Fair enough. I will get back to you regarding other hardware identifiers that we are considering filtering via ioctl commands.
From our initial look, it appears that most other hardware identifiers can be protected with existing SELinux permissions. MAC is (thus far) unique in that many applications need access to the other information provided by that ioctl.
On Thu, Oct 9, 2014 at 1:20 PM, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
On Wednesday, October 08, 2014 05:41:42 PM Jeffrey Vander Stoep wrote:
> First time poster to the list. I would appreciate feedback/suggestions
> regarding the following patch.
>
> This patch provides SELinux control over network interface MAC
> addresses. This patch allows access to the MAC address to be controlled by
> policy. Network MAC addresses are a long-lived unique device identifier,
> and a security policy may wish to control access to the identifier without
> further limiting network use, perhaps for privacy reasons.
While I'm not opposed to such access controls, I'd like to see a more
comprehensive patchset before we commit to support something like this in the
mainline kernel. Surely network MAC addresses aren't the only hardware
identifier that one would be concerned about, right?
--
paul moore
www.paul-moore.com
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.