On Tue, Aug 23, 2016 at 10:42 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 08/23/2016 10:14 AM, Guido Trentalancia wrote:
>> Modify the SELinux kernel code so that it is able to classify sockets with
>> the new AF_ALG namespace (used for the user-space interface to the kernel
>> Crypto API).
>>
>> A companion patch has been created for the Reference Policy and it will be
>> posted to its mailing list, once this patch is merged.
>
> 1. Could we reclaim the redhat1 policy capability (originally reserved
> for the ptrace_child capability that was later discarded and is not used
> anywhere), or would that pose any compatibility problems (I don't think
> so, but not entirely sure)?

Yes, we *should* be able to reuse the capability, but some closer
inspection/testing would likely need to be done.  There was a thread
about this somewhere a few months ago ...

> 2. Could we generalize this to support separate classes for every
> address family implemented by Linux rather than doing them piecemeal?

I agree.  I think Guido mentioned this might take some more time, but
that is fine with me, I don't believe there is any hard deadline for
this work.

--
paul moore
www.paul-moore.com

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
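The two review points above (a new per-family socket class, and a policy capability so that older policies keep working) can be illustrated with a small standalone model of how a socket's (family, type, protocol) is mapped to an SELinux object class. This is an added example, not the kernel's `security/selinux/hooks.c` code and not Guido's patch; the enum names, the `cap_alg_socket_class` flag and its setter are assumptions chosen for the illustration. The point it shows is the compatibility guard: when the loaded policy does not declare the capability, AF_ALG sockets fall back to the generic `socket` class exactly as they did before, so no existing policy changes behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

#ifndef AF_ALG
#define AF_ALG 38 /* Linux value; defined here only so the example builds on other libcs */
#endif

/* Socket classes used by this model (names follow the SELinux class names
 * discussed on the list; "alg_socket" is the class the patch would add). */
enum sock_class {
    CLS_SOCKET,             /* generic fallback class */
    CLS_UNIX_STREAM_SOCKET,
    CLS_UNIX_DGRAM_SOCKET,
    CLS_TCP_SOCKET,
    CLS_UDP_SOCKET,
    CLS_RAWIP_SOCKET,
    CLS_ALG_SOCKET,         /* new AF_ALG class, only used when the capability is on */
};

static const char *const class_names[] = {
    "socket", "unix_stream_socket", "unix_dgram_socket",
    "tcp_socket", "udp_socket", "rawip_socket", "alg_socket",
};

/* Hypothetical policy-capability flag (assumption: name and storage are ours,
 * not the kernel's). 0 means the loaded policy predates the alg_socket class. */
static int cap_alg_socket_class = 0;

void set_alg_socket_class_cap(int enabled) { cap_alg_socket_class = enabled; }

const char *sock_class_name(enum sock_class c) { return class_names[c]; }

/* Map a socket's address family, type and protocol to an object class.
 * Anything not explicitly known, and AF_ALG when the policy lacks the
 * capability, maps to the generic "socket" class so old policies keep working. */
enum sock_class classify_socket(int family, int type, int protocol)
{
    switch (family) {
    case AF_UNIX:
        switch (type) {
        case SOCK_STREAM:
        case SOCK_SEQPACKET:
            return CLS_UNIX_STREAM_SOCKET;
        case SOCK_DGRAM:
            return CLS_UNIX_DGRAM_SOCKET;
        default:
            return CLS_SOCKET;
        }
    case AF_INET:
    case AF_INET6:
        switch (type) {
        case SOCK_STREAM:
            return (protocol == 0 || protocol == IPPROTO_TCP) ? CLS_TCP_SOCKET : CLS_SOCKET;
        case SOCK_DGRAM:
            return (protocol == 0 || protocol == IPPROTO_UDP) ? CLS_UDP_SOCKET : CLS_SOCKET;
        case SOCK_RAW:
            return CLS_RAWIP_SOCKET;
        default:
            return CLS_SOCKET;
        }
    case AF_ALG:
        /* The compatibility guard from point 1: only a policy that declares
         * the capability sees the dedicated class. */
        return cap_alg_socket_class ? CLS_ALG_SOCKET : CLS_SOCKET;
    default:
        return CLS_SOCKET;
    }
}

int main(void)
{
    /* AF_ALG sockets are SOCK_SEQPACKET in the kernel's user-space Crypto API. */
    printf("AF_ALG without capability -> %s\n",
           sock_class_name(classify_socket(AF_ALG, SOCK_SEQPACKET, 0)));
    set_alg_socket_class_cap(1);
    printf("AF_ALG with capability    -> %s\n",
           sock_class_name(classify_socket(AF_ALG, SOCK_SEQPACKET, 0)));
    printf("AF_INET/SOCK_STREAM       -> %s\n",
           sock_class_name(classify_socket(AF_INET, SOCK_STREAM, 0)));
    return 0;
}
```

Generalizing this to every address family (point 2) means extending the outer `switch` with one arm per family, while keeping the same `default` fallback and the same capability check, so that a single new policy capability can turn all of the new classes on at once rather than one capability per family.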