Re: [RFC][PATCH] selinux: support distinctions among all network address families

On Fri, Dec 9, 2016 at 8:47 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 12/06/2016 10:04 AM, Stephen Smalley wrote:
>> On 12/06/2016 09:10 AM, Richard Haines wrote:
>>> Not sure if helpful but I plan to submit the SCTP patch next week after
>>> testing on Fedora 25 with kernel 4.8.11.
>>
>> I chose to go ahead and add the SCTP socket security class to this patch
>> so that we have all known socket classes defined by this patch, and then
>> your patch can further add new permissions and other logic specific to
>> SCTP under its own policy capability (at least I assume we'll want a
>> policy capability unless we aren't overly concerned with breaking SCTP
>> applications running under old policies with new kernels).
>
> Actually, perhaps we don't need another separate policy capability for
> it if it goes in soon, since the extended_socket_class capability isn't
> yet enabled in any policies.

True, we don't make any guarantees regarding code that hasn't been
released via Linus' tree and right now the extended socket class patch
is just sitting in the SELinux tree.  That said, I don't consider it
a major problem to introduce another policy capability if needed; it's
definitely cleaner not to have to do so, but I wouldn't consider it
reason to rush the SCTP support if it isn't ready.

-- 
paul moore
www.paul-moore.com