On Thu, Jul 13, 2017 at 1:35 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> Also, I wanted to mention that this still doesn't address testing of
> the finer-grained permissions for netlink sockets, e.g.
> nlmsg_read/write/..., as noted in the open issue:
> https://github.com/SELinuxProject/selinux-testsuite/issues/17
>
> That isn't an obstacle to taking this one, but wanted to note that we
> still want to address that at some point.

Agreed. I still think that Milos' patch is an improvement and worth merging once the RHEL-7 are answered/resolved (your previous email).

> Also, on the kernel side, we might want to consider defining those
> permissions for more of the netlink socket classes, particularly the
> newer ones, if/where it makes sense to do so. Or, alternatively, to
> implement support analogous to the ioctl whitelisting support for
> netlink messages so that we can do fine-grained restrictions there.

Yes, definitely. Long term I think doing something similar to what was done for the individual ioctls is the best solution, but I'd be happy to accept netlink permission mapping updates in the meantime.

--
paul moore
www.paul-moore.com