Re: [PATCH 00/23] LSM: Full security module stacking

On Tue, 15 May 2018, Casey Schaufler wrote:

> Both SELinux and Smack use netlbl_sock_setattr() in their socket_post_create()
> hooks to establish the CIPSO to use if nothing else interferes. An unfortunate
> artifact of the Smack "ambient label" implementation is that the default
> configuration is going to delete the netlbl attribute for the floor ("_")
> label. This will conflict with any value that SELinux sets. :( Smack clearly
> needs to have its use of netlabel revised, and that is work that's going on
> in parallel with stacking. That, however, is not an infrastructure issue, it's
> an issue with how the two modules use the facilities.

Can this kind of problem be prevented at the API level?  i.e. ensure you 
can't accidentally conflict with another LSM's use of the label here?


-- 
James Morris
<jmorris@xxxxxxxxx>




