On Dec 17, 2024 Christian Göttsche <cgoettsche@xxxxxxxxxxxxx> wrote:
>
> Add support for wildcard matching of network interface names. This is
> useful for auto-generated interfaces, for example podman creates network
> interfaces for containers with the naming scheme podman0, podman1,
> podman2, ...
>
> Since the wildcard characters '?' and '*' should be very uncommon in
> network interface names, and thus in netifcon definitions, avoid
> introducing a new policy version or capability.
>
> Netifcon definitions are compared against in the order given by the
> policy, so userspace tools should sort them in a reasonable order.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
>  security/selinux/include/security.h | 2 +-
>  security/selinux/ss/services.c      | 5 +++--
>  2 files changed, 4 insertions(+), 3 deletions(-)

My apologies on the delay in responding, overall I think this is a nice
improvement, but I would feel a lot better if we wrapped this with a
policy capability so that users/admins that did run into a problem would
have a way to work around this using policy.

--
paul-moore.com
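The quoted commit message describes two things a policy author has to get right: the '?'/'*' wildcard semantics for netifcon names, and the fact that the first netifcon in policy order wins. The following is an added, self-contained illustration written for this thread; it is not the kernel patch's code and does not reproduce whatever matcher the patch actually calls. The matcher, the `netifcon` table layout and every context string are constructed for the example. It shows the shadowing pitfall the message warns about: a `podman*` entry listed before `podman0` silently swallows the more specific rule.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Minimal glob-style matcher: '?' matches any single character, '*' any run
 * (including empty). This is a hypothetical stand-in for the kernel's own
 * matcher, written only to illustrate the semantics described in the thread. */
static bool wildcard_match(const char *pattern, const char *name)
{
    const char *star = NULL;      /* last '*' seen in pattern, for backtracking */
    const char *star_name = NULL; /* position in name when that '*' was seen */

    while (*name) {
        if (*pattern == '?' || *pattern == *name) {
            pattern++;
            name++;
        } else if (*pattern == '*') {
            star = pattern++;
            star_name = name;
        } else if (star) {
            /* Let the last '*' absorb one more character and retry. */
            pattern = star + 1;
            name = ++star_name;
        } else {
            return false;
        }
    }
    /* Trailing '*'s may match the empty string. */
    while (*pattern == '*')
        pattern++;
    return *pattern == '\0';
}

/* Constructed netifcon entry: interface name (literal or pattern) and label. */
struct netifcon {
    const char *ifname;
    const char *context;
};

/* First-match lookup in policy order, mirroring the ordering rule in the
 * commit message. Returns NULL when no entry matches. */
static const char *netifcon_lookup(const struct netifcon *table, size_t n,
                                   const char *ifname)
{
    for (size_t i = 0; i < n; i++)
        if (wildcard_match(table[i].ifname, ifname))
            return table[i].context;
    return NULL;
}

/* Constructed sample policies; the type names are illustrative, not real. */
static const struct netifcon good_order[] = {
    { "podman0", "system_u:object_r:podman_host_netif_t:s0" }, /* specific first */
    { "podman*", "system_u:object_r:podman_netif_t:s0" },      /* catch-all after */
    { "eth?",    "system_u:object_r:eth_netif_t:s0" },
};

static const struct netifcon bad_order[] = {
    { "podman*", "system_u:object_r:podman_netif_t:s0" },
    { "podman0", "system_u:object_r:podman_host_netif_t:s0" }, /* never reached */
};

const char *lookup_good(const char *ifname)
{
    return netifcon_lookup(good_order, sizeof good_order / sizeof *good_order, ifname);
}

const char *lookup_bad(const char *ifname)
{
    return netifcon_lookup(bad_order, sizeof bad_order / sizeof *bad_order, ifname);
}

int main(void)
{
    const char *names[] = { "podman0", "podman7", "eth0", "eth10", "wlan0" };
    for (size_t i = 0; i < sizeof names / sizeof *names; i++) {
        const char *g = lookup_good(names[i]);
        const char *b = lookup_bad(names[i]);
        printf("%-8s good-order: %-45s bad-order: %s\n", names[i],
               g ? g : "(no match)", b ? b : "(no match)");
    }
    return 0;
}
```

Running it shows that `podman0` gets the host label only in the sorted table; in the badly ordered one every `podmanN` interface, including `podman0`, receives the generic label, which is exactly why the commit message asks userspace tools to sort netifcon definitions before writing the policy.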