On Fri, Mar 14, 2025 at 9:01 AM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> On Wed, 12 Mar 2025 at 14:04, Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> >
> > On Wed, Mar 12, 2025 at 4:01 AM Christian Göttsche
> > <cgoettsche@xxxxxxxxxxxxx> wrote:
> > >
> > > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > >
> > > Retrieve the netlabel_wildcard policy capability in security_netif_sid()
> > > from the locked active policy instead of the cached value in
> > > selinux_state.
> > >
> > > Fixes: 8af43b61c17e ("selinux: support wildcard network interface names")
> > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> >
> > Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> >
> > Do we have tests for this feature? I didn't see any.
>
> No.
>
> Is there a way to retrieve the context of a network interface without
> actually sending packets? (Then one could simply use `ip link add
> $name_to_test type dummy`).

Not as far as I know. The inet_socket tests should exercise the
relevant permission checks that use the netif SIDs.