On Fri, Mar 14, 2025 at 10:28 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Fri, Mar 14, 2025 at 9:01 AM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> >
> > On Wed, 12 Mar 2025 at 14:04, Stephen Smalley
> > <stephen.smalley.work@xxxxxxxxx> wrote:
> > >
> > > On Wed, Mar 12, 2025 at 4:01 AM Christian Göttsche
> > > <cgoettsche@xxxxxxxxxxxxx> wrote:
> > > >
> > > > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > > >
> > > > Retrieve the netlabel_wildcard policy capability in security_netif_sid()
> > > > from the locked active policy instead of the cached value in
> > > > selinux_state.
> > > >
> > > > Fixes: 8af43b61c17e ("selinux: support wildcard network interface names")
> > > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > >
> > > Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> > >
> > > Do we have tests for this feature? I didn't see any.
> >
> > No.
> >
> > Is there a way to retrieve the context of a network interface without
> > actually sending packets? (Then one could simply use `ip link add
> > $name_to_test type dummy`).
>
> Not as far as I know. The inet_socket tests should exercise the
> relevant permission checks that use the netif SIDs.

On a different note, I just realized that your subject line and commit
description use "netlabel_wildcard" instead of "netif_wildcard".