On Fri, Mar 14, 2025 at 10:28 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
> On Fri, Mar 14, 2025 at 9:01 AM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> > On Wed, 12 Mar 2025 at 14:04, Stephen Smalley
> > <stephen.smalley.work@xxxxxxxxx> wrote:
> > >
> > > On Wed, Mar 12, 2025 at 4:01 AM Christian Göttsche
> > > <cgoettsche@xxxxxxxxxxxxx> wrote:
> > > >
> > > > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > > >
> > > > Retrieve the netlabel_wildcard policy capability in security_netif_sid()
> > > > from the locked active policy instead of the cached value in
> > > > selinux_state.
> > > >
> > > > Fixes: 8af43b61c17e ("selinux: support wildcard network interface names")
> > > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > >
> > > Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> > >
> > > Do we have tests for this feature? I didn't see any.
> >
> > No.
> >
> > Is there a way to retrieve the context of a network interface without
> > actually sending packets? (Then one could simply use `ip link add
> > $name_to_test type dummy`).
>
> Not as far as I know. The inet_socket tests should exercise the
> relevant permission checks that use the netif SIDs.

Unfortunately, I don't believe there is a mechanism to simply view the
current label assigned to a network interface; adding something would be
helpful. The obvious thing would be to add something to iproute2, but
that is going to involve some new LSM APIs to get that information as
well as working with the netdev folks to export it out along with the
other interface info. It would likely be much easier to add something
under /sys/fs/selinux, and such a change wouldn't prevent us from doing
something in iproute2 in the future.

-- 
paul-moore.com