From: Paul Moore <paul.moore@hp.com>
To: Trent Jaeger <tjaeger@cse.psu.edu>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
	selinux@tycho.nsa.gov, James Morris <jmorris@namei.org>,
	Eric Paris <eparis@parisplace.org>
Subject: Re: Socket and inode label consistency
Date: Wed, 27 Aug 2008 11:49:38 -0400
Message-ID: <200808271149.38256.paul.moore@hp.com>
In-Reply-To: <1219838254.5708.4.camel@moss-spartans.epoch.ncsc.mil>

On Wednesday 27 August 2008 7:57:34 am Stephen Smalley wrote:
> On Tue, 2008-08-26 at 20:50 -0400, Trent Jaeger wrote:
> > Hi,
> >
> > I see on the Kernel Development To Do list at http://
> > selinuxproject.org/page/Kernel_Development that the following task
> > is identified:
> >
> > "Full APIs for getting and setting security contexts of sockets and
> > IPC objects. Ensure that socket context is kept consistent on
> > socket inode and sock structures when changed."
> >
> > We are being bitten by this now, so I am wondering if anyone is
> > working on it or wishes to discuss how to proceed.  We would be
> > interested in addressing this issue.
>
> I don't know of anyone working on it, but we are interested in it.

It is something that has been on my todo list for some time but it is 
stuck with such a low priority that I haven't been able to make any 
progress on it.  If you've got time to work on it, I would be very 
happy :)

> As I recall, you can get and set the socket inode label via fgetxattr
> and fsetxattr but the struct sock label isn't accessible from
> userspace (except via getpeercon, and then only for the peer).  I
> think you'd need to add a .setxattr method to the socket_file_ops and
> have them call into the LSM interface to update the sock information
> (as well as continuing to update the socket inode info).

There would also need to be some work done to ensure that all the 
outbound labeled networking stuff is updated when the socket's label is 
changed via the xattr operations.  Right now there is no way (at least 
not that I know of) to change the label of an existing socket so we 
don't have to worry about that problem.

I also wonder about changing the label of a socket while it is 
connected, probably not a big issue for dgram sockets but I think it 
could get pretty strange for stream sockets.

-- 
paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
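
Added example, not code from this thread, from libselinux or from the kernel tree: a Linux C program that reads a socket's label at both layers discussed above. fgetxattr("security.selinux") on the socket fd reads the socket inode label (the xattr path Stephen describes); getsockopt(SO_PEERSEC), which is what libselinux's getpeercon() wraps, reads the label of the peer's struct sock. With a socketpair() both ends live in one process, so end A's peer is end B, and B's inode label and B's sock label can be compared side by side. try_relabel_and_compare() attempts the fsetxattr relabel the thread says is missing, using a caller-supplied context; whether the write is permitted and whether the peer-visible sock label follows depends on the running kernel and policy, so it only reports what it sees. The struct and function names are this example's own. On a kernel without SELinux the reads fail with ENOTSUP/ENOPROTOOPT and the program reports that instead of a label.

```c
/* Added example (not the thread's or the kernel's code): observe the two
 * places a socket carries a label. fgetxattr("security.selinux") reads the
 * sockfs inode label; getsockopt(SO_PEERSEC), the syscall behind libselinux
 * getpeercon(), reads the label of the *peer's* struct sock. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/xattr.h>
#include <unistd.h>

#define LABEL_MAX 256

struct socket_labels {
    int inode_rc;                 /* 0 or -errno from fgetxattr on end B  */
    int peer_rc;                  /* 0 or -errno from SO_PEERSEC on end A */
    char inode_label[LABEL_MAX];  /* B's socket-inode label               */
    char peer_label[LABEL_MAX];   /* B's sock label, as seen from A       */
};

/* Socket inode layer: the xattr path. ENOTSUP/ENODATA means no SELinux label. */
int read_inode_label(int fd, char *buf, size_t len)
{
    ssize_t n = fgetxattr(fd, "security.selinux", buf, len - 1);
    if (n < 0)
        return -errno;
    buf[n] = '\0';
    return 0;
}

/* struct sock layer, peer side only: the getpeercon() path.
 * ENOPROTOOPT means no LSM answers this query on the running kernel. */
int read_peer_sock_label(int fd, char *buf, size_t len)
{
    socklen_t optlen = (socklen_t)(len - 1);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, &optlen) < 0)
        return -errno;
    buf[optlen] = '\0';           /* SELinux's reply already ends in NUL; be safe */
    return 0;
}

/* Create a socketpair and read end B's label through both layers.
 * Returns 0 if the probe ran (per-layer results in *out), -errno otherwise. */
int probe_socketpair_labels(struct socket_labels *out)
{
    int sv[2];
    memset(out, 0, sizeof *out);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -errno;
    out->inode_rc = read_inode_label(sv[1], out->inode_label, sizeof out->inode_label);
    out->peer_rc  = read_peer_sock_label(sv[0], out->peer_label, sizeof out->peer_label);
    close(sv[0]);
    close(sv[1]);
    return 0;
}

/* 1 = both layers readable and they agree, 0 = both readable but they differ,
 * -1 = at least one layer is not readable on this kernel/policy. */
int labels_consistent(const struct socket_labels *l)
{
    if (l->inode_rc != 0 || l->peer_rc != 0)
        return -1;
    return strcmp(l->inode_label, l->peer_label) == 0;
}

/* Try the relabel the thread describes as missing: write ctx to B's inode
 * label, then re-read B's sock label from A. Permission (relabelfrom/
 * relabelto) and propagation are policy- and kernel-dependent, so this only
 * reports. Returns 0 and sets *propagated, or -errno from the failing call. */
int try_relabel_and_compare(const char *ctx, int *propagated)
{
    int sv[2], rc;
    char peer[LABEL_MAX];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -errno;
    rc = fsetxattr(sv[1], "security.selinux", ctx, strlen(ctx), 0) < 0 ? -errno : 0;
    if (rc == 0) {
        rc = read_peer_sock_label(sv[0], peer, sizeof peer);
        if (rc == 0)
            *propagated = strcmp(peer, ctx) == 0;
    }
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* Usage: ./socklabel [new_context]   (the optional context drives the relabel try) */
int main(int argc, char **argv)
{
    struct socket_labels l;
    if (probe_socketpair_labels(&l) < 0) { perror("socketpair"); return 1; }
    printf("inode label (fgetxattr):      %s\n", l.inode_rc ? strerror(-l.inode_rc) : l.inode_label);
    printf("peer sock label (SO_PEERSEC): %s\n", l.peer_rc ? strerror(-l.peer_rc) : l.peer_label);
    printf("consistent: %d\n", labels_consistent(&l));
    if (argc > 1) {
        int prop = 0, rc = try_relabel_and_compare(argv[1], &prop);
        if (rc < 0)
            printf("relabel to %s: %s\n", argv[1], strerror(-rc));
        else
            printf("relabel to %s: inode set; peer sock label %s\n",
                   argv[1], prop ? "followed" : "did not follow");
    }
    return 0;
}
```

Run without arguments to see both labels; on an SELinux system they match because socket_post_create gives the inode and the sock the same SID and socketpair records each end's SID as the other's peer. Pass a context as the first argument to exercise the relabel path and see which layer, if any, reflects the change.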

Thread overview: 19+ messages
2008-08-27  0:50 Socket and inode label consistency Trent Jaeger
2008-08-27 11:57 ` Stephen Smalley
2008-08-27 15:49   ` Paul Moore [this message]
2008-08-27 18:08     ` Trent Jaeger
2008-08-27 18:05       ` Eric Paris
2008-08-27 18:20         ` Trent Jaeger
2008-08-27 18:34           ` Paul Moore
2008-08-27 20:15             ` Trent Jaeger
2008-08-27 18:16       ` Stephen Smalley
2008-08-27 18:32         ` Trent Jaeger
2008-08-27 20:06         ` Casey Schaufler
2008-08-27 20:32           ` Paul Moore
2008-08-27 21:38           ` Trent Jaeger
2008-08-27 22:53             ` Casey Schaufler
2008-08-28 12:13               ` Stephen Smalley
2008-08-28 15:20                 ` Trent Jaeger
2008-08-29  4:22                   ` Casey Schaufler
2008-08-29 12:13                     ` Stephen Smalley
2008-08-29 17:34                       ` Trent Jaeger
