Message-ID: <452438FB.2090600@hp.com>
Date: Wed, 04 Oct 2006 18:43:07 -0400
From: Paul Moore
MIME-Version: 1.0
To: Joe Nall
Cc: Stephen Smalley, Venkat Yekkirala, SE Linux, eparis@redhat.com, James Morris, Steve Grubb
Subject: Re: [PATCH v4 1/2] NetLabel: secid reconciliation support
References: <36282A1733C57546BE392885C0618592015CF96F@chaos.tcs.tcs-sec.com> <1159993643.19176.256.camel@moss-spartans.epoch.ncsc.mil> <45241EFF.2000108@hp.com> <200610041712.00629.sgrubb@redhat.com>
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

Joe Nall wrote:
> On Oct 4, 2006, at 4:12 PM, Steve Grubb wrote:
>
>> On Wednesday 04 October 2006 16:52, Paul Moore wrote:
>>
>>> I think we are all in agreement that the current xinetd patch is
>>> broken. Hopefully Steve Grubb will have it fixed soon (I just added him as
>>> a CC).
>>
>> In my opinion, this should be in bugzilla. This is the first I heard of xinetd
>> being broken. LSPP issues that need quick solutions like this can get lost in
>> mail.
>
> Using Eric's kernel and rawhide xinetd, I get what I expect from this
> simple test -
>
> [joe@mls user_u:user_r:user_t:SystemLow ~]$ telnet localhost test
> Trying 127.0.0.1...
> Connected to localhost.localdomain (127.0.0.1).
> Escape character is '^]'.
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
> 6(disk),10(wheel) context=user_u:user_r:user_t:SystemLow
> Connection closed by foreign host.
>
> [joe@mls user_u:user_r:user_t:SystemLow ~]$ newrole -l S-S
> ...
> [joe@mls user_u:user_r:user_t:SECRET ~]$ telnet localhost test
> Trying 127.0.0.1...
> Connected to localhost.localdomain (127.0.0.1).
> Escape character is '^]'.
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
> 6(disk),10(wheel) context=user_u:user_r:user_t:SECRET

Handling of loopback is a special case when using the secid patches; the behavior you are seeing is expected.

> Can anyone provide a simple test that demonstrates how xinetd is broken?

Try telnetting into a remote host and note the context that in.telnetd is running in on the remote machine.

-- 
paul moore
linux security @ hp