From: Joshua Roys <joshua.roys@gtri.gatech.edu>
To: "selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>
Subject: [RFC][PATCH] mod_selinux: setcon earlier
Date: Fri, 5 Mar 2010 16:46:55 -0500
Message-ID: <4B917BCF.7060200@gtri.gatech.edu>
Hello,
I am wondering if the attached patch creates the actually intended
behavior, specifically at which point httpd calls setcon() when the
selinuxServerDomain option is set.
The current code ends up calling setcon after sockets have been opened,
at least if the prefork mpm is in use. Here's the current path: apache
calls these hooks in this order: pre_config, check_config, open_logs,
post_config. The prefork mpm opens the listening sockets in open_logs,
and mod_selinux does setcon() in post_config. However, I noticed that
the selinuxServerDomain option has the EXEC_ON_READ option set... and I
noticed issues with labeled networking having the setcon() called after
the listening sockets are opened.
The attached patch deletes (well, in this version just comments out...)
the mod_selinux post_config hook, and calls the routine directly from
the set_server_domain option-processing hook. This, because of the
EXEC_ON_READ option, is executed immediately upon finding a
selinuxServerDomain option in an httpd config file. Thus, setcon() is
called before sockets are opened.
Josh
[-- Attachment #1.2: setcon-earlier.diff (text/plain) --]
--- mod_selinux.c.old 2010-03-03 11:40:14.886608228 -0500
+++ mod_selinux.c 2010-03-03 11:40:19.019609063 -0500
@@ -394,8 +394,10 @@
if (is_selinux_enabled() < 1)
return;
+/*
ap_hook_post_config(selinux_post_config,
NULL, NULL, APR_HOOK_MIDDLE);
+*/
ap_hook_post_read_request(selinux_post_read_request,
NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_handler(selinux_handler,
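Review bot: the `/* ... */` around the ap_hook_post_config() registration should become a real deletion before this goes in; the cover note already says it is only commented out in this version, and dead code in the hook-registration function is easy to re-enable by accident. Note also that the `is_selinux_enabled() < 1` early return at the top of this hunk no longer guards selinux_post_config(): it used to be reached only through the hook registered here, and after this patch it is called directly from the set_server_domain directive handler, so that function must perform its own is_selinux_enabled() check (or the directive handler must) to keep the same behaviour on hosts without SELinux. Finally, with the hook gone selinux_post_config() runs only when a selinuxServerDomain directive is present, so confirm it did nothing useful for configurations that omit the directive.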
@@ -470,6 +472,8 @@
{
server_domain = apr_pstrdup(cmd->pool, v1);
+ selinux_post_config(NULL, NULL, cmd->temp_pool, cmd->server);
+
return NULL;
}
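Review bot: the direct call `selinux_post_config(NULL, NULL, cmd->temp_pool, cmd->server);` passes NULL for the pconf and plog pool arguments and discards the function's return value. selinux_post_config() was written as a post_config hook, which receives real pools and reports success or failure through its return code; if it allocates from or logs via either of the first two pools this will dereference NULL, and a failing setcon() is now silently ignored while set_server_domain still returns NULL, which httpd treats as success. Suggest either splitting the setcon() logic into a helper that takes only the pool and server_rec it needs, or at least checking the result, e.g. `if (selinux_post_config(NULL, NULL, cmd->temp_pool, cmd->server) != OK) return "selinuxServerDomain: failed to set server domain";`, so a misconfigured domain stops startup instead of leaving the listeners in the wrong context.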
Thread overview (4+ messages):
2010-03-05 21:46 Joshua Roys [this message]
2010-03-08 6:42 ` [RFC][PATCH] mod_selinux: setcon earlier KaiGai Kohei
2010-03-08 21:22 ` Joshua Roys
2010-03-09 1:02 ` KaiGai Kohei