On 08/31/2011 04:36 PM, rongqing.li@windriver.com wrote:
> -------
> Any review would be much appreciated.
>
> Comments:
> --------
> Add a netlink attribute INET_DIAG_SECCTX
>
> Add a new netlink attribute INET_DIAG_SECCTX to dump the security
> context of TCP sockets.
>
> The element sk_security of struct sock represents the socket
> security context ID, which is inherited from the parent process
> when the socket is created.
>
> But when an SELinux type_transition rule is applied to the socket, or
> the application sets /proc/xxx/attr/createsock, the socket security
> context will differ from that of the creating process. Under these
> conditions "netstat -Z" returns the wrong value, since
> "netstat -Z" only reports the process security context as the
> socket's security context.
>
>
> The application to verify the new netlink attribute.
> ------
> See attached file
>
> Test:
> --------
> 1. Enable SELinux at compile time and at startup.
> root@qemu-host:/root> ./printsocketsec
> inode:7141 system_u:system_r:rpcbind_t:s0
> inode:7136 system_u:system_r:rpcbind_t:s0
> inode:7604 system_u:system_r:initrc_t:s0
> inode:7227 system_u:system_r:rpcd_t:s0
> inode:7471 system_u:system_r:sshd_t:s0-s0:c0.c1023
> inode:7469 system_u:system_r:sshd_t:s0-s0:c0.c1023
> inode:7552 system_u:system_r:sendmail_t:s0
> inode:7348 system_u:system_r:initrc_t:s0
> inode:7553 system_u:system_r:sendmail_t:s0
> root@qemu-host:/root>
>
> 2. Disable SELinux at startup.
> root@qemu-host:/root> ./printsocketsec
> inode:3221
> inode:2942
> inode:2861
> inode:3256
> inode:3156
> inode:3220
> inode:3060
> root@qemu-host:/root>
>
> 3. Disable SELinux at compile time and at startup.
> root@qemu-host:/root> ./printsocketsec
> inode:3221
> inode:2942
> inode:2861
> inode:3256
> inode:3156
> inode:3220
> inode:3060
> root@qemu-host:/root>

--
Best Regards,
Roy | RongQing Li
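The attached printsocketsec program is not on this page, so the following is an added example of the consumer side the patch describes: walking the attribute chain of an inet_diag reply and pulling out the socket security context, while tolerating the reply from a kernel without SELinux (attribute absent, as in tests 2 and 3) and rejecting a malformed chain. It is not the patch author's code. The attribute number 9 for INET_DIAG_SECCTX is an assumption (the patch's value is not visible here; 8 was the last number in the 2011 enum); the attribute header mirrors the netlink `struct nlattr` layout (u16 length including the header, u16 type, payload padded to 4 bytes), and the sample buffers are constructed inline rather than captured from a kernel.

```c
/* Added example: parse INET_DIAG_SECCTX out of an inet_diag attribute chain.
 * Not the patch's attached printsocketsec; attribute number is assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Netlink attribute framing: nla_len counts header + payload, no padding. */
#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(size_t)(NLA_ALIGNTO - 1))
struct nla_hdr { uint16_t nla_len; uint16_t nla_type; };
#define NLA_HDRLEN (NLA_ALIGN(sizeof(struct nla_hdr)))

enum {
    DIAG_MEMINFO = 1,   /* INET_DIAG_MEMINFO, as in the 2011 kernel enum */
    DIAG_SECCTX  = 9    /* INET_DIAG_SECCTX: ASSUMED value, not from the page */
};

/* Walk attributes in buf[0..len). Copy the SECCTX payload into ctx as a
 * C string and return its length; return 0 if the attribute is absent
 * (kernel built or booted without SELinux); return -1 on a malformed
 * chain (header longer than the remaining buffer, or shorter than itself). */
int find_secctx(const unsigned char *buf, size_t len, char *ctx, size_t ctxlen)
{
    size_t off = 0;
    while (off + NLA_HDRLEN <= len) {
        struct nla_hdr h;
        memcpy(&h, buf + off, sizeof h);           /* avoid unaligned access */
        if (h.nla_len < NLA_HDRLEN || off + h.nla_len > len)
            return -1;
        if (h.nla_type == DIAG_SECCTX) {
            size_t plen = h.nla_len - NLA_HDRLEN;
            if (plen >= ctxlen)                    /* never overrun caller's buffer */
                plen = ctxlen - 1;
            memcpy(ctx, buf + off + NLA_HDRLEN, plen);
            ctx[plen] = '\0';                      /* payload may or may not carry a NUL */
            return (int)strlen(ctx);
        }
        off += NLA_ALIGN(h.nla_len);               /* skip payload plus padding */
    }
    return 0;                                      /* leftover < header is padding */
}

/* Append one attribute (header, payload, zero padding); returns new offset,
 * or 0 if it does not fit. Used only to build the constructed samples. */
static size_t put_attr(unsigned char *buf, size_t cap, size_t off,
                       uint16_t type, const void *data, size_t dlen)
{
    size_t total = NLA_ALIGN(NLA_HDRLEN + dlen);
    struct nla_hdr h = { (uint16_t)(NLA_HDRLEN + dlen), type };
    if (off + total > cap)
        return 0;
    memset(buf + off, 0, total);
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + NLA_HDRLEN, data, dlen);
    return off + total;
}

/* Constructed reply: MEMINFO followed by SECCTX (SELinux enabled case). */
size_t sample_with_ctx(unsigned char *buf, size_t cap)
{
    static const uint32_t meminfo[4] = { 0, 0, 0, 0 };
    static const char ctx[] = "system_u:system_r:sshd_t:s0-s0:c0.c1023";
    size_t off = put_attr(buf, cap, 0, DIAG_MEMINFO, meminfo, sizeof meminfo);
    return off ? put_attr(buf, cap, off, DIAG_SECCTX, ctx, sizeof ctx) : 0;
}

/* Constructed reply: MEMINFO only (SELinux disabled, attribute omitted). */
size_t sample_without_ctx(unsigned char *buf, size_t cap)
{
    static const uint32_t meminfo[4] = { 0, 0, 0, 0 };
    return put_attr(buf, cap, 0, DIAG_MEMINFO, meminfo, sizeof meminfo);
}

int main(void)
{
    unsigned char buf[128];
    char ctx[256];
    size_t n = sample_with_ctx(buf, sizeof buf);
    int r = find_secctx(buf, n, ctx, sizeof ctx);
    printf("inode:7471 %s\n", r > 0 ? ctx : "");   /* mirrors printsocketsec output */
    n = sample_without_ctx(buf, sizeof buf);
    r = find_secctx(buf, n, ctx, sizeof ctx);
    printf("inode:3221 %s\n", r > 0 ? ctx : "");
    return 0;
}
```

A real client would obtain the buffer from a SOCK_DIAG_BY_FAMILY (or older TCPDIAG_GETSOCK) dump and call find_secctx on the bytes after `struct inet_diag_msg`; the parser above deliberately returns distinct results for "attribute absent" and "chain malformed" so a netstat-style tool can print an empty context for non-SELinux kernels, as the patch's tests 2 and 3 show, without silently treating truncated replies the same way.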