From: Dominick Grift <dominick.grift@defensec.nl>
To: Ted Toth <txtoth@gmail.com>
Cc: SELinux <selinux@vger.kernel.org>
Subject: Re: context of socket passed between processes
Date: Wed, 07 Sep 2022 22:56:35 +0200 [thread overview]
Message-ID: <87a67ac398.fsf@defensec.nl> (raw)
In-Reply-To: <CAFPpqQE4isJqSmSOozWdKRN1rmt7_6sG_9VsroD-zjfQzWYqEQ@mail.gmail.com> (Ted Toth's message of "Wed, 7 Sep 2022 15:18:55 -0500")
Ted Toth <txtoth@gmail.com> writes:
> systemd uses a helper process (sd-listen) to create sockets and pass
> their fds back to its parent. I've patched systemd to call semanage to
> get the context for the port if it exists and create a context using
> the returned type when calling setsockcreatecon. Everything looks
> right i.e. the port type is retrieved, the context is created and
> setsockcreatecon is called without errors. However, 'netstat -Z' shows
> the listening sockets' type as init_t and not the type in the
> setsockcreatecon call. Is this the expected behavior? Can anyone help
> me understand why this is happening?
It is probably the context of the process listening on the port and not
the context of the socket that binds to the port.
Also, I doubt you can rely on the presence of (lib)semanage (think small
embedded devices with monolithic policy).
>
> Ted
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift