[PATCH iproute2-next 0/4] make ip vrf exec SELinux-aware

[Andrea Claudi <aclaudi@redhat.com>]

In order to execute a service with VRF, a user should start it using
"ip vrf exec". For example, using systemd, the user can encapsulate the
ExecStart command in ip vrf exec as shown below:

ExecStart=/usr/sbin/ip vrf exec vrf1 /usr/sbin/httpd $OPTIONS -DFOREGROUND 

Assuming SELinux is in permissive mode, starting the service with the
current ip vrf implementation results in:

# systemctl start httpd
# ps -eafZ | grep httpd
system_u:system_r:ifconfig_t:s0 root      597448       1  1 19:22 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:ifconfig_t:s0 apache    597452  597448  0 19:22 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
[snip]

This is incorrect, as the context for httpd should be httpd_t, not
ifconfig_t.

This happens because ipvrf_exec invokes cmd_exec without setting the
correct SELinux context before. Without the correct setting, the process
is executed using ip's SELinux context.

This patch series makes "ip vrf exec" SELinux-aware using the
setexecfilecon functions, which retrieves the correct context to be used
on the next execvp() call.

After this series:
# systemctl start httpd
# ps -eafZ | grep httpd
system_u:system_r:httpd_t:s0    root      595805       1  0 19:01 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    595809  595805  0 19:01 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND


Patch series description:
- 1/4 and 2/4 are preliminary changes to make SELinux helper functions
  used in ss conformant to the SELinux API definitions;
- 3/4 makes SELinux helper functions into a library, so they can be used
  in other iproute tools - such as ip - when iproute is compiled without
  SELinux support; 
- 4/4, finally, add setexecfilecon to the SELinux stubs, and uses it to
  actually set the correct file context for the command to be executed.

Andrea Claudi (4):
  ss: make is_selinux_enabled stub work like in SELinux
  ss: make SELinux stub functions conformant to API definitions
  lib: add SELinux include and stub functions
  ip vrf: make ipvrf_exec SELinux-aware

 include/selinux.h | 10 ++++++++++
 ip/ipvrf.c        |  6 ++++++
 lib/Makefile      |  4 ++++
 lib/selinux.c     | 37 +++++++++++++++++++++++++++++++++++++
 misc/ss.c         | 36 ++----------------------------------
 5 files changed, 59 insertions(+), 34 deletions(-)
 create mode 100644 include/selinux.h
 create mode 100644 lib/selinux.c

-- 
2.41.0