* Question regarding SELinux and IPsec
From: Paul Moore @ 2005-03-08 15:42 UTC (permalink / raw)
To: selinux
Hello,
At the symposium last week Trent Jaeger presented some work that he and
a few others did to enable negotiation of SELinux contexts during an IKE
exchange. During the Q/A portion of Trent's presentation he said there
was a draft available which specified the additional IKE payload format,
however, doing a quick search through the IPsec/IKE IETF working groups
I wasn't able to find anything relevant. Has the draft expired, or am I
simply missing it? Either way, it would be a great help if someone
could post a pointer to the draft, or if it is not currently available
online I would appreciate it if you could send me a copy via email.
Thanks,
--
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore@hp.com hewlett packard
. (603) 884-5056 linux security
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Question regarding SELinux and IPsec
From: Kodungallur Varma @ 2005-03-09 3:48 UTC (permalink / raw)
To: selinux
Hi all,
I am trying to dynamically change the context of my program by
using the setcon() function. I have a simple program that tries to do
that but the setcon() function always returns -1 for the input in the
program.
#include <stdio.h>
#include <string.h>   /* strcpy() */
#include <selinux/selinux.h>

int main()
{
    int i;
    char str[100];

    /* context the program asks to switch to */
    strcpy(str,"system_u:object_r:libselinux_test_t");
    i = setcon((security_context_t) str);
    if(i == 0)
    {
        printf("changed to new context..\n");
        return 0;   /* exit status 0 only when the switch worked */
    }
    else if(i == -1)
    {
        printf("error..setcon() returned -1\n");
    }
    else
    {
        printf("unknown result\n");
    }
    return 1;
}
libselinux_test_t is the domain in which I want this program to run. I
have the following policy for that:
-----------
daemon_domain(libselinux_test_t)
type libselinux_test_t, domain, privlog;
role user_r types libselinux_test_t;
type libselinux_test_dir_t, file_type, sysadmfile;
type libselinux_test_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(user_t, libselinux_test_exec_t, libselinux_test_t)
allow libselinux_test_t sshd_t:fd use;
------------
As I am in user_t domain when I execute the program, the program
starts in the user_t domain. But as there is that domain_auto_trans()
into the libselinux_test_t domain, setcon() into that domain shouldn't
fail for the invalid domain reasons.
I don't have any avc: denied messages as the setcon fails. My belief is
that I am passing bad arguments to setcon().
Could someone please point out where the problem is? Also, I tried to
print out the domain of the current process using getcon(), but I have
some problem. Could someone let me know how to print that out, rather
than viewing it using ps axZ?
thanx a lot in advance..
Ram
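
Added example, not part of the post above and not libselinux code: one way to print the current process context and its domain from inside a program. It reads /proc/self/attr/current, the kernel file that getcon() wraps, so it builds without libselinux; the names read_context, context_type and ATTR_CURRENT are made up for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define ATTR_CURRENT "/proc/self/attr/current" /* file getcon() reads */

/* Read a context string from path into buf; returns 0 or -errno. */
int read_context(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = read(fd, buf, len - 1);
    int err = errno;
    close(fd);
    if (n < 0)
        return -err;
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0'; /* tolerate a trailing newline */
    return 0;
}

/* Copy the type (domain) field of user:role:type[:range] into out. */
int context_type(const char *ctx, char *out, size_t len)
{
    const char *p = strchr(ctx, ':');        /* end of user */
    if (!p || !(p = strchr(p + 1, ':')))     /* end of role */
        return -EINVAL;
    size_t n = strcspn(++p, ":");            /* type stops at range or NUL */
    if (n == 0 || n >= len)
        return -EINVAL;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char ctx[256], type[128];
    int rc = read_context(ATTR_CURRENT, ctx, sizeof ctx);
    if (rc == 0)
        rc = context_type(ctx, type, sizeof type);
    if (rc < 0)
        fprintf(stderr, "%s: %s\n", ATTR_CURRENT, strerror(-rc));
    else
        printf("context: %s\ndomain:  %s\n", ctx, type);
    return rc < 0;
}
```

With libselinux available, getcon() followed by freecon() returns the same string, and printing strerror(errno) after a failed setcon() shows the kernel's reason for the -1.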