-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/12/2010 11:39 AM, Xavier Toth wrote:
> ---------- Forwarded message ----------
> From: Xavier Toth <txtoth@xxxxxxxxx>
> Date: Wed, May 12, 2010 at 10:38 AM
> Subject: Re: talking to mcstrans in MLS enforcing on rhel6 beta
> To: Stephen Smalley <sds@xxxxxxxxxxxxx>
>
>
> On Tue, May 11, 2010 at 4:13 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> On Tue, 2010-05-11 at 11:10 -0500, Xavier Toth wrote:
>>> I'm a bit confused about something. mcstransd creates a socket and
>>> through a transition rule it gets labeled setrans_var_run_t (this is
>>> also the type used with mls_trusted_object in the setrans policy);
>>> however, when other apps try to connect to it the target context type
>>> is setrans_t, which of course isn't trusted, so no one can connect. As
>>> an experiment I added setrans_t as an MLS trusted object and then other
>>> apps could connect. Not sure where the target context comes from on
>>> connectto because the socket file is labeled setrans_var_run_t on the
>>> disk. Something needs fixing, just not sure what. Doesn't seem right to
>>> add 'mls_trusted_object(setrans_t)'.
>>
>> When you create and bind a Unix domain socket in the file system
>> namespace (as opposed to the abstract namespace), there are two objects:
>> the socket itself (created upon the socket call, labeled with the label
>> of the creating process), and the file (created upon the bind call,
>> labeled in accordance with the usual file labeling behavior).
>> Connecting to such a socket requires both write access to the file and
>> connectto permission to the socket. So connectto is a socket-to-socket
>> (which looks like process-to-process since sockets are labeled based on
>> creating process and act as proxies/queues between processes) check.
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>>
>
> So mls_trusted_object(setrans_t) needs to be added.
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

selinux-policy-3.7.19-15.el6 should have this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkvq1iQACgkQrlYvE4MpobM7iwCg52TJrPWJf2602dB9ih4IyFUs
X+oAn1RiJ9hZ7jDSJUstUWSduTM/lGvh
=7If3
-----END PGP SIGNATURE-----
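The two checks Stephen describes (write on the sock_file, then connectto on the listening socket, which carries the label of the process that created it) and the effect of the mls_trusted_object() exemption, as an added worked model. This is illustration code written for this page, not code from the thread, the kernel or the reference policy. The MLS side is reduced to "same level, or the target type carries mlstrustedobject"; the real mlsconstrain has further exemptions that are left out. The setrans_t and setrans_var_run_t names come from the thread; the client type user_t, the MLS levels s2:c0.c3 and s0, and the allow rules are constructed for the example.

```python
"""Model of the two SELinux checks behind connect() on a filesystem Unix
domain socket, plus the MLS 'trusted object' exemption.

Added illustration for the thread above, not kernel or refpolicy code.
The type names follow the thread; the client type user_t, the MLS levels
and the allow rules are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Level:
    """One MLS level: sensitivity plus a category set. Equality is the
    'l1 eq l2' test used by the MLS constraints."""
    sens: int
    cats: frozenset


def parse_level(text):
    """Parse 's2:c0.c3,c7' into Level(2, {0,1,2,3,7}); 'cA.cB' is a range."""
    sens, _, catpart = text.partition(":")
    cats = set()
    for item in filter(None, catpart.split(",")):
        if "." in item:
            lo, hi = item.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return Level(int(sens[1:]), frozenset(cats))


@dataclass(frozen=True)
class Context:
    type_: str
    level: Level


def ctx(type_, level):
    return Context(type_, parse_level(level))


@dataclass
class Policy:
    # TE allow rules as (source type, target type, class, permission)
    allow: set = field(default_factory=set)
    # Types carrying the mlstrustedobject attribute (what mls_trusted_object() adds)
    mlstrustedobject: set = field(default_factory=set)

    def check(self, src, tgt, cls, perm):
        """TE first, then a reduced MLS write constraint: same level, or the
        target type is a trusted object. (The real mlsconstrain also has
        subject-side exemptions; they are omitted here.)"""
        if (src.type_, tgt.type_, cls, perm) not in self.allow:
            return f"denied (TE): {src.type_} -> {tgt.type_}:{cls} {perm}"
        if src.level != tgt.level and tgt.type_ not in self.mlstrustedobject:
            return f"denied (MLS): {tgt.type_}:{cls} is not an mlstrustedobject"
        return "allowed"


def unix_connect(policy, client, server, sock_file):
    """connect() on a named Unix socket hits two objects: the sock_file in
    the filesystem (write) and the listening socket, which carries the
    label of the process that created it (connectto)."""
    for tgt, cls, perm in ((sock_file, "sock_file", "write"),
                           (server, "unix_stream_socket", "connectto")):
        verdict = policy.check(client, tgt, cls, perm)
        if verdict != "allowed":
            return verdict
    return "allowed"


def setrans_policy(trust_setrans_t):
    """Rules a client domain needs for mcstransd; the flag adds the
    mls_trusted_object(setrans_t) line the thread settled on."""
    p = Policy()
    p.allow.add(("user_t", "setrans_var_run_t", "sock_file", "write"))
    p.allow.add(("user_t", "setrans_t", "unix_stream_socket", "connectto"))
    p.mlstrustedobject.add("setrans_var_run_t")
    if trust_setrans_t:
        p.mlstrustedobject.add("setrans_t")
    return p


# Constructed sample contexts: a client at s2 with some categories, the
# daemon and its socket file at s0 (the socket inherits the daemon's label).
CLIENT = ctx("user_t", "s2:c0.c3")
SERVER = ctx("setrans_t", "s0")
SOCK_FILE = ctx("setrans_var_run_t", "s0")


def demo():
    """Verdicts before and after trusting setrans_t."""
    before = unix_connect(setrans_policy(False), CLIENT, SERVER, SOCK_FILE)
    after = unix_connect(setrans_policy(True), CLIENT, SERVER, SOCK_FILE)
    return before, after


if __name__ == "__main__":
    for label, verdict in zip(("without mls_trusted_object(setrans_t)",
                               "with    mls_trusted_object(setrans_t)"), demo()):
        print(f"{label}: {verdict}")
```

Running it reproduces the situation in the thread: the sock_file write passes because setrans_var_run_t is already a trusted object, and connectto is refused on the MLS side until setrans_t is trusted as well, which is why trusting the file type alone never helped. On a real MLS system the same two TE rules can be confirmed with sesearch (one query for sock_file write, one for unix_stream_socket connectto) and the attribute membership with seinfo -a mlstrustedobject -x; exact option spelling depends on the setools version installed.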