On Wednesday 27 August 2008 2:20:48 pm Trent Jaeger wrote:
> On Aug 27, 2008, at 2:05 PM, Eric Paris wrote:
> >> Hi,
> >>
> >> What we want is to create a socket within the context of a
> >> multilevel secure process. For example, if the process has an MLS
> >> range of s0-s1, we may want an s0 or s1 socket.
> >>
> >> Thus, in theory, we should be able to avoid dealing with context
> >> changes on connected sockets and such. Once the socket goes into
> >> any use, it cannot be relabeled.
> >>
> >> I am not sure that setxattr will work as this is an inode
> >> operation, and I do not see a reference from an inode to an
> >> associated socket.
> >>
> >> Originally, I was thinking of setsockopt, but I agree that it
> >> would be nice to deal with it via the file interface, like
> >> fsetfilecon.
> >
> > /proc/self/attr/sockcreate and I know I wrote some libselinux stuff
> > around it too....
>
> OK. We'll take a look.

Yeah, as others have said setsockcreatecon() is your friend here. If you need a working example there is a test utility included in the audit-test project on sourceforge[1] which uses setsockcreatecon() to create some strangely labeled sockets. If you download the audit-test sources the tool can be found in utils/network-server; it isn't the prettiest piece of code but it works ;)

If you have any questions or problems don't hesitate to ask.

[1] http://sourceforge.net/projects/audit-test

--
paul moore
linux @ hp
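An added illustration of the approach discussed above (my own code, not the thread's and not the audit-test utility): it writes the per-thread /proc/self/task/TID/attr/sockcreate file that libselinux's setsockcreatecon() wraps, so it builds without libselinux, creates one socket under the requested context, and clears the setting again so later sockets get the default label. The function names and the sensitivity-only range check are my own; the loaded policy still decides whether the label is allowed.

```c
/* Added example, not from the thread. Takes effect only on an SELinux/MLS kernel. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Sensitivity-only check (categories ignored): is "sN" inside "sA-sB" or the
 * single level "sA"? A local sanity check before asking the kernel. */
int level_in_range(const char *range, const char *lvl)
{
    unsigned lo, hi, l;
    const char *dash = strchr(range, '-');
    if (sscanf(range, "s%u", &lo) != 1 || sscanf(lvl, "s%u", &l) != 1) return 0;
    if (!dash || sscanf(dash + 1, "s%u", &hi) != 1) hi = lo;
    return l >= lo && l <= hi;
}

/* Set (ctx == NULL clears) the calling thread's socket-creation context by
 * writing the per-thread /proc file that setsockcreatecon() uses under the
 * hood. Returns 0, or -1 with errno set. */
int set_sockcreate_context(const char *ctx)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/task/%ld/attr/sockcreate",
             (long)syscall(SYS_gettid));
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t w = ctx ? write(fd, ctx, strlen(ctx) + 1) : write(fd, NULL, 0);
    int saved = errno;
    close(fd);
    errno = saved;
    return w < 0 ? -1 : 0;
}

/* Create one socket labelled ctx, then clear the setting so later sockets get
 * the default label again. The label is fixed once the socket is in use. */
int socket_with_context(int domain, int type, int protocol, const char *ctx)
{
    if (set_sockcreate_context(ctx) < 0) return -1;
    int fd = socket(domain, type, protocol);   /* fails if policy denies the label */
    int saved = errno;
    set_sockcreate_context(NULL);
    errno = saved;
    return fd;
}
```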