Re: Socket and inode label consistency

On Aug 27, 2008, at 2:34 PM, Paul Moore wrote:
On Wednesday 27 August 2008 2:20:48 pm Trent Jaeger wrote:
On Aug 27, 2008, at 2:05 PM, Eric Paris wrote:
Hi,


What we want is to create a socket within the context of a
multilevel secure process.  For example, if the process has an MLS
range of s0-s1, we may want an s0 or s1 socket.


Thus, in theory, we should be able to avoid dealing with context
changes on connected sockets and such.  Once the socket goes into
any use, it cannot be relabeled.


I am not sure that setxattr will work as this is an inode
operation, and I do not see a reference from an inode to an
associated socket.


Originally, I was thinking of setsockopt, but I agree that it would be
nice to deal with it via the file interface, like fsetfilecon.

/proc/self/attr/sockcreate and I know I wrote some libselinux stuff
around it too....

OK.  We'll take a look.

Yeah, as others have said setsockcreatecon() is your friend here.  If
you need a working example there is a test utility included in the
audit-test project on sourceforge[1] which uses setsockcreatecon() to
create some strangely labeled sockets.  If you download the audit-test
sources the tool can be found in utils/network-server; it isn't the
prettiest piece of code but it works ;)

If you have any questions or problems don't hesitate to ask.



That is great.  Thanks.

Regards,
Trent.
----------------------------------------------
Trent Jaeger, Associate Professor
Pennsylvania State University, CSE Dept
346A IST Bldg, University Park, PA 16802
Ph: (814) 865-1042, Fax: (814) 865-3176
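A worked example, added here and not taken from the thread or from the audit-test tool: it uses the same mechanism Eric and Paul point at (the /proc/self/attr/sockcreate attribute that setsockcreatecon() writes) from Python with only the standard library, derives a single-level context from the process's own MLS range as in the s0-s1 case above, creates a socketpair under that label and reads the label back through SO_PEERSEC. Assumptions: an SELinux-enabled kernel recent enough to record peer labels for socketpair(), policy that grants the caller setsockcreate and the requested level, and that it runs from the main thread (the /proc/self/attr files reject writes from other threads); the MLS check compares sensitivities only and ignores category sets.

```python
import os, socket, sys

SOCKCREATE = "/proc/self/attr/sockcreate"       # the file setsockcreatecon() writes
SO_PEERSEC = getattr(socket, "SO_PEERSEC", 31)  # Linux socket option number


def current_context():
    """Process label user:role:type:range, as getcon() would return it."""
    with open("/proc/self/attr/current") as f:
        return f.read().rstrip("\0\n")


def _sensitivity(level):
    return int(level.split(":")[0].lstrip("s"))  # "s3:c1" -> 3, categories ignored


def derive_level_context(ctx, level):
    """Replace the MLS range in ctx by a single level, e.g. s0-s1 -> s1.

    Simplified check: sensitivities only, category sets are not compared.
    A level outside the range is refused here; the kernel would refuse it too."""
    user, role, typ, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    if not _sensitivity(low) <= _sensitivity(level) <= _sensitivity(high or low):
        raise ValueError(f"{level} is outside the process range {mls}")
    return f"{user}:{role}:{typ}:{level}"


def _set_sockcreate(ctx):
    fd = os.open(SOCKCREATE, os.O_WRONLY)
    try:
        os.write(fd, ctx.encode())  # zero-length write clears it, like setsockcreatecon(NULL)
    finally:
        os.close(fd)


def labeled_socketpair(ctx):
    """Create an AF_UNIX stream pair under ctx; return the pair and the label observed."""
    _set_sockcreate(ctx)
    try:
        a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    finally:
        _set_sockcreate("")  # sockets created later get the process label again
    # SO_PEERSEC on a reports b's label; both ends were created under ctx.
    # Assumption: a kernel that records the peer label for socketpair().
    seen = a.getsockopt(socket.SOL_SOCKET, SO_PEERSEC, 256).rstrip(b"\0").decode()
    return (a, b), seen


if __name__ == "__main__":
    ctx = derive_level_context(current_context(), sys.argv[1] if len(sys.argv) > 1 else "s0")
    (a, b), seen = labeled_socketpair(ctx)
    print(f"requested {ctx}\nobserved  {seen}")
    a.close(); b.close()
```

If the requested level is not permitted, the write to sockcreate fails with EACCES (or EINVAL for a context the policy does not know), which is the same error setsockcreatecon() reports.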
