On 06/18/2010 03:45 PM, Stephen Smalley wrote:
On Fri, 2010-06-18 at 15:34 -0400, Daniel J Walsh wrote:
http://0pointer.de/blog/projects/systemd.html
This has interesting ramifications for SELinux. I have a working
version of this in Fedora 14, but we need to add rules like
allow sshd_t init_t:tcp_socket { getopt ioctl getattr setopt };
Since systemd will be doing the listening and passing the socket to sshd.
Could we have risks of sshd_t grabbing the tcp_socket connected to
httpd_t?
In this scenario we are no longer protecting against the name_bind, and
are forced to put more trust into init_t.
Can we get systemd to use setsockcreatecon() to assign the right label
to the socket?
Probably but how does it figure out the context?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
