Re: New init system hitting a distro near you.

On Fri, 2010-06-18 at 16:00 -0400, Daniel J Walsh wrote:
> On 06/18/2010 03:45 PM, Stephen Smalley wrote:
> > On Fri, 2010-06-18 at 15:34 -0400, Daniel J Walsh wrote:
> >> http://0pointer.de/blog/projects/systemd.html
> >>
> >> This has interesting ramifications for SELinux.  I have a working
> >> version of this in Fedora 14, but we need to add rules like
> >>
> >> allow sshd_t init_t:tcp_socket { getopt ioctl getattr setopt };
> >>
> >> Since systemd will be doing the listening and passing the socket to sshd.
> >>
> >> Could we have risks of sshd_t grabbing the tcp_socket connected to
> >> httpd_t?
> >>
> >> In this scenario we are no longer protecting against the name_bind, and
> >> are forced to put more trust into init_t.
> >
> > Can we get systemd to use setsockcreatecon() to assign the right label
> > to the socket?
> >
> 
> Probably but how does it figure out the context?

The sockets would normally be labeled with the context of the individual
daemon process.  So we would want to compute the context in which the
daemon process will run and then use that for the socket.  Which we can
do via security_compute_create().  Sample code attached.  Compile with:
gcc -lselinux -o setsockcon setsockcon.c

Example run (in permissive):
$ runcon system_u:system_r:init_t:s0 ./setsockcon /usr/sbin/sshd
/usr/sbin/sshd system_u:system_r:sshd_t:s0

-- 
Stephen Smalley
National Security Agency

/* setsockcon.c: for each path given, compute the context a process exec'd
 * from that file would run in (as seen from this process's own context),
 * make it this thread's socket-create context, and print path and context.
 * Meant to be run in init's context, as in the runcon example above.
 * Build: gcc -lselinux -o setsockcon setsockcon.c */
#include <errno.h>
#include <selinux/selinux.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int setsockconfrompath(const char *path)
{
	security_context_t mycon = NULL, fcon = NULL, newcon = NULL;
	security_class_t sclass;
	int rc = 0;

	/* Source context: our own (init_t when run as intended). */
	rc = getcon(&mycon);
	if (rc < 0)
		goto out;
	/* Target context: the daemon executable's file label. */
	rc = getfilecon(path, &fcon);
	if (rc < 0)
		goto out;
	/* Ask the policy what a "process" created from that pair would be
	 * labeled; this is the same transition the kernel applies on exec. */
	sclass = string_to_security_class("process");
	if (!sclass) {
		/* Returns 0 when the loaded policy has no such class. */
		errno = EINVAL;
		rc = -1;
		goto out;
	}
	rc = security_compute_create(mycon, fcon, sclass, &newcon);
	if (rc < 0)
		goto out;
	/* Sockets this thread creates from now on carry newcon. */
	rc = setsockcreatecon(newcon);
	if (rc < 0)
		goto out;
	printf("%s %s\n", path, newcon);
out:
	/* freecon() tolerates NULL, so the error paths need no bookkeeping. */
	freecon(mycon);
	freecon(fcon);
	freecon(newcon);
	return rc;
}

int main(int argc, char **argv)
{
	int i;
	for (i = 1; i < argc; i++)
		if (setsockconfrompath(argv[i]) < 0) {
			perror(argv[i]);
			exit(1);
		}
	exit(0);
}
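The attached program stops at setting the create context. As an added example (not from this thread and not systemd's own code), the following carries the same procedure through to the socket init would hand to the daemon: compute the daemon's context, set it as the socket-create context, create/bind/listen, and then reset the create context, which is per-thread state that would otherwise silently label every later socket init makes with the daemon's type. It assumes the libselinux Python bindings (module `selinux`, with its `[rc, value]` return convention); where they are absent or SELinux is disabled, the socket is created with the kernel default label instead of failing, which is also the check the attached program lacks. The daemon path and port are illustrative.

```python
import socket

try:
    import selinux  # libselinux Python bindings (assumed installed)
except ImportError:
    selinux = None  # treated as "SELinux not active" below


def _split(ret):
    """The bindings return either an int rc, or [rc, value] for calls that
    hand back a context.  Normalise to (rc, value)."""
    if isinstance(ret, (list, tuple)):
        return int(ret[0]), ret[1]
    return int(ret), None


def selinux_active():
    """True only when the bindings import and the kernel has SELinux enabled;
    getcon()/setsockcreatecon() fail otherwise, so callers must skip them."""
    return selinux is not None and selinux.is_selinux_enabled() > 0


def compute_daemon_label(daemon_path):
    """Context in which daemon_path would run if exec'd from this process:
    security_compute_create(our context, file context, "process").
    Returns None when SELinux is not active; raises OSError on failure."""
    if not selinux_active():
        return None
    rc, mycon = _split(selinux.getcon())
    if rc < 0:
        raise OSError("getcon failed")
    rc, fcon = _split(selinux.getfilecon(daemon_path))
    if rc < 0:
        raise OSError("getfilecon(%s) failed" % daemon_path)
    tclass = selinux.string_to_security_class("process")
    if tclass == 0:
        raise OSError("loaded policy has no 'process' class")
    rc, newcon = _split(selinux.security_compute_create(mycon, fcon, tclass))
    if rc < 0:
        raise OSError("security_compute_create failed")
    return newcon


def open_labeled_listener(daemon_path, host="127.0.0.1", port=0, backlog=16):
    """Create, bind and listen on a TCP socket carrying the daemon's label,
    as init would before passing the fd on.  The socket-create context is
    reset in all cases, including failures.  Returns (socket, label)."""
    label = compute_daemon_label(daemon_path)
    if label is not None:
        rc, _ = _split(selinux.setsockcreatecon(label))
        if rc < 0:
            raise OSError("setsockcreatecon(%s) failed" % label)
    s = None
    try:
        # Created while the create context is set, so the socket is labeled
        # with the daemon's type rather than with init's own.
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(backlog)
    except Exception:
        if s is not None:
            s.close()
        raise
    finally:
        if label is not None:
            # None maps to NULL in the bindings: back to the default label.
            selinux.setsockcreatecon(None)
    return s, label


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or ["/usr/sbin/sshd"]:
        sock, lbl = open_labeled_listener(path)
        print(path, lbl, sock.getsockname())
        sock.close()
```

With the socket labeled as the daemon's own type, the `allow sshd_t init_t:tcp_socket ...` rule from the first message is no longer needed; what the policy has to grant instead is init's creation of the daemon-typed socket (`init_t` acting on `sshd_t:tcp_socket` for create/bind/listen), and `name_bind` is still checked against the socket's label, so the port restriction Dan was worried about losing stays with `sshd_t`.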
