------- Any review would be much appreciated. Comments: --------

Add a netlink attribute INET_DIAG_SECCTX

Add a new netlink attribute INET_DIAG_SECCTX to dump the security context of TCP sockets.

The element sk_security of struct sock represents the socket security context ID, which is inherited from the parent process when the socket is created. But when an SELinux type_transition rule is applied to the socket, or the application sets /proc/xxx/attr/createsock, the socket security context will be different from that of the creating process. Under these conditions "netstat -Z" returns the wrong value, since "netstat -Z" only reports the process security context as the socket's security context.

The application to verify the new netlink attribute:

------ See attached file test: --------

1. Enable SELinux at compile time and at startup.

root@qemu-host:/root> ./printsocketsec
inode:7141 system_u:system_r:rpcbind_t:s0
inode:7136 system_u:system_r:rpcbind_t:s0
inode:7604 system_u:system_r:initrc_t:s0
inode:7227 system_u:system_r:rpcd_t:s0
inode:7471 system_u:system_r:sshd_t:s0-s0:c0.c1023
inode:7469 system_u:system_r:sshd_t:s0-s0:c0.c1023
inode:7552 system_u:system_r:sendmail_t:s0
inode:7348 system_u:system_r:initrc_t:s0
inode:7553 system_u:system_r:sendmail_t:s0
root@qemu-host:/root>

2. Disable SELinux at startup.

root@qemu-host:/root> ./printsocketsec
inode:3221
inode:2942
inode:2861
inode:3256
inode:3156
inode:3220
inode:3060
root@qemu-host:/root>

3. Disable SELinux at compile time and at startup.

root@qemu-host:/root> ./printsocketsec
inode:3221
inode:2942
inode:2861
inode:3256
inode:3156
inode:3220
inode:3060
root@qemu-host:/root>
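The attached test program is not part of the mail, so the following is an added example (not the patch author's printsocketsec, and not kernel code) showing what a user-space consumer of the proposed attribute has to do: walk a multi-part inet_diag reply, decode the fixed struct inet_diag_msg (inode, uid, addresses) and then the trailing struct nlattr chain, and print "inode:N <context>" when INET_DIAG_SECCTX is present or just "inode:N" when it is absent, as in the SELinux-disabled runs above. The message and attribute layouts are the mainline ones from linux/netlink.h and linux/inet_diag.h; the attribute number for INET_DIAG_SECCTX is not stated in the mail and is an assumed placeholder here. The reply bytes are constructed inline (using inodes and contexts from the test output above) so the parser runs offline instead of querying the kernel.

```python
import socket
import struct

# Layout constants from <linux/netlink.h>, <linux/sock_diag.h> and
# <linux/inet_diag.h> (mainline values).
NLMSG_HDRLEN = 16          # sizeof(struct nlmsghdr)
NLMSG_DONE = 3             # terminates a multi-part dump
NLM_F_MULTI = 0x2
SOCK_DIAG_BY_FAMILY = 20   # message type carried by inet_diag replies
INET_DIAG_MSG_LEN = 72     # sizeof(struct inet_diag_msg), fixed part before attributes
NLA_HDRLEN = 4             # sizeof(struct nlattr)
NLA_ALIGNTO = 4

# PLACEHOLDER: the attribute number the patch assigns to INET_DIAG_SECCTX is not
# given in the mail; this value is assumed purely for the demonstration.
INET_DIAG_SECCTX = 0x7F


def nla_align(n):
    """Round n up to the 4-byte alignment used by both nlmsghdr and nlattr."""
    return (n + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1)


def parse_attrs(buf):
    """Walk the struct nlattr chain that follows inet_diag_msg; returns {type: payload}."""
    attrs = {}
    off = 0
    while off + NLA_HDRLEN <= len(buf):
        nla_len, nla_type = struct.unpack_from("=HH", buf, off)
        if nla_len < NLA_HDRLEN or off + nla_len > len(buf):
            raise ValueError("malformed nlattr at offset %d" % off)
        attrs[nla_type & 0x7FFF] = bytes(buf[off + NLA_HDRLEN:off + nla_len])
        off += nla_align(nla_len)
    return attrs


def parse_inet_diag_dump(data):
    """Parse a multi-part inet_diag reply into one dict per socket."""
    sockets = []
    off = 0
    while off + NLMSG_HDRLEN <= len(data):
        nlmsg_len, nlmsg_type, _flags, _seq, _pid = struct.unpack_from("=IHHII", data, off)
        if nlmsg_len < NLMSG_HDRLEN or off + nlmsg_len > len(data):
            raise ValueError("malformed nlmsghdr at offset %d" % off)
        if nlmsg_type == NLMSG_DONE:
            break
        if nlmsg_type == SOCK_DIAG_BY_FAMILY:
            body = data[off + NLMSG_HDRLEN:off + nlmsg_len]
            if len(body) < INET_DIAG_MSG_LEN:
                raise ValueError("short inet_diag_msg at offset %d" % off)
            family, state, _timer, _retrans = struct.unpack_from("=BBBB", body, 0)
            sport, dport = struct.unpack_from("!HH", body, 4)   # ports are network order
            addr_len = 4 if family == socket.AF_INET else 16
            src = socket.inet_ntop(family, bytes(body[8:8 + addr_len]))    # idiag_src[4]
            dst = socket.inet_ntop(family, bytes(body[24:24 + addr_len]))  # idiag_dst[4]
            uid, inode = struct.unpack_from("=II", body, 64)              # idiag_uid, idiag_inode
            raw = parse_attrs(body[INET_DIAG_MSG_LEN:]).get(INET_DIAG_SECCTX)
            secctx = raw.rstrip(b"\0").decode() if raw is not None else None
            sockets.append({"inode": inode, "uid": uid, "state": state,
                            "src": "%s:%d" % (src, sport), "dst": "%s:%d" % (dst, dport),
                            "secctx": secctx})
        off += nla_align(nlmsg_len)
    return sockets


def format_like_printsocketsec(sockets):
    """One line per socket, mirroring the test program's output shown in the mail."""
    lines = []
    for s in sockets:
        if s["secctx"]:
            lines.append("inode:%d %s" % (s["inode"], s["secctx"]))
        else:
            lines.append("inode:%d" % s["inode"])
    return lines


def build_diag_msg(inode, sport, src, secctx=None):
    """Construct one SOCK_DIAG_BY_FAMILY reply for an IPv4 listening socket (test data)."""
    body = struct.pack("=BBBB", socket.AF_INET, 10, 0, 0)             # family, TCP_LISTEN
    body += struct.pack("!HH", sport, 0)                               # idiag_sport/dport
    body += socket.inet_pton(socket.AF_INET, src).ljust(16, b"\0")     # idiag_src[4]
    body += b"\0" * 16                                                 # idiag_dst[4]
    body += struct.pack("=III", 0, 0, 0)                               # idiag_if, cookie[2]
    body += struct.pack("=IIIII", 0, 0, 0, 0, inode)                   # expires..uid, inode
    if secctx is not None:                                             # the new attribute
        payload = secctx.encode() + b"\0"
        body += struct.pack("=HH", NLA_HDRLEN + len(payload), INET_DIAG_SECCTX)
        body += payload.ljust(nla_align(len(payload)), b"\0")
    hdr = struct.pack("=IHHII", NLMSG_HDRLEN + len(body), SOCK_DIAG_BY_FAMILY, NLM_F_MULTI, 1, 0)
    return hdr + body


# Constructed reply: two sockets carrying a context and one without (SELinux off).
SAMPLE_DUMP = (
    build_diag_msg(7141, 111, "0.0.0.0", "system_u:system_r:rpcbind_t:s0")
    + build_diag_msg(7471, 22, "0.0.0.0", "system_u:system_r:sshd_t:s0-s0:c0.c1023")
    + build_diag_msg(3221, 25, "127.0.0.1")
    + struct.pack("=IHHII", NLMSG_HDRLEN + 4, NLMSG_DONE, NLM_F_MULTI, 1, 0)
    + struct.pack("=i", 0)
)

if __name__ == "__main__":
    for line in format_like_printsocketsec(parse_inet_diag_dump(SAMPLE_DUMP)):
        print(line)
```

Against a live kernel the same parser would be fed the bytes read from a NETLINK_SOCK_DIAG socket after sending an inet_diag request; since SELinux builds the context string with a trailing NUL, the decoder strips padding and NUL before printing, and the absence of the attribute (not an empty string) is what signals "no security module answered".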