Re: RFC - Display context information using iproute2 ss utility

Thanks for clarifying the socket fd context.

For the iproute ss utility I was thinking of altering the man page to
reflect your comments (added below) and some testing I've done using
policy role/type and range transition statements.

Overall, do you think it is worth adding the socket contexts to the ss utility?


-Z, --context
    Show SELinux security contexts. The context of the process using
    the socket and the socket's context will be displayed. The socket
    context is taken from the file descriptor's inode and is not the
    actual socket context held by the kernel. Sockets are typically
    labeled with the context of the creating process; however, the
    context shown will reflect any policy role, type and/or range
    transition rules applied, and is therefore a useful reference.

    For netlink(7) sockets the initiating process context is displayed
    as follows:

      1. If valid pid show the process context.

      2. If destination is kernel (pid = 0) show kernel initial context.

      3. If a unique identifier has been allocated by the kernel or
         netlink user, show context as "not available".
         This will generally indicate that a process has more
         than one netlink socket active.

Richard



----- Original Message -----
> From: Paul Moore <paul@xxxxxxxxxxxxxx>
> To: Ole Kliemann <ole@xxxxxxxxxxxxxxx>; Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> Cc: selinux@xxxxxxxxxxxxx
> Sent: Friday, 7 February 2014, 21:50
> Subject: Re: RFC - Display context information using iproute2 ss utility
> 
> On Friday, February 07, 2014 06:03:25 PM Ole Kliemann wrote:
>>  On Fri, Feb 07, 2014 at 04:22:37PM +0000, Richard Haines wrote:
>>  > I've been patching the iproute2 "ss" utility to display the SELinux
>>  > security contexts for process and sockets, however I'm not sure
>>  > whether the socket contexts are correct (I expected most to show
>>  > system_u:object_r:....).
>>  > 
>>  > I'm taking the socket contexts from /proc/PID/fd as was mentioned in
>>  > a previous email regarding socket contexts - is this correct ??
>> 
>>  I was doing it that way and it seemed to work ...
> 
> What you will see is the label of the socket's associated inode, not the 
> actual socket label.
> 
>>  ... I could even change the context using 'chcon /proc/PID/fd'.
> 
> Yes, you really shouldn't do that.  I've actually got a patch kicking around
> that I haven't had the time to test which will actually prevent you from
> changing a socket's inode label.
> 
>>  But I have no idea whether it is supposed to be a reliable way or
>>  any other methods exist. The whole sockfs thing kept me rather
>>  wondering...
> 
> It works as far as I know, it just turns out that it isn't quite what you 
> think it is :)
> 
> -- 
> paul moore
> www.paul-moore.com
> 
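The lookups the man page draft above describes (process context, the socket label read from the /proc/PID/fd inode rather than from the kernel's socket object, and the three netlink peer rules), as an added Python example that is not part of the ss patch or the iproute2 code base. It uses the security.selinux xattr instead of libselinux and assumes selinuxfs is mounted at /sys/fs/selinux; the netlink peer pid and the `lookup` callback are hypothetical inputs for the rules.

```python
"""Process context and socket-inode label for the socket fds of a PID, as the
draft `ss -Z` text describes (inode label, not the kernel's socket label)."""
import os
import re

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")
NOT_AVAILABLE = "not available"
KERNEL_INITIAL = "/sys/fs/selinux/initial_contexts/kernel"  # assumes selinuxfs here

def _read_label(path):
    try:
        with open(path, "rb") as f:
            return f.read().decode().rstrip("\0\n") or None
    except OSError:  # no such pid, or no LSM serving the attribute
        return None

def process_context(pid):
    """Context of the process itself (what getpidcon(3) returns)."""
    return _read_label(f"/proc/{pid}/attr/current")

def socket_inode(link_target):
    """Inode number from a /proc/PID/fd link target, None if not a socket."""
    m = SOCKET_LINK.match(link_target)
    return int(m.group(1)) if m else None

def socket_fd_contexts(pid):
    """Yield (fd, inode, label) for socket fds; label is the security.selinux
    xattr of the sockfs inode behind the fd link, i.e. what the patched ss prints."""
    fd_dir = f"/proc/{pid}/fd"
    for name in sorted(os.listdir(fd_dir), key=int):
        link = os.path.join(fd_dir, name)
        try:
            inode = socket_inode(os.readlink(link))
        except OSError:  # fd closed meanwhile
            continue
        if inode is None:  # not a socket
            continue
        try:
            label = os.getxattr(link, "security.selinux").decode().rstrip("\0")
        except OSError:  # SELinux not enabled on this host
            label = None
        yield int(name), inode, label

def netlink_peer_context(peer_pid, lookup=process_context, kernel_context=None):
    """Rules 1-3 above: live pid -> its context; 0 -> kernel initial context;
    any other value is a kernel/user-allocated unique id, so 'not available'."""
    if peer_pid == 0:
        return kernel_context or _read_label(KERNEL_INITIAL) or NOT_AVAILABLE
    return lookup(peer_pid) or NOT_AVAILABLE
```

Iterating `socket_fd_contexts(os.getpid())` on an SELinux host prints the inode labels that the draft text warns are not the socket labels the kernel actually enforces on.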
