On Tue, 2021-11-16 at 16:38 +0000, Richard Haines wrote: > Clarify how SELinux setsockcreatecon(3) and policy socket* class > type_transition rules can impact domain:<domain> entries. > > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> > --- > V2: Clarify the labels returned using getsockopt(2) > > doc/man/man8/netlabelctl.8 | 29 ++++++++++++++++++++++++++++- > 1 file changed, 28 insertions(+), 1 deletion(-) > > diff --git a/doc/man/man8/netlabelctl.8 b/doc/man/man8/netlabelctl.8 > index bb00096..2a7852b 100644 > --- a/doc/man/man8/netlabelctl.8 > +++ b/doc/man/man8/netlabelctl.8 > @@ -57,7 +57,9 @@ Display the kernel's list of supported labeling > protocols. > The domain mapping module is used to map different NetLabel labeling > protocols > to either individual LSM domains or the default domain mapping. It is > up to > each LSM to determine what defines a domain. With SELinux, the normal > SELinux > -domain should be used, i.e. "ping_t". In addition to protocol > selection based > +domain should be used, i.e. "ping_t" (however see the > +.B NOTES > +section below regarding SElinux). In addition to protocol selection > based > only on the LSM domain, it is also possible to select the labeling > protocol > based on both the LSM domain and destination address. The network > address > selectors can specify either single hosts or entire networks and work > for both 
> @@ -259,6 +261,31 @@ The static, or fallback, labels are only supported > on Linux Kernels version > Linux Kernels 2.6.28 and later and CALIPSO/RFC5570 is only supported > on Linux > Kernels 4.8.0 and later. > .P > +When using the SELinux LSM, it is generally assumed that the > +.I type > +component of the process security label should be used as the > +.I domain:<domain> > +entry. However, NetLabel services actually use the socket security > label to > +determine labeling. Normally this would be the same > +.I type > +component as the process (as by default the socket inherits the > process > +label). There are cases where this matters, as it is possible with > SELinux > +to set a different label on the socket using the libselinux function > +.BR setsockcreatecon (3), > +or a policy socket* class > +.I type_transition > +rule. Should these be used to change a socket label, then the new > socket > +.I type > +must be used in the > +.I domain:<domain> > +entry instead. > +If fallback labeling is configured and a new socket label is set on > the > +client, the server will show that label when > +.BR getsockopt (2) > +with > +.I optname=SO_PEERSEC > +is called. > +.P > The NetLabel project site, with more information including the source > code > repository, can be found at https://github.com/netlabel. ; Please > report any > bugs at the project site or directly to the author. Are these really bugs or just features ?? The new tests in [1] treat them as features. [1] https://lore.kernel.org/selinux/20211117131450.41705-1-richard_c_haines@xxxxxxxxxxxxxx/
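Review bot: in the first hunk (@@ -57,7 +57,9 @@) the added parenthetical spells the name "SElinux" while the surrounding sentence and the rest of the patch use "SELinux"; make it "SELinux". The new cross-reference to a .B NOTES section also only helps the reader if the page really has a section with that title: the second hunk adds its paragraph after the fallback-labels text without any .SH NOTES header appearing in the context lines, so either confirm that header exists in the unchanged part of the file or point at the section that actually carries the new paragraph.

Review bot: in the second hunk (@@ -259,6 +261,31 @@) the closing SO_PEERSEC sentence leaves implicit which label the server sees, which is the whole point of the paragraph; state directly that getsockopt(2) with SO_PEERSEC on the server side returns the client socket's label (the changed socket .I type ), and that this is the value that must match the .I domain:<domain> entry, so an administrator can verify the mapping from the server rather than guessing from the client process label. A smaller style point: "a policy socket* class .I type_transition rule" is terse for a man page; spell out that socket* stands for the socket object classes that a type_transition rule can name, and consider ending the list with a short example of the resulting mismatch (process type unchanged, socket type transitioned) since that is the case the paragraph warns about.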