Maybe if I set the port type using semanage then a type transition will happen automatically?

On Thu, Aug 25, 2022 at 8:22 AM Ted Toth <txtoth@xxxxxxxxx> wrote:
>
> I asked on the systemd-devel list about enabling systemd to set the
> context of a socket and got the answer I've included below. I don't
> know how a transition rule can be written to transition tcp sockets to
> multiple different target contexts, is this possible and if so how?
>
> ---------- Forwarded message ---------
> From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
> Date: Thu, Aug 25, 2022 at 4:19 AM
> Subject: Re: [systemd-devel] socket activation selinux context on create
> To: Ted Toth <txtoth@xxxxxxxxx>
> Cc: <systemd-devel@xxxxxxxxxxxxxxxxxxxxx>
>
>
> On Mi, 24.08.22 11:50, Ted Toth (txtoth@xxxxxxxxx) wrote:
>
> > I don't see a way to set the context of the socket that systemd
> > listens on. If there is a way to do this please tell me otherwise I'd
> > like to see an option (SELinuxCreateContext?) added to be able to set
> > the context (setsockcreatecon) to be used by systemd when creating the
> > socket. Currently as an extra layer of security I add code called in
> > the socket activation ExecStartPre process to check that the source
> > context (peercon) can connect to the target context (getcon). If a
> > socket's context was set by systemd I would have to perform this
> > additional check as my SELinux policy would do it for me.
>
> This was proposed before, but SELinux maintainers really want that the
> loaded selinux policy picks the label, and not unit files.
>
> i.e. as I understand their philosophy: how labels are assigned should
> be encoded in the database and in the policy but not elsewhere,
> i.e. in unit files. I think that philosophy does make sense.
>
> Lennart
>
> --
> Lennart Poettering, Berlin
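The thread asks how policy, rather than a unit file, can assign the label of a socket that systemd creates. The following is an added example written for this page; it is not code from the thread, from systemd or from any distribution policy. It is a minimal refpolicy-style module that gives the tcp sockets created by the systemd domain a dedicated type via a type_transition rule. `init_t` is the systemd domain type in the common distribution policies; `myapp_t` and `myapp_listen_socket_t` are hypothetical types chosen for the illustration, and the permission sets are assumptions to be trimmed to what the real service needs.

```selinux
policy_module(myapp_socket, 1.0)

# Types taken from the base policy. init_t is the systemd domain; the tcp_socket
# permissions listed here are a broad assumption, not a measured requirement.
gen_require(`
    type init_t;
    class tcp_socket { create bind listen accept getattr setattr getopt setopt read write shutdown };
')

# Hypothetical types for this example.
type myapp_t;                 # the socket-activated service domain
type myapp_listen_socket_t;   # the label we want the listening socket to carry

# Default labelling rule for sockets. For a socket, the "target" of a
# type_transition is the creating domain itself, so the rule is keyed on
# (init_t, init_t, tcp_socket). Name-based transitions exist only for
# filesystem objects, so this triple can map to exactly one new type: the
# policy cannot hand different tcp sockets created by init_t different labels.
type_transition init_t init_t:tcp_socket myapp_listen_socket_t;

# systemd must be allowed to create and operate the socket under its new label.
allow init_t myapp_listen_socket_t:tcp_socket { create bind listen accept getattr setattr getopt setopt shutdown };

# The socket is handed to the activated service, which then accepts on it.
allow myapp_t myapp_listen_socket_t:tcp_socket { accept getattr setattr getopt setopt read write shutdown listen };
```

Two points follow from how the rule is keyed. First, because there is one default per (source domain, target, class), multiple distinct socket labels require either multiple creating domains or a caller that sets the create context itself (setsockcreatecon), which is the approach the forwarded reply says systemd will not take. Second, `semanage port` records a portcon entry that labels the port number; that label is what name_bind and name_connect are checked against, and it does not change the type the socket object receives at creation, so it does not trigger a type_transition. Checking the module compiles is done with the distribution's policy Makefile (for example `make -f /usr/share/selinux/devel/Makefile myapp_socket.pp`) before loading it with `semodule -i`.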