Re: [systemd-devel] socket activation selinux context on create

I tried setting the context of the port with semanage and starting the
service, but netstat shows the type as init_t and not the type I set.
The system I tried this on is in permissive.

On Thu, Aug 25, 2022 at 8:30 AM Ted Toth <txtoth@xxxxxxxxx> wrote:
>
> Maybe if I set the port type using semanage then a type transition
> will happen automatically?
>
> On Thu, Aug 25, 2022 at 8:22 AM Ted Toth <txtoth@xxxxxxxxx> wrote:
> >
> > I asked on the systemd-devel list about enabling systemd to set the
> > context of a socket and got the answer I've included below. I don't
> > know how a transition rule can be written to transition tcp sockets to
> > multiple different target contexts, is this possible and if so how?
> >
> > ---------- Forwarded message ---------
> > From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
> > Date: Thu, Aug 25, 2022 at 4:19 AM
> > Subject: Re: [systemd-devel] socket activation selinux context on create
> > To: Ted Toth <txtoth@xxxxxxxxx>
> > Cc: <systemd-devel@xxxxxxxxxxxxxxxxxxxxx>
> >
> >
> > On Mi, 24.08.22 11:50, Ted Toth (txtoth@xxxxxxxxx) wrote:
> >
> > > I don't see a way to set the context of the socket that systemd
> > > listens on. If there is a way to do this please tell me otherwise I'd
> > > like to see an option (SELinuxCreateContext?) added to be able to set
> > > the context (setsockcreatecon) to be used by systemd when creating the
> > > socket. Currently as an extra layer of security I add code called in
> > > the socket activation ExecStartPre process to check that the source
> > > context (peercon) can connect to the target context (getcon). If a
> > > socket's context was set by systemd I would have to perform this
> > > additional check as my SELinux policy would do it for me.
> >
> > This was proposed before, but the SELinux maintainers really want the
> > loaded SELinux policy to pick the label, and not unit files.
> >
> > i.e. as I understand their philosophy: how labels are assigned should
> > be encoded in the database and in the policy but not elsewhere,
> > i.e. in unit files. I think that philosophy does make sense.
> >
> > Lennart
> >
> > --
> > Lennart Poettering, Berlin


