On Wed, Sep 7, 2022 at 4:19 PM Ted Toth <txtoth@xxxxxxxxx> wrote:
>
> systemd uses a helper process (sd-listen) to create sockets and pass
> their fds back to its parent. I've patched systemd to call semanage to
> get the context for the port if it exists and create a context using
> the returned type when calling setsockcreatecon.

This obviously depends on how you structure and write your policy, but I
don't think you want to use a port type directly as a socket type. I think
we talked about this a little in the other thread, but for bound/listening
sockets maybe you could do a transition for new child sockets based on the
listening socket and port types.

> Everything looks
> right, i.e. the port type is retrieved, the context is created and
> setsockcreatecon is called without errors. However 'netstat -Z' shows
> the listening socket's type as init_t and not the type in the
> setsockcreatecon call, is this the expected behavior? Can anyone help
> me understand why this is happening?

You're calling setsockcreatecon() before you create the listening socket,
right? I wouldn't expect this to work properly if you create the listening
socket and then call setsockcreatecon() hoping to have the new label applied
to the new child sockets.

--
paul-moore.com
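The ordering Paul asks about, as an added C example that is not code from this thread, from systemd or from libselinux. It assumes that libselinux's setsockcreatecon() works by writing the context to /proc/thread-self/attr/sockcreate (and clears it with a zero-length write), and performs that write directly so the program builds without libselinux; the context string taken from the command line is a placeholder, and the loopback listener on port 0 is a constructed input.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Per-thread attribute SELinux reads when a socket is created.  Assumption:
 * libselinux's setsockcreatecon() writes here, and a zero-length write clears
 * it, which is what setsockcreatecon(NULL) does. */
#define SOCKCREATE_ATTR "/proc/thread-self/attr/sockcreate"

/* Set (or clear, when ctx is NULL) the label for sockets this thread creates
 * from now on.  Returns 0 on success, -1 with errno set (ENOENT when the
 * kernel exposes no SELinux attr files at all). */
static int set_sockcreate_context(const char *ctx)
{
    int fd = open(SOCKCREATE_ATTR, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = ctx ? write(fd, ctx, strlen(ctx) + 1) : write(fd, NULL, 0);
    int saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;
        return -1;
    }
    return 0;
}

/* Create a labelled TCP listener on 127.0.0.1:port (port 0 = ephemeral).
 * The label is captured inside socket(), so it must already be set at that
 * call; setting it afterwards leaves the existing socket unchanged, and the
 * children accept() hands out derive their label from the listener.
 * Returns the listening fd, or -1 with errno set. */
static int create_labeled_listener(const char *ctx, uint16_t port, int backlog)
{
    if (ctx && set_sockcreate_context(ctx) < 0)
        return -1;

    int fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
    int saved = errno;

    /* Clear the attribute immediately so unrelated sockets created later by
     * this thread do not silently inherit the listener's label. */
    if (ctx)
        set_sockcreate_context(NULL);
    if (fd < 0) {
        errno = saved;
        return -1;
    }

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        listen(fd, backlog) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Port the listener actually bound to (useful after asking for port 0). */
static int listener_port(int fd)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0)
        return -1;
    return ntohs(addr.sin_port);
}

/* Read the socket's own label, the value 'netstat -Z' reports.  Returns the
 * label length, or -1 (errno ENOTSUP when SELinux is not active). */
static ssize_t socket_context(int fd, char *buf, size_t len)
{
    ssize_t n = fgetxattr(fd, "security.selinux", buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

int main(int argc, char **argv)
{
    /* argv[1] is a placeholder for whatever context the policy expects for
     * this listener; there is no real policy behind it in this example. */
    const char *ctx = argc > 1 ? argv[1] : NULL;
    int fd = create_labeled_listener(ctx, 0, 16);
    if (fd < 0) {
        perror("create_labeled_listener");
        return 1;
    }
    char label[256];
    if (socket_context(fd, label, sizeof label) < 0)
        snprintf(label, sizeof label, "(unavailable: %s)", strerror(errno));
    printf("listening on 127.0.0.1:%d with label %s\n", listener_port(fd), label);
    close(fd);
    return 0;
}
```

On an SELinux host where the calling domain holds the process `setsockcreate` permission, running it with a context argument prints the label the listener was created with, which is the same value `netstat -Z` displays; without an argument (or on a kernel without SELinux) it still creates the listener and reports that no label is available. Clearing the attribute right after socket() is deliberate: the sockcreate attribute is per thread and sticky, so leaving it set would label every later socket from that thread, not just the one intended.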