On Mon, Jan 29, 2024 at 2:49 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
> unix_socket test is failing because type_transition rule is not being
> applied to newly created server socket, leading to a denial when the
> client tries to connect. I believe that once worked; will see if I can
> find the last working kernel.

If we had a socket type transition on new connections I think it would have been a *long* time ago. I don't recall us supporting that, but it's possible I've simply forgotten.

That isn't to say I wouldn't support something like that, it could be interesting, but we would want to make sure it applies to all connection-based sockets and not just AF_UNIX. Although for the vast majority of users it would probably only be useful for AF_UNIX as you would need a valid peer label to do a meaningful transition.

I would need to chase down the code paths for AF_UNIX, but for AF_INET/AF_INET6 I expect you would need to augment selinux_inet_conn_request() with the security_transition_sid() call. Possibly something like this (completely untested, likely broken, etc.) ...

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a6bf90ace84c..1c6a92173596 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5524,7 +5524,10 @@ static int selinux_inet_conn_request(const struct sock *s k, struct sk_buff *skb,
 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
 	if (err)
 		return err;
-	req->secid = connsid;
+	err = security_transition_sid(sksec->sid, connsid, sksec->sclass, NULL,
+				      &req->secid);
+	if (err)
+		return err;
 	req->peer_secid = peersid;
 
 	return selinux_netlbl_inet_conn_request(req, family);

-- 
paul-moore.com
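Review bot: the replaced line `req->secid = connsid;` stored the SID that selinux_conn_sid() derived from sksec->sid and peersid, while the new security_transition_sid() call uses sksec->sid as the source and connsid only as the target of the lookup, so the hunk needs to confirm that, when no type_transition rule matches, the computed SID still equals connsid rather than one derived from the listening socket alone; otherwise the peer-derived part of connsid is dropped for every policy without such a rule. It would also help to state in the commit text that this only covers the AF_INET/AF_INET6 request path, since the message itself notes the AF_UNIX path would need separate handling.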