On Mon, Jan 29, 2024 at 4:56 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> On Mon, Jan 29, 2024 at 2:49 PM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> > unix_socket test is failing because type_transition rule is not being
> > applied to newly created server socket, leading to a denial when the
> > client tries to connect. I believe that once worked; will see if I can
> > find the last working kernel.
>
> If we had a socket type transition on new connections I think it would
> have been a *long* time ago. I don't recall us supporting that, but
> it's possible I've simply forgotten.
>
> That isn't to say I wouldn't support something like that, it could be
> interesting, but we would want to make sure it applies to all
> connection based sockets and not just AF_UNIX. Although for the vast
> majority of users it would probably only be useful for AF_UNIX as you
> would need a valid peer label to do a meaningful transition.

Sorry, I probably wasn't clear. I mean that the Unix socket files are NOT being labeled in accordance with the type_transition rules in policy. Which does work on local file systems and used to work on NFS, so this is a regression at some point (but not new to Ondrej's patch).
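A check for the symptom described in this thread, added here as an example and not code from the thread or from the SELinux test suite: it binds an AF_UNIX socket in a chosen directory (e.g. an NFS mount) and reads the socket file's label from the `security.selinux` xattr, so the type component can be compared with what the policy's type_transition rule should have produced. The expected type is an assumption supplied by the caller; on a host without SELinux labels the comparison returns None rather than a verdict.

```python
import os
import socket
import stat
import tempfile

SELINUX_XATTR = "security.selinux"


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    if not context:
        return None
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def file_context(path):
    """Read the SELinux label of path; None if labels cannot be read here."""
    getxattr = getattr(os, "getxattr", None)  # Linux only
    if getxattr is None:
        return None
    try:
        raw = getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError:  # ENODATA / ENOTSUP: no SELinux label on this file
        return None
    return raw.decode().rstrip("\x00")


def bind_and_inspect(directory, name="server.sock"):
    """Create a listening AF_UNIX socket file in directory, record its
    label, then remove it. Returns what a type_transition check needs."""
    path = os.path.join(directory, name)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)  # this is the step that creates the socket inode
        srv.listen(1)
        is_socket = stat.S_ISSOCK(os.lstat(path).st_mode)
        ctx = file_context(path)
    finally:
        srv.close()
        if os.path.lexists(path):
            os.unlink(path)
    return {"path": path, "is_socket": is_socket, "removed": not os.path.lexists(path),
            "context": ctx, "type": selinux_type(ctx)}


def transition_applied(directory, expected_type):
    """True/False if the new socket file's type could be compared with the
    caller's expected type; None when no SELinux label was readable."""
    observed = bind_and_inspect(directory)["type"]
    return None if observed is None else observed == expected_type


def demo_in_tempdir():
    """Run the check in a fresh temporary directory (constructed input)."""
    with tempfile.TemporaryDirectory() as d:
        return bind_and_inspect(d)
```

Point `bind_and_inspect` at a directory on the filesystem under test and compare `type` with the target type named in the relevant type_transition rule; a local-filesystem run gives the reference result to set beside the NFS run.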