On Tue, Jan 30, 2024 at 10:44 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
> On Mon, Jan 29, 2024 at 4:56 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> >
> > On Mon, Jan 29, 2024 at 2:49 PM Stephen Smalley
> > <stephen.smalley.work@xxxxxxxxx> wrote:
> > > unix_socket test is failing because type_transition rule is not being
> > > applied to newly created server socket, leading to a denial when the
> > > client tries to connect. I believe that once worked; will see if I can
> > > find the last working kernel.
> >
> > If we had a socket type transition on new connections I think it would
> > have been a *long* time ago. I don't recall us supporting that, but
> > it's possible I've simply forgotten.
> >
> > That isn't to say I wouldn't support something like that, it could be
> > interesting, but we would want to make sure it applies to all
> > connection based sockets and not just AF_UNIX. Although for the vast
> > majority of users it would probably only be useful for AF_UNIX as you
> > would need a valid peer label to do a meaningful transition.
>
> Sorry, I probably wasn't clear. I mean that the Unix socket files are
> NOT being labeled in accordance with the type_transition rules in
> policy. Which does work on local file systems and used to work on NFS,
> so this is a regression at some point (but not new to Ondrej's patch).

Ah, gotcha. I guess I'm not too surprised, the sock/socket/inode labeling
and duplication has always been very awkward and it wouldn't surprise me
if we inadvertently broke something over the years.

Tracking down the source of the breakage is good, but if that is taking
too long (I can only imagine how long that might take), I would be happy
with a fix with a number of comment additions warning future devs against
changing the relevant code.

-- 
paul-moore.com
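The regression Stephen describes is about the sock_file inode that bind() creates for an AF_UNIX socket not receiving the type that a type_transition rule in policy prescribes. The following C program is an added example, not code from this thread, from the kernel or from the selinux-testsuite, showing the check a practitioner would run to confirm or rule out that behaviour on a given filesystem: it binds a server socket, reads the resulting sock_file's security.selinux xattr and compares the type field with the expected one. The policy rule and the type names (test_unix_server_t, test_dir_t, test_unix_sock_t) are hypothetical assumptions; it is Linux-only (sys/xattr.h), and only a host with SELinux enabled and a matching rule loaded will produce result 1. Elsewhere it reports -1 (no label available) or 0 (labeled, but not as expected, which is the symptom from the thread).

```c
/* Added example (not kernel or selinux-testsuite code). Assumed, hypothetical
 * policy rule under test:
 *   type_transition test_unix_server_t test_dir_t:sock_file test_unix_sock_t;
 * Run as a process in test_unix_server_t with the socket in a test_dir_t dir.
 * Linux-only: relies on the security.selinux xattr. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/xattr.h>

/* Copy the type field of a context "user:role:type[:range]" into out.
 * Returns 0 on success, -1 if the context is malformed or out is too small. */
int context_type(const char *ctx, char *out, size_t outlen)
{
    const char *p = ctx;
    for (int i = 0; i < 2; i++) {        /* skip the user and role fields */
        p = strchr(p, ':');
        if (!p)
            return -1;
        p++;
    }
    const char *end = strchr(p, ':');    /* the MLS range is optional */
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* 1 if the type field of ctx equals type, else 0. */
int type_equals(const char *ctx, const char *type)
{
    char t[256];
    return context_type(ctx, t, sizeof t) == 0 && strcmp(t, type) == 0;
}

/* Bind an AF_UNIX stream socket at path, then read the sock_file's label.
 * Returns  1: label type equals expected_type (type_transition applied)
 *          0: sock_file is labeled, but with another type (the bug in the thread)
 *         -1: no SELinux label readable (SELinux off, or fs without security xattrs)
 *         -2: socket() or bind() failed */
int check_sock_file_label(const char *path, const char *expected_type,
                          char *got, size_t gotlen)
{
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof addr.sun_path)
        return -2;
    snprintf(addr.sun_path, sizeof addr.sun_path, "%s", path);

    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -2;
    unlink(path);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        close(fd);
        return -2;
    }
    /* The sock_file inode, and thus its label, is created by bind(); inspect it
     * before any client connects, since the denial only shows up at connect(). */
    ssize_t n = lgetxattr(path, "security.selinux", got, gotlen - 1);
    close(fd);
    unlink(path);
    if (n < 0) {
        got[0] = '\0';
        return -1;
    }
    got[n] = '\0';   /* the kernel's value may already carry a trailing NUL */
    return type_equals(got, expected_type) ? 1 : 0;
}

static char last_label[256];   /* label read by the most recent demo() run */

/* Run the check in a fresh temporary directory (constructed input) and return
 * the check_sock_file_label result code. */
int demo(void)
{
    char dir[] = "/tmp/sockchkXXXXXX";
    if (!mkdtemp(dir))
        return -2;
    char path[sizeof dir + 16];
    snprintf(path, sizeof path, "%s/server.sock", dir);
    int r = check_sock_file_label(path, "test_unix_sock_t",
                                  last_label, sizeof last_label);
    rmdir(dir);
    return r;
}

int main(void)
{
    int r = demo();
    printf("result %d, sock_file label: %s\n", r,
           last_label[0] ? last_label : "(none)");
    return r == 1 ? 0 : 1;
}
```

To reproduce the thread's comparison, run it once with the socket directory on a local filesystem and once on an NFS mount with labeling support; a 1 on the former and a 0 on the latter is exactly the discrepancy Stephen reports.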