Re: socket activation selinux context on create

I've tested setting the type of the port using semanage port -a;
however, when I start the service netstat still shows the type as
init_t. I don't know of any other way to get a type transition of a
socket to happen, do you? I've also posted to the selinux list but
haven't gotten any responses yet.

Ted

On Thu, Aug 25, 2022 at 4:19 AM Lennart Poettering
<lennart@xxxxxxxxxxxxxx> wrote:
>
> On Wed, 24.08.22 11:50, Ted Toth (txtoth@xxxxxxxxx) wrote:
>
> > I don't see a way to set the context of the socket that systemd
> > listens on. If there is a way to do this please tell me; otherwise I'd
> > like to see an option (SELinuxCreateContext?) added to be able to set
> > the context (setsockcreatecon) to be used by systemd when creating the
> > socket. Currently, as an extra layer of security, I add code called in
> > the socket activation ExecStartPre process to check that the source
> > context (peercon) can connect to the target context (getcon). If a
> > socket's context was set by systemd I would have to perform this
> > additional check as my SELinux policy would do it for me.
>
> This was proposed before, but SELinux maintainers really want the
> loaded selinux policy to pick the label, and not unit files.
>
> i.e. as I understand their philosophy: how labels are assigned should
> be encoded in the database and in the policy but not elsewhere,
> i.e. in unit files. I think that philosophy does make sense.
>
> Lennart
>
> --
> Lennart Poettering, Berlin
