I'm testing a runner of a patch but what I'm seeing is setsockcreatecon called (in a sd-listen process) with the context I've set using 'semanage port -t' but then when I look at the listening socket context (netstat -Z) it is still init_t and not the type set by setsockcreatecon. I'm not clear about how systemd uses a child process (sd-listen) to create a listening socket and whether the socket context persists across the processes, can someone explain this to me? Ted On Tue, Sep 6, 2022 at 4:51 PM Ted Toth <txtoth@xxxxxxxxx> wrote: > > I think I figured out how to add libsemanage to the link, when you see > the patch you can tell me if I did it right. > > On Tue, Sep 6, 2022 at 11:46 AM Ted Toth <txtoth@xxxxxxxxx> wrote: > > > > I'm working on a patch and adding a function to selinux_util.c which > > calls libsemanage functions but I don't know how to add this library > > to the link of the systemd (libsystemd-shared-<version>.so) shared > > library as I'm not familiar with the build, how do I do this? > > Also a lot of the semanage functions on failure do not set errno so > > how should I log these failures, i.e. which log_ function should I > > call? > > > > Ted > > > > On Fri, Sep 2, 2022 at 9:13 AM Lennart Poettering > > <lennart@xxxxxxxxxxxxxx> wrote: > > > > > > On Fr, 02.09.22 09:04, Ted Toth (txtoth@xxxxxxxxx) wrote: > > > > > > > I have set the type for the port in question using the 'semanage port' > > > > command so the loaded policy has a type which systemd should use when > > > > calling setsockcreatecon. It is my opinion that > > > > socket_determine_selinux_label function should query policy for the > > > > port type and if it has been set use it and if not fallback to its > > > > current behavior. > > > > > > Sure, patch very welcome. > > > > > > SELinux code really requires external contributions, none of the core > > > developers know SELinux too well to do feel confident to implement > > > that. > > > > > > (consider filing an RFE issue on github, so that this is tracked) > > > > > > Lennart > > > > > > -- > > > Lennart Poettering, Berlin
Re: socket activation selinux context on create
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: socket activation selinux context on create
- From: Ted Toth <txtoth@xxxxxxxxx>
- Date: Wed, 7 Sep 2022 13:28:21 -0500
- Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
- In-reply-to: <CAFPpqQGRg+Fn1GheZ0LGNfw1tgmRYoDADoeASbonDPpmD2dNAA@mail.gmail.com>
- References: <CAFPpqQHS_v7gqXsdCpE3LXA4JzL=-K0U7Q9jiGY5EqT6XCoQbg@mail.gmail.com> <Ywc+pjOFkAEswVuQ@gardel-login> <CAFPpqQHpAoj7shew5LZJEoRHnJ-_FiDOX8fuVNW0cokZH=oKhg@mail.gmail.com> <YxIPmRMbIwbOTNW3@gardel-login> <CAFPpqQGL=VDohfEe1_dAJ-_PDof-6DLaHOm6DVrFiwvzO5-gHw@mail.gmail.com> <CAFPpqQGRg+Fn1GheZ0LGNfw1tgmRYoDADoeASbonDPpmD2dNAA@mail.gmail.com>
- References:
- socket activation selinux context on create
- From: Ted Toth
- Re: socket activation selinux context on create
- From: Lennart Poettering
- Re: socket activation selinux context on create
- From: Ted Toth
- Re: socket activation selinux context on create
- From: Lennart Poettering
- Re: socket activation selinux context on create
- From: Ted Toth
- Re: socket activation selinux context on create
- From: Ted Toth
- socket activation selinux context on create
- Prev by Date: Stuck mount units
- Next by Date: systemd automount unit: run only when server is reachable
- Previous by thread: Re: socket activation selinux context on create
- Next by thread: Ordering units and targets with devices
- Index(es):
 |