Linux Archive

Linux Archive (
-   Fedora SELinux Support (
-   -   Fwd: talking to mcstrans in MLS enforcing on rhel6 beta (

Xavier Toth 05-12-2010 03:39 PM

Fwd: talking to mcstrans in MLS enforcing on rhel6 beta
---------- Forwarded message ----------
From: Xavier Toth <>
Date: Wed, May 12, 2010 at 10:38 AM
Subject: Re: talking to mcstrans in MLS enforcing on rhel6 beta
To: Stephen Smalley <>

On Tue, May 11, 2010 at 4:13 PM, Stephen Smalley <> wrote:
> On Tue, 2010-05-11 at 11:10 -0500, Xavier Toth wrote:
>> I'm a bit confused about something. mcstransd creates a socket and
>> through a transition rule it get labeled setrans_var_run_t (this is
>> also the type used with mls_trusted_object in the setrans policy)
>> however when other apps try and connect to it the target context type
>> is setrans_t which of course isn't trusted so no one can connect. As
>> an experiment I added setrans_t as a mls trusted object and then other
>> apps could connect. Not sure where the target context comes from on
>> connectto because the socket file is label setrans_var_run_t on the
>> disk. Something needs fixing just not sure what. Doesn't seem right to
>> add 'mls_trusted_object(setrans_t)'.
> When you create and bind a Unix domain socket in the file system
> namespace (as opposed to the abstract namespace), there are two objects:
> the socket itself (created upon the socket call, labeled with the label
> of the creating process), and the file (created upon the bind call,
> labeled in accordance with the usual file labeling behavior).
> Connecting to such a socket requires both write access to the file and
> connectto permission to the socket. *So connectto is a socket-to-socket
> (which looks like process-to-process since sockets are labeled based on
> creating process and act as proxies/queues between processes) check.
> --
> Stephen Smalley
> National Security Agency

So mls_trusted_object(setrans_t) needs to be added.
selinux mailing list

All times are GMT. The time now is 10:16 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.