Linux Archive (http://www.linux-archive.org/)
-   Fedora SELinux Support (http://www.linux-archive.org/fedora-selinux-support/)
-   -   Fwd: talking to mcstrans in MLS enforcing on rhel6 beta (http://www.linux-archive.org/fedora-selinux-support/370148-fwd-talking-mcstrans-mls-enforcing-rhel6-beta.html)

Xavier Toth 05-12-2010 03:39 PM

Fwd: talking to mcstrans in MLS enforcing on rhel6 beta
 
---------- Forwarded message ----------
From: Xavier Toth <txtoth@gmail.com>
Date: Wed, May 12, 2010 at 10:38 AM
Subject: Re: talking to mcstrans in MLS enforcing on rhel6 beta
To: Stephen Smalley <sds@tycho.nsa.gov>


On Tue, May 11, 2010 at 4:13 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Tue, 2010-05-11 at 11:10 -0500, Xavier Toth wrote:
>> I'm a bit confused about something. mcstransd creates a socket and
>> through a transition rule it gets labeled setrans_var_run_t (this is
>> also the type used with mls_trusted_object in the setrans policy);
>> however, when other apps try and connect to it the target context type
>> is setrans_t which of course isn't trusted so no one can connect. As
>> an experiment I added setrans_t as a mls trusted object and then other
>> apps could connect. Not sure where the target context comes from on
>> connectto because the socket file is labeled setrans_var_run_t on the
>> disk. Something needs fixing, just not sure what. Doesn't seem right to
>> add 'mls_trusted_object(setrans_t)'.
>
> When you create and bind a Unix domain socket in the file system
> namespace (as opposed to the abstract namespace), there are two objects:
> the socket itself (created upon the socket call, labeled with the label
> of the creating process), and the file (created upon the bind call,
> labeled in accordance with the usual file labeling behavior).
> Connecting to such a socket requires both write access to the file and
> connectto permission to the socket. So connectto is a socket-to-socket
> (which looks like process-to-process since sockets are labeled based on
> creating process and act as proxies/queues between processes) check.
>
> --
> Stephen Smalley
> National Security Agency
>
>

So mls_trusted_object(setrans_t) needs to be added.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
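Stephen's two-object explanation, written out as an added reference-policy fragment. This is not code from the thread or from refpolicy's own setrans module; it re-declares the setrans types only to show which object each rule applies to, and the client domain `myclient_t` is an assumed placeholder.

```selinux
policy_module(setrans_connect_example, 1.0)

########################################
#
# Declarations (illustrative; the real types live in refpolicy's setrans module)
#

# The daemon's process domain. The listening socket created by socket(2)
# carries this label, because a socket is labeled with the creating process.
type setrans_t;
type setrans_exec_t;
init_daemon_domain(setrans_t, setrans_exec_t)

# The sock_file created by bind(2) under /var/run is labeled by the usual
# file labeling rules (file_contexts / type transition), not by the process.
type setrans_var_run_t;
files_pid_file(setrans_var_run_t)

# Hypothetical client domain used only for this example.
type myclient_t;
domain_type(myclient_t)

########################################
#
# MLS: a connect from another level touches BOTH objects, so both must be trusted.
#

# Satisfies the MLS constraint on the sock_file write (file object).
mls_trusted_object(setrans_var_run_t)
# Satisfies the MLS constraint on connectto (socket object, labeled setrans_t).
mls_trusted_object(setrans_t)

########################################
#
# Type enforcement: the two permissions a client needs to connect.
#

# 1. write access to the sock_file in the filesystem namespace
files_search_pids(myclient_t)
allow myclient_t setrans_var_run_t:sock_file write;

# 2. connectto on the daemon's listening socket (socket-to-socket check)
allow myclient_t setrans_t:unix_stream_socket connectto;
```

A denial on either check shows up separately in the audit log: the first as `tclass=sock_file` against setrans_var_run_t, the second as `tclass=unix_stream_socket` against setrans_t, which is how the two objects can be told apart when debugging.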

