Fwd: talking to mcstrans in MLS enforcing on rhel6 beta
-----BEGIN PGP SIGNED MESSAGE-----
On 05/12/2010 11:39 AM, Xavier Toth wrote:
> ---------- Forwarded message ----------
> From: Xavier Toth <firstname.lastname@example.org>
> Date: Wed, May 12, 2010 at 10:38 AM
> Subject: Re: talking to mcstrans in MLS enforcing on rhel6 beta
> To: Stephen Smalley <email@example.com>
> On Tue, May 11, 2010 at 4:13 PM, Stephen Smalley <firstname.lastname@example.org> wrote:
>> On Tue, 2010-05-11 at 11:10 -0500, Xavier Toth wrote:
>>> I'm a bit confused about something. mcstransd creates a socket and
>>> through a transition rule it get labeled setrans_var_run_t (this is
>>> also the type used with mls_trusted_object in the setrans policy)
>>> however when other apps try and connect to it the target context type
>>> is setrans_t which of course isn't trusted so no one can connect. As
>>> an experiment I added setrans_t as a mls trusted object and then other
>>> apps could connect. Not sure where the target context comes from on
>>> connectto because the socket file is label setrans_var_run_t on the
>>> disk. Something needs fixing just not sure what. Doesn't seem right to
>>> add 'mls_trusted_object(setrans_t)'.
>> When you create and bind a Unix domain socket in the file system
>> namespace (as opposed to the abstract namespace), there are two objects:
>> the socket itself (created upon the socket call, labeled with the label
>> of the creating process), and the file (created upon the bind call,
>> labeled in accordance with the usual file labeling behavior).
>> Connecting to such a socket requires both write access to the file and
>> connectto permission to the socket. So connectto is a socket-to-socket
>> (which looks like process-to-process since sockets are labeled based on
>> creating process and act as proxies/queues between processes) check.
>> Stephen Smalley
>> National Security Agency
> So mls_trusted_object(setrans_t) needs to be added.
> selinux mailing list
selinux-policy-3.7.19-15.el6 should have this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/