rpms/xinetd/devel xinetd-2.3.14-label.patch, NONE, 1.1 xinetd.spec, 1.32, 1.33

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Aug 23 22:17:36 UTC 2006


Author: sgrubb

Update of /cvs/dist/rpms/xinetd/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv3020

Modified Files:
	xinetd.spec 
Added Files:
	xinetd-2.3.14-label.patch 
Log Message:
* Wed Aug 23 2006 Steve Grubb <sgrubb at redhat.com> 2:2.3.14-4
- Added labeled networking patch


xinetd-2.3.14-label.patch:
 config.h.in            |    1 
 configure.in           |   28 +++++++++++++++++++
 xinetd/child.c         |   69 +++++++++++++++++++++++++++++++++++++++++++++++++
 xinetd/main.c          |    5 ++-
 xinetd/nvlists.c       |    1 
 xinetd/sconf.h         |    2 +
 xinetd/xinetd.conf.man |    3 ++
 7 files changed, 108 insertions(+), 1 deletion(-)

--- NEW FILE xinetd-2.3.14-label.patch ---
diff -urNp xinetd-2.3.14.orig/config.h.in xinetd-2.3.14/config.h.in
--- xinetd-2.3.14.orig/config.h.in	2006-06-16 13:20:01.000000000 -0400
+++ xinetd-2.3.14/config.h.in	2006-08-23 17:26:04.000000000 -0400
@@ -112,6 +112,7 @@
 /* Options */
 #undef HAVE_LIBWRAP
 #undef LIBWRAP
+#undef LABELED_NET
 
 #undef HAVE_LOADAVG
 
diff -urNp xinetd-2.3.14.orig/configure.in xinetd-2.3.14/configure.in
--- xinetd-2.3.14.orig/configure.in	2006-06-16 13:20:01.000000000 -0400
+++ xinetd-2.3.14/configure.in	2006-08-23 17:26:04.000000000 -0400
@@ -289,6 +289,34 @@ AC_ARG_WITH(libwrap,
 	AC_MSG_RESULT(no)
 )
 
+AC_MSG_CHECKING(whether to use labeled-networking)
+AC_ARG_WITH(labeled-networking,
+[  --with-labeled-networking[=PATH]   Compile in labeled networking support.],
+[ case "$withval" in
+	no)
+		AC_MSG_RESULT(no)
+		;;
+	yes)
+		AC_MSG_RESULT(yes)
+		AC_CHECK_LIB(selinux, setexeccon, [
+			AC_DEFINE(LABELED_NET)
+			LABELLIBS="-lselinux" ])
+		LIBS="$LABELLIBS $LIBS"
+		;;
+	*)
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(LABELED_NET)
+		if test -d "$withval"; then
+			LABELLIBS="-L$withval -lselinux"
+		else
+			LABELLIBS="$withval"
+		fi
+		LIBS="$LABELLIBS $LIBS"
+		;;
+	esac ],
+	AC_MSG_RESULT(no)
+)
+
 AC_FUNC_MMAP
 
 AC_CHECK_FUNCS(isatty)
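Review bot: In the `yes)` branch AC_MSG_RESULT(yes) is printed before AC_CHECK_LIB runs and the check has no action-if-not-found, so when libselinux is absent configure reports yes but LABELED_NET stays undefined and the build silently lacks a feature that was explicitly requested. Give the check a failing branch: `AC_CHECK_LIB(selinux, setexeccon, [AC_DEFINE(LABELED_NET) LABELLIBS="-lselinux"], [AC_MSG_ERROR([labeled-networking requested but libselinux was not found])])`. The `*)` branch defines LABELED_NET without any library check at all; running the same AC_CHECK_LIB with the link flags derived from $withval would catch a wrong path at configure time instead of at link time.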
diff -urNp xinetd-2.3.14.orig/xinetd/child.c xinetd-2.3.14/xinetd/child.c
--- xinetd-2.3.14.orig/xinetd/child.c	2006-06-16 13:20:01.000000000 -0400
+++ xinetd-2.3.14/xinetd/child.c	2006-08-23 17:27:22.000000000 -0400
@@ -31,6 +31,9 @@
 #ifdef HAVE_NETDB_H
 #include <netdb.h>
 #endif
+#ifdef LABELED_NET
+#include <selinux/selinux.h>
+#endif
 
 #include "str.h"
 #include "child.h"
@@ -44,6 +47,12 @@
 #include "options.h"
 #include "redirect.h"
 
+/* Local declarations */
+#ifdef LABELED_NET
+static int set_exec_context_from_socket( int fd );
+#endif
+
+
 /*
  * This function is running in the new process
  */
@@ -143,6 +152,19 @@ void exec_server( const struct server *s
    }
 #endif
 
+   /*
+      Set the context if the option was given
+   */
+#ifdef LABELED_NET
+   if (SC_LABELED_NET(scp))
+   {
+      if (set_exec_context_from_socket( descriptor ) < 0)
+         msg( LOG_ERR, func,
+             "Changing process context failed for %s", SC_NAME( scp )) ;
+         _exit( 1 ) ;
+   }
+#endif
+
    (void) Sclose( descriptor ) ;
 
 #ifndef solaris
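Review bot: The failure check after set_exec_context_from_socket() has no braces, so `_exit( 1 ) ;` on the following line runs unconditionally and every service flagged LABELED exits before the exec, whether or not the context change succeeded. Brace the block: `if (set_exec_context_from_socket( descriptor ) < 0) { msg( LOG_ERR, func, "Changing process context failed for %s", SC_NAME( scp )) ; _exit( 1 ) ; }`. Exiting on a failed context change is the right fail-closed behaviour; only the successful path should fall through to the Sclose() below. exec_server's body starts and ends outside this hunk.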
@@ -461,3 +483,50 @@ void child_exit(void)
    }
 }
 
+#ifdef LABELED_NET
+static int get_context_from_socket(int fd, char *buffer, unsigned int *buflen)
+{
+   const char *func = "get_context_from_socket" ;
+
+   int retval = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buffer, buflen);
+   
+   if ( debug.on )
+   {
+     if (retval)
+	msg( LOG_DEBUG, func, 
+	     "error getting context of fd %d: %s", fd, strerror(errno));
+     else
+	msg( LOG_DEBUG, func, 
+	     "got context for fd %d: %s", fd, buffer);
+   }
+     
+   return retval;
+}
+
+static int set_exec_context_from_socket( int fd )
+{
+   const char *func = "set_exec_context_from_socket" ;
+
+   char buffer[255];
+   unsigned int buflen = 255;
+
+   if (get_context_from_socket(fd, buffer, &buflen))
+      return -1;
+
+   int retval = setexeccon(buffer);
+
+   if (debug.on)
+   {
+      security_context_t current_exec_context;
+      getexeccon( &current_exec_context );
+
+      msg( LOG_DEBUG, func, 
+	   "current security exec context now: %s", 
+	   current_exec_context);
+
+      freecon( current_exec_context );
+   }
+
+   return retval;
+}
+#endif
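Review bot: In set_exec_context_from_socket the debug branch passes current_exec_context to msg() and freecon() without checking the getexeccon() return value, so on failure a pointer that may never have been set is used, and a NULL result (getexeccon reports "no exec context set" that way) reaches the %s conversion. Initialize it and guard the logging: `security_context_t current_exec_context = NULL;` followed by `if ( getexeccon( &current_exec_context ) == 0 && current_exec_context != NULL )` around the msg()/freecon() pair. A smaller nit in get_context_from_socket: buflen is declared `unsigned int *` while getsockopt takes `socklen_t *`; declaring the length as `socklen_t` in both functions avoids a mismatch on platforms where the two types differ.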
diff -urNp xinetd-2.3.14.orig/xinetd/main.c xinetd-2.3.14/xinetd/main.c
--- xinetd-2.3.14.orig/xinetd/main.c	2006-06-16 13:20:01.000000000 -0400
+++ xinetd-2.3.14/xinetd/main.c	2006-08-23 17:26:04.000000000 -0400
@@ -80,7 +80,10 @@ int main( int argc, char *argv[] )
 #ifdef HAVE_DNSREGISTRATION
    "rendezvous "
 #endif
-#if !defined(LIBWRAP) && !defined(HAVE_LOADAVG) && !defined(HAVE_MDNS) && !defined(HAVE_HOWL) && !defined(HAVE_DNSREGISTRATION)
+#ifdef LABELED_NET
+   "labeled-networking "
+#endif
+#if !defined(LIBWRAP) && !defined(HAVE_LOADAVG) && !defined(HAVE_MDNS) && !defined(HAVE_HOWL) && !defined(HAVE_DNSREGISTRATION) && !defined(LABELED_NET)
    "no "
 #endif
    "options compiled in."
diff -urNp xinetd-2.3.14.orig/xinetd/nvlists.c xinetd-2.3.14/xinetd/nvlists.c
--- xinetd-2.3.14.orig/xinetd/nvlists.c	2006-06-16 13:20:01.000000000 -0400
+++ xinetd-2.3.14/xinetd/nvlists.c	2006-08-23 17:26:04.000000000 -0400
@@ -47,6 +47,7 @@ const struct name_value service_flags[] 
       { "SENSOR",                     SF_SENSOR              },
       { "IPv4",                       SF_IPV4                },
       { "IPv6",                       SF_IPV6                },
+      { "LABELED",                    SF_LABELED             },
       { CHAR_NULL,                    0                      }
    } ;
 
diff -urNp xinetd-2.3.14.orig/xinetd/sconf.h xinetd-2.3.14/xinetd/sconf.h
--- xinetd-2.3.14.orig/xinetd/sconf.h	2006-06-16 13:20:01.000000000 -0400
+++ xinetd-2.3.14/xinetd/sconf.h	2006-08-23 17:26:04.000000000 -0400
@@ -58,6 +58,7 @@
 #define SF_SENSOR       9
 #define SF_IPV4         10
 #define SF_IPV6         11
+#define SF_LABELED      12
 
 /*
  * Values for log options
@@ -239,6 +240,7 @@ struct service_config
 #define SC_SENSOR( scp )          M_IS_SET( (scp)->sc_xflags, SF_SENSOR )
 #define SC_IPV4( scp )            M_IS_SET( (scp)->sc_xflags, SF_IPV4 )
 #define SC_IPV6( scp )            M_IS_SET( (scp)->sc_xflags, SF_IPV6 )
+#define SC_LABELED_NET( scp )     M_IS_SET( (scp)->sc_xflags, SF_LABELED )
 
 #define SC_IS_RPC( scp )         ( M_IS_SET( (scp)->sc_type, ST_RPC ) )
 #define SC_IS_INTERNAL( scp )    ( M_IS_SET( (scp)->sc_type, ST_INTERNAL ) )
diff -urNp xinetd-2.3.14.orig/xinetd/xinetd.conf.man xinetd-2.3.14/xinetd/xinetd.conf.man
--- xinetd-2.3.14.orig/xinetd/xinetd.conf.man	2006-06-16 13:20:01.000000000 -0400
+++ xinetd-2.3.14/xinetd/xinetd.conf.man	2006-08-23 17:26:04.000000000 -0400
@@ -145,6 +145,9 @@ Sets the service to be an IPv4 service (
 .B IPv6
 Sets the service to be an IPv6 service (AF_INET6), if IPv6 is available on the system.
 .TP
+.B LABELED
+The LABELED flag will tell xinetd to change the child processes SE Linux context to match that of the incoming connection as it starts the service.
+.TP
 .B REUSE
 The REUSE flag is deprecated.  All services now implicitly use the REUSE flag.
 .RE


Index: xinetd.spec
===================================================================
RCS file: /cvs/dist/rpms/xinetd/devel/xinetd.spec,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- xinetd.spec	12 Jul 2006 08:54:06 -0000	1.32
+++ xinetd.spec	23 Aug 2006 22:17:33 -0000	1.33
@@ -4,7 +4,7 @@
 Summary: A secure replacement for inetd.
 Name: xinetd
 Version: 2.3.14
-Release: 3.1
+Release: 4
 License: Distributable (BSD-like)
 Group: System Environment/Daemons
 Epoch: 2
@@ -16,6 +16,7 @@
 Source99: filter-requires-xinetd.sh
 Patch0: xinetd-2.3.11-pie.patch
 Patch1: xinetd-2.3.12-tcp_rpc.patch
+Patch2: xinetd-2.3.14-label.patch
 Prereq: /sbin/chkconfig /etc/init.d /sbin/service
 %{!?tcp_wrappers:BuildRequires: tcp_wrappers}
 Requires: filesystem >= 2.0.1, initscripts, setup, fileutils
@@ -37,9 +38,13 @@
 %setup -q  
 %patch0 -p0 -b .pie
 %patch1 -p1 -b .tcp_rpc
+%patch2 -p1 -b .lspp
+
+aclocal
+autoconf
 
 %build
-%configure --with-loadavg --with-inet6 %{!?tcp_wrappers:--with-libwrap}
+%configure --with-loadavg --with-inet6 %{!?tcp_wrappers:--with-libwrap} --with-labeled-networking
 make
 
 %install
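Review bot: %configure now passes --with-labeled-networking and %prep runs aclocal and autoconf, but the spec adds no matching BuildRequires, so in a minimal buildroot the patch's AC_CHECK_LIB can fail without stopping the build and the package ships without the feature the changelog announces. Add `BuildRequires: libselinux-devel, autoconf, automake` next to the existing BuildRequires line. The resulting binary links against libselinux, which rpm's automatic dependency generation should pick up, but it is worth confirming on the built package.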
@@ -95,6 +100,9 @@
 %{_mandir}/*/*
 
 %changelog
+* Wed Aug 23 2006 Steve Grubb <sgrubb at redhat.com> 2:2.3.14-4
+- Added labeled networking patch
+
 * Wed Jul 12 2006 Jesse Keating <jkeating at redhat.com> - 2:2.3.14-3.1
 - rebuild
 



