
Re: FC5 - changing security context to sockets

On Sep 18, 2006, at 7:30 AM, Stephen Smalley wrote:

> As far as relabeling sockets is concerned, you could possibly use
> fsetfilecon(3), which is a wrapper for fsetxattr(3), since the VFS has a
> fallback for security attributes to the security module.

Would this work for unix domain but not IP sockets?

> However, relabeling in general is not desirable and should be minimized.  The
> goal is to label objects with the right context upon creation and keep
> them in that context for their lifetime.

In the CMW programming model I have more experience with, a multilevel
daemon would accept() and then set the new socket level to that of the
connecting peer so that both socket endpoints were at the same level.

What is the right way to do this?

> Newer kernels support a way to create a socket in a particular context
> via /proc/self/attr/sockcreate, and newer libselinux versions provide a
> function interface for setting this attribute, setsockcreatecon(3). But
> these would not be present in FC5, only in FC6.

Found in libselinux-1.30.28-1

joe
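An added example, not part of the thread and not libselinux's own code, showing the create-time approach Stephen points at: the accepting daemon reads the client's context with SO_PEERSEC (the getsockopt that getpeercon(3) wraps), derives the context it wants for sockets made on that client's behalf, and writes it to /proc/self/attr/sockcreate (what setsockcreatecon(3) does underneath), then clears it again when the client is done. The raw /proc and getsockopt calls are used so the file builds without libselinux-devel. The names write_proc_attr, get_peer_con, con_with_peer_range, label_sockets_for_peer and socketpair_demo are mine, and con_with_peer_range is only my rendering of the CMW rule joe describes (keep the daemon's own user:role:type, take the MLS range from the peer); it is not an SELinux convention, and the context it produces must still be one the running policy accepts.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_PEERSEC
#define SO_PEERSEC 31   /* Linux value; the getsockopt behind getpeercon(3) */
#endif
#define CON_MAX 256     /* ample for any SELinux context string */

/* Write /proc/self/attr/<name> ("sockcreate", ...); con == NULL clears it
 * with a zero-length write, which is what setsockcreatecon(NULL) does. */
static int write_proc_attr(const char *name, const char *con)
{
    char path[64];
    ssize_t n;
    int fd;
    snprintf(path, sizeof path, "/proc/self/attr/%s", name);
    if ((fd = open(path, O_WRONLY | O_CLOEXEC)) < 0)
        return -1;
    n = con ? write(fd, con, strlen(con) + 1) : write(fd, NULL, 0);
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Peer context of a connected stream socket; ENOPROTOOPT if no LSM supplies one. */
static int get_peer_con(int fd, char *buf, size_t len)
{
    socklen_t optlen = (socklen_t)len - 1;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, &optlen) < 0)
        return -1;
    buf[optlen] = '\0';
    return 0;
}

/* Pointer just past the n-th ':' in a context string, or NULL. */
static const char *after_colon(const char *s, int n)
{
    for (; *s; s++)
        if (*s == ':' && --n == 0)
            return s + 1;
    return NULL;
}

/* CMW-style level matching (my modelling of the thread, not an SELinux rule):
 * our user:role:type plus the peer's MLS range; no peer range keeps ours. */
static int con_with_peer_range(const char *self_con, const char *peer_con,
                               char *out, size_t len)
{
    const char *peer_range = after_colon(peer_con, 3);
    const char *self_range = after_colon(self_con, 3);
    size_t prefix;   /* bytes of self_con to keep, including the ':' */
    if (!peer_range || !*peer_range)
        return strlen(self_con) < len ? (strcpy(out, self_con), 0) : -1;
    prefix = self_range ? (size_t)(self_range - self_con) : strlen(self_con) + 1;
    if (prefix + strlen(peer_range) >= len)
        return -1;
    memcpy(out, self_con, prefix - 1);
    out[prefix - 1] = ':';
    strcpy(out + prefix, peer_range);
    return 0;
}

/* After accept(): sockets this process creates for the client from now on
 * (an upstream connection, say) are born with the client's level. self_con
 * is the daemon's own context (getcon(3) or /proc/self/attr/current). Needs
 * a kernel with sockcreate and process:setsockcreate permission in policy. */
static int label_sockets_for_peer(int client_fd, const char *self_con)
{
    char peer_con[CON_MAX], want[CON_MAX];
    if (get_peer_con(client_fd, peer_con, sizeof peer_con) < 0)
        return -1;
    if (con_with_peer_range(self_con, peer_con, want, sizeof want) < 0)
        return -1;                      /* context would not fit CON_MAX */
    return write_proc_attr("sockcreate", want);
}

/* Exercise the step over a constructed unix socketpair: 1 = sockcreate was
 * set (and cleared again), 0 = this kernel/policy declined, -1 = no socketpair. */
static int socketpair_demo(void)
{
    char self_con[CON_MAX];
    int sv[2], rc = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    /* both ends are ours, so the "peer" of sv[1] is this process itself */
    if (get_peer_con(sv[1], self_con, sizeof self_con) == 0 &&
        label_sockets_for_peer(sv[0], self_con) == 0) {
        write_proc_attr("sockcreate", NULL);   /* back to the default label */
        rc = 1;
    }
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    printf("socketpair demo: %d\n", socketpair_demo());
    return 0;
}
```

On an FC5 kernel the write to /proc/self/attr/sockcreate simply fails (the file is absent or rejects the attribute), which is the FC5/FC6 split Stephen describes; nothing is relabeled after the fact, so the accepted socket itself keeps the context it was created with. For unix-domain sockets SO_PEERSEC returns the peer process's context; for TCP it only returns something where labeled networking supplies a label, otherwise the call fails with ENOPROTOOPT and the daemon should fall back to its default label rather than guess one.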

