[redhat-lspp] new xinetd patch

Steve Grubb sgrubb at redhat.com
Thu Aug 24 13:36:44 UTC 2006


On Thursday 24 August 2006 08:42, Stephen Smalley wrote:
> At present, we don't have a parallel libselinux function for the
> SCM_SECURITY support for datagrams; not sure exactly what form that
> would take or whether it would be useful.

After looking into UDP packets, I found this documentation:

"With UDP, each read/write can have different peer and thus the security
context might change every time. As a result the security context retrieval 
must be done TOGETHER with the packet retrieval."

If this is true, it means that xinetd cannot do anything for UDP services 
since reading the socket is something done by the service and not xinetd. So, 
I think setting the LABELED flag on a UDP service should result in an error to 
warn the admin that xinetd cannot honor their config.

This also brings up another corner case, tcp wait services. In this 
configuration, the accept is done by the service. I think that xinetd should 
issue an error in this case as well to warn the admin that it cannot possibly 
honor this configuration either.

Comments?

-Steve
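The quoted documentation says the peer's security context for a datagram has to be fetched with the same read that delivers the packet. The example below, added here and not part of Steve's post or of xinetd itself, shows what that looks like on Linux: enable IP_PASSSEC on a UDP socket, then pull the SCM_SECURITY control message out of the same recvmsg() that returns the payload. The parser is exercised offline against a constructed control message (the context string "system_u:system_r:inetd_t:s0" is a made-up sample), and main() additionally sends one datagram over loopback to show whether this kernel delivers a label at all; on a kernel without LSM packet labeling the payload arrives with no SCM_SECURITY cmsg, which is the case the code reports rather than treats as an error.

```c
/* Added example (not xinetd code): per-datagram peer label retrieval on UDP.
 * The label rides as SCM_SECURITY ancillary data on the recvmsg() that
 * delivers the payload, so only the process that reads the socket can see it. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifndef IP_PASSSEC
#define IP_PASSSEC 18      /* Linux: ask for SCM_SECURITY cmsgs on this socket */
#endif
#ifndef SCM_SECURITY
#define SCM_SECURITY 0x03  /* Linux cmsg type carrying the sender's context */
#endif

/* Copy the SCM_SECURITY context of a received msghdr into label (NUL-terminated).
 * Returns the label length, 0 if no SCM_SECURITY cmsg is present, -1 if the
 * control data was truncated by the kernel or label is too small. */
static ssize_t extract_scm_security(struct msghdr *msg, char *label, size_t bufsz)
{
    struct cmsghdr *cmsg;
    if (msg->msg_flags & MSG_CTRUNC)
        return -1;
    for (cmsg = CMSG_FIRSTHDR(msg); cmsg != NULL; cmsg = CMSG_NXTHDR(msg, cmsg)) {
        if (cmsg->cmsg_level != SOL_IP || cmsg->cmsg_type != SCM_SECURITY)
            continue;
        size_t n = cmsg->cmsg_len - CMSG_LEN(0);
        while (n > 0 && CMSG_DATA(cmsg)[n - 1] == '\0')  /* context comes with a trailing NUL */
            n--;
        if (n + 1 > bufsz)
            return -1;
        memcpy(label, CMSG_DATA(cmsg), n);
        label[n] = '\0';
        return (ssize_t)n;
    }
    return 0;
}

/* Receive one datagram and, in the same call, its sender's label.
 * Returns payload bytes or -1; *label_len gets extract_scm_security()'s result. */
static ssize_t recv_labeled_dgram(int fd, char *buf, size_t bufsz,
                                  char *label, size_t labelsz, ssize_t *label_len)
{
    char ctrl[256];
    struct iovec iov = { .iov_base = buf, .iov_len = bufsz };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctrl, .msg_controllen = sizeof ctrl };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0)
        return -1;
    *label_len = extract_scm_security(&msg, label, labelsz);
    return n;
}

/* Constructed msghdr with one SCM_SECURITY cmsg, so the parser runs without SELinux. */
static void build_constructed_labeled_msg(struct msghdr *msg, char *ctrl, size_t ctrlsz,
                                          const char *ctx)
{
    size_t len = strlen(ctx) + 1;              /* mimic the kernel: NUL included */
    memset(msg, 0, sizeof *msg);
    memset(ctrl, 0, ctrlsz);
    msg->msg_control = ctrl;
    msg->msg_controllen = ctrlsz;
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(msg);
    cmsg->cmsg_level = SOL_IP;
    cmsg->cmsg_type = SCM_SECURITY;
    cmsg->cmsg_len = CMSG_LEN(len);
    memcpy(CMSG_DATA(cmsg), ctx, len);
    msg->msg_controllen = CMSG_SPACE(len);
}

/* 1 if the parser recovers a constructed (made-up) sample context exactly. */
static int selftest_constructed_label(void)
{
    static const char ctx[] = "system_u:system_r:inetd_t:s0";
    char ctrl[128], label[64];
    struct msghdr msg;
    build_constructed_labeled_msg(&msg, ctrl, sizeof ctrl, ctx);
    ssize_t n = extract_scm_security(&msg, label, sizeof label);
    return n == (ssize_t)strlen(ctx) && strcmp(label, ctx) == 0;
}

/* 1 if a label that does not fit is reported as -1 instead of silently cut. */
static int selftest_truncated_buffer(void)
{
    char ctrl[128], label[8];
    struct msghdr msg;
    build_constructed_labeled_msg(&msg, ctrl, sizeof ctrl, "system_u:system_r:inetd_t:s0");
    return extract_scm_security(&msg, label, sizeof label) == -1;
}

int main(void)
{
    /* Live probe over loopback: one datagram, read with IP_PASSSEC enabled. */
    int rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t sl = sizeof sa;
    int one = 1;
    if (rx < 0 || tx < 0 || bind(rx, (struct sockaddr *)&sa, sl) < 0 ||
        getsockname(rx, (struct sockaddr *)&sa, &sl) < 0) { perror("setup"); return 1; }
    if (setsockopt(rx, SOL_IP, IP_PASSSEC, &one, sizeof one) < 0)
        perror("IP_PASSSEC");  /* not fatal: the label simply will not be delivered */
    if (sendto(tx, "ping", 4, 0, (struct sockaddr *)&sa, sl) < 0) { perror("sendto"); return 1; }
    char buf[64], label[128];
    ssize_t llen, n = recv_labeled_dgram(rx, buf, sizeof buf, label, sizeof label, &llen);
    if (n < 0) { perror("recvmsg"); return 1; }
    if (llen > 0)
        printf("got %zd bytes, sender context: %s\n", n, label);
    else
        printf("got %zd bytes, no SCM_SECURITY cmsg (no LSM packet labeling on this kernel)\n", n);
    close(rx); close(tx);
    return 0;
}
```

Every datagram goes through recv_labeled_dgram() on its own, which is the practical consequence of the quoted rule: there is no socket-level "peer context" to query before or after the read, so a front end that never calls recvmsg() on the UDP socket has nothing to label or check.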
More information about the redhat-lspp mailing list