[redhat-lspp] Xinetd patches for selinux context configuration
Paul Moore
paul.moore at hp.com
Mon Dec 4 19:57:18 UTC 2006
On Wednesday 29 November 2006 5:08 pm, James Antill wrote:
> diff -rup xinetd-2.3.14-orig/xinetd/child.c xinetd-2.3.14/xinetd/child.c
> --- xinetd-2.3.14-orig/xinetd/child.c 2006-11-28 14:03:07.000000000
> -0500
> +++ xinetd-2.3.14/xinetd/child.c 2006-11-29 17:04:19.000000000 -0500
> @@ -33,6 +33,8 @@
> +static int set_context_from_socket( const struct service_config *scp,
> int fd )
> +{
> + security_context_t curr_context = NULL;
> + security_context_t peer_context = NULL;
> + security_context_t exec_context = NULL;
> + context_t bcon = NULL;
> + context_t pcon = NULL;
> + security_context_t new_context = NULL;
> + security_context_t new_exec_context = NULL;
> + int retval = -1;
> + const char *exepath = NULL;
> +
> + if (getcon(&curr_context) < 0)
> + goto fail;
> +
> + if (getpeercon(fd, &peer_context) < 0)
> + goto fail;
> +
> + exepath = SC_SERVER_ARGV( scp )[0];
> + if (getfilecon(exepath, &exec_context) < 0)
> + goto fail;
This turns out to be broken; the "exepath = ... " should be changed to the
following:
exepath = SC_SERVER( scp );
... or something similar; the issue is that "SC_SERVER_ARGV" does not return
the full path name, simply the "basename", and as a result the getfilecon()
call fails.
James, you can test this yourself using the following steps (it's really easy,
I promise!). Simply do the following:
1. Boot with a recent kernel (lspp.56 is what I used)
2. Enable telnet through xinetd and flip the "LABELED" flag
3. Enable NetLabel:
(if using targeted)
# netlabelctl -p cipsov4 add pass doi:1 tags:1
# netlabelctl -p map add domain:unconfined_t protocol:cipsov4,1
(if using mls and root)
# netlabelctl -p cipsov4 add pass doi:1 tags:1
# netlabelctl -p map add domain:staff_t protocol:cipsov4,1
4. Restart xinetd
5. Connect to the telnet server via localhost
6. Check the context of the telnet server
When done you can disable NetLabel by the following command:
# netlabelctl -p cipsov4 del doi:1
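The NetLabel setup and teardown from the steps above, wrapped into a small POSIX shell script as an added example (this is not code from the xinetd patch or from the thread). It assumes the same netlabelctl invocations and DOI 1 as the procedure, picks the map domain from the policy type (unconfined_t for targeted, staff_t for mls as root), and has a DRY_RUN mode that prints the commands instead of running them so the script can be reviewed without root or a NetLabel-capable kernel.

```shell
#!/bin/sh
# Added example: NetLabel enable/disable helper for the xinetd LABELED test.
# Not part of the xinetd patch or the mailing-list thread.
# DRY_RUN=1 prints each netlabelctl command instead of executing it.

: "${DRY_RUN:=0}"
DOI=1   # CIPSO DOI used in the test procedure above

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Domain to map onto the CIPSO DOI, by policy type (as in the procedure):
# targeted -> unconfined_t, mls (as root) -> staff_t. Unknown policy -> error.
netlabel_domain() {
    case "$1" in
        targeted) echo unconfined_t ;;
        mls)      echo staff_t ;;
        *)        return 1 ;;
    esac
}

# Step 3: add the pass-through CIPSO DOI and map the domain onto it.
netlabel_enable() {
    domain=$(netlabel_domain "$1") || {
        echo "netlabel_enable: unknown policy type '$1' (use targeted or mls)" >&2
        return 1
    }
    run netlabelctl -p cipsov4 add pass doi:"$DOI" tags:1
    run netlabelctl -p map add domain:"$domain" protocol:cipsov4,"$DOI"
}

# Cleanup: remove the DOI again once testing is done.
netlabel_disable() {
    run netlabelctl -p cipsov4 del doi:"$DOI"
}

# Usage: sh netlabel-test.sh enable targeted|mls   or   sh netlabel-test.sh disable
case "${1:-}" in
    enable)  netlabel_enable "${2:-targeted}" ;;
    disable) netlabel_disable ;;
esac
```

After `enable`, restart xinetd, telnet to localhost and compare the telnet server's context with the connecting process's context (steps 4 to 6); run `disable` when finished.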
--
paul moore
linux security @ hp