[redhat-lspp] Xinetd patches for selinux context configuration

Paul Moore paul.moore at hp.com
Mon Dec 4 19:57:18 UTC 2006


On Wednesday 29 November 2006 5:08 pm, James Antill wrote:
> diff -rup xinetd-2.3.14-orig/xinetd/child.c xinetd-2.3.14/xinetd/child.c
> --- xinetd-2.3.14-orig/xinetd/child.c	2006-11-28 14:03:07.000000000
> -0500
> +++ xinetd-2.3.14/xinetd/child.c	2006-11-29 17:04:19.000000000 -0500
> @@ -33,6 +33,8 @@
> +static int set_context_from_socket( const struct service_config *scp,
> int fd )
> +{
> +   security_context_t curr_context = NULL;
> +   security_context_t peer_context = NULL;
> +   security_context_t exec_context = NULL;
> +   context_t bcon = NULL;
> +   context_t pcon = NULL;
> +   security_context_t new_context = NULL;
> +   security_context_t new_exec_context = NULL;
> +   int retval = -1;
> +   const char *exepath = NULL;
> +
> +   if (getcon(&curr_context) < 0)
> +     goto fail;
> +
> +   if (getpeercon(fd, &peer_context) < 0)
> +     goto fail;
> +
> +   exepath = SC_SERVER_ARGV( scp )[0];
> +   if (getfilecon(exepath, &exec_context) < 0)
> +     goto fail;
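Review bot: the three `goto fail` exits in this hunk leave `curr_context` and `peer_context` allocated when a later call fails (getcon() and getpeercon() succeed before getfilecon() returns -1), and the `fail:` label is not in the quoted portion; make sure it calls freecon() on every security_context_t declared at the top (freecon(NULL) is safe), otherwise every failed connection leaks. Also, getpeercon() on a socket whose peer carries no label fails with ENOPROTOOPT, so an unlabeled client hitting a LABELED service ends up at `fail` as well; decide whether the caller treats that as a hard error or falls back to the configured context, and log errno at each exit so that case can be told apart from the getfilecon() failure discussed below.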

This turns out to be broken; the "exepath = ... " should be changed to the 
following:

 exepath = SC_SERVER( scp );

... or something similar; the issue is that "SC_SERVER_ARGV" does not return 
the full path name, simply the "basename", and as a result the getfilecon() 
call fails.

James, you can test this yourself using the following steps (it's really easy, 
I promise!).  Simply do the following:

1. Boot with a recent kernel (lspp.56 is what I used)
2. Enable telnet through xinetd and flip the "LABELED" flag
3. Enable NetLabel:
   (if using targeted)
   # netlabelctl -p cipsov4 add pass doi:1 tags:1
   # netlabelctl -p map add domain:unconfined_t protocol:cipsov4,1
   (if using mls and root)
   # netlabelctl -p cipsov4 add pass doi:1 tags:1
   # netlabelctl -p map add domain:staff_t protocol:cipsov4,1
4. Restart xinetd
5. Connect to the telnet server via localhost
6. Check the context of the telnet server

When done you can disable NetLabel by the following command:

   # netlabelctl -p cipsov4 del doi:1

-- 
paul moore
linux security @ hp
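The test procedure from the mail above, scripted as an added shell example (it is not part of Paul's mail nor of xinetd; step 1, booting the lspp kernel, cannot be scripted and is left to the operator). It assumes netlabelctl, xinetd and a telnet client are installed and that it runs as root; the service file path /etc/xinetd.d/telnet, the server process name in.telnetd, the `service xinetd restart` command and reading the policy type from SELINUXTYPE in /etc/selinux/config are all assumptions. The pure helpers (netlabel_rules, service_is_labeled, domain_of) do no privileged work so they can be checked on any machine.

```shell
#!/bin/sh
# Added example, not from the original mail or from xinetd: drives steps
# 2 to 6 of the NetLabel/xinetd telnet test and the final cleanup.
# Assumptions: root, netlabelctl/xinetd/telnet installed, Red Hat file layout.
set -u

DOI=1
XINETD_TELNET_CONF=${XINETD_TELNET_CONF:-/etc/xinetd.d/telnet}   # assumption
TELNETD_COMM=${TELNETD_COMM:-in.telnetd}                          # assumption

# Step 3: print the netlabelctl lines for a policy type.  "targeted" maps
# unconfined_t and "mls" maps staff_t, the two cases given in the mail.
netlabel_rules() {
    case "$1" in
        targeted) domain=unconfined_t ;;
        mls)      domain=staff_t ;;
        *) echo "netlabel_rules: unknown policy type '$1'" >&2; return 1 ;;
    esac
    printf 'netlabelctl -p cipsov4 add pass doi:%s tags:1\n' "$DOI"
    printf 'netlabelctl -p map add domain:%s protocol:cipsov4,%s\n' \
        "$domain" "$DOI"
}

# Step 2 check: 0 if the xinetd service file has LABELED on its flags line.
service_is_labeled() {
    grep -Eq '^[[:space:]]*flags[[:space:]]*[+]?=.*LABELED' "$1"
}

# Step 6 helper: extract the SELinux domain (third label field) from one
# "label command" line as printed by `ps -eo label,comm`.
domain_of() {
    label=${1%% *}        # first field is the context
    rest=${label#*:}      # drop user
    rest=${rest#*:}       # drop role
    printf '%s\n' "${rest%%:*}"
}

# Policy type from /etc/selinux/config (assumption: Red Hat layout).
policy_type() {
    sed -n 's/^SELINUXTYPE=//p' /etc/selinux/config 2>/dev/null | head -n 1
}

setup() {
    service_is_labeled "$XINETD_TELNET_CONF" || {
        echo "LABELED flag not set in $XINETD_TELNET_CONF" >&2
        return 1
    }
    netlabel_rules "$(policy_type)" | sh -e     # step 3
    service xinetd restart                      # step 4
}

check() {
    printf '\n' | telnet localhost 23 >/dev/null 2>&1 &   # step 5
    sleep 1
    ps -eo label,comm | grep "$TELNETD_COMM" | while read -r line; do
        echo "$TELNETD_COMM runs in domain: $(domain_of "$line")"   # step 6
    done
}

teardown() {
    netlabelctl -p cipsov4 del doi:"$DOI"       # the cleanup from the mail
}

case "${1:-}" in
    setup)    setup ;;
    check)    check ;;
    teardown) teardown ;;
    '')       : ;;    # no action given: only define the functions above
    *)        echo "usage: $0 setup|check|teardown" >&2; exit 2 ;;
esac
```

Run it as `sh netlabel-telnet-test.sh setup`, then `check`, then `teardown`; `setup` refuses to continue if the service file does not carry the LABELED flag, so the NetLabel rules are only installed once step 2 is actually done.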



