[redhat-lspp] Xinetd patches for selinux context configuration

Stephen Smalley sds at tycho.nsa.gov
Wed Nov 29 21:32:45 UTC 2006


On Wed, 2006-11-29 at 16:29 -0500, Steve Grubb wrote:
> On Wednesday 29 November 2006 16:14, James Antill wrote:
> >  Ok, this patch doesn't do any bounding then.
> >  I've currently left the old config. context stuff in atm. in case we
> > want to change that to specify the MLS bound, it's easier for me. But if
> > this is fine as is I'll drop that part before I hand it off to Steve.
> 
> If we are adding a parser to xinetd, it needs to check that the context it 
> read is indeed valid. Also, xinetd does an integrated check in check_entry(), 
> confparse.c. It needs to do some paranoid checks that they are not specifying 
> a label when labeled networking flag is not given.

security_check_context(3) can be used to validate a context against the
active policy.

I'm not sure the approach is quite workable yet either - if you
configure xinetd to use labeled networking but the incoming connection
is coming from a host that doesn't support it, getpeercon() will fail
and you need to gracefully deal with it (e.g. fall back to some default,
possibly based on the client machine's address).

-- 
Stephen Smalley
National Security Agency



