[redhat-lspp] Xinetd patches for selinux context configuration

James Antill jantill at redhat.com
Tue Nov 28 23:13:11 UTC 2006


 I've created the patches to allow selinux context to be specified for
xinetd and they seem to work, however one problem is that xinetd isn't
allowed to transition to any other domains. E.g.:

type=AVC msg=audit(1164755336.496:24242): avc:  denied  { transition } for  pid=22285 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116 scontext=user_u:system_r:inetd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process

type=AVC msg=audit(1164755097.924:24194): avc:  denied  { transition } for  pid=21497 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116 scontext=user_u:system_r:inetd_t:s0 tcontext=user_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=process

type=AVC msg=audit(1164755203.968:24207): avc:  denied  { entrypoint } for  pid=21825 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116 scontext=user_u:system_r:fingerd_t:s0 tcontext=user_u:object_r:httpd_exec_t:s0 tclass=file

...so either the setexeccon fails, because xinetd isn't allowed to
transition to that context ... or the context doesn't have the ability
to exec anything but itself (you can transition to fingerd_t and then
exec fingerd_exec_t ... but that doesn't do anything).


 Example config:

        # selinux_context = user_u:system_r:inetd_t:SystemLow-SystemHigh
        selinux_context = user_u:system_r:httpd_t
        # selinux_context = user_u:system_r:fingerd_t

 Anyway, here are the patches/rpms:

http://people.redhat.com/jantill/xinetd/

-- 
James Antill <jantill at redhat.com>
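The three AVC records quoted above are exactly the kind of thing a defender has to triage when a daemon is given a new exec context: is the denial a missing domain transition, an MLS range change within the same domain, or a target binary that is not an entrypoint for the requested domain? The following parser is an added example written for this post, not code from xinetd or from the patches linked above; it embeds the three audit lines from the message as constructed sample input and classifies each denial by (permission, class, source type, target type). The category names and the `parse_avc`/`classify` helpers are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the three AVC records quoted in the message above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1164755336.496:24242): avc:  denied  { transition } for  pid=22285 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116 scontext=user_u:system_r:inetd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1164755097.924:24194): avc:  denied  { transition } for  pid=21497 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116 scontext=user_u:system_r:inetd_t:s0 tcontext=user_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1164755203.968:24207): avc:  denied  { entrypoint } for  pid=21825 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116 scontext=user_u:system_r:fingerd_t:s0 tcontext=user_u:object_r:httpd_exec_t:s0 tclass=file
"""

# One AVC record: header, result, permission set, then free-form key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Context:
    user: str
    role: str
    type: str
    level: Optional[str]   # MLS level or range, e.g. "s0" or "s0-s0:c0.c1023"; None if absent


def parse_context(text: str) -> Context:
    """Split user:role:type[:level] ; the level may itself contain ':' so split at most 3 times."""
    parts = text.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'not a security context: {text!r}')
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else None)


@dataclass
class AvcRecord:
    serial: int
    result: str
    perms: list
    comm: str
    name: str
    scontext: Context
    tcontext: Context
    tclass: str


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit line; return None for lines that are not AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return AvcRecord(
        serial=int(m.group('serial')),
        result=m.group('result'),
        perms=m.group('perms').split(),
        comm=fields.get('comm', ''),
        name=fields.get('name', ''),
        scontext=parse_context(fields['scontext']),
        tcontext=parse_context(fields['tcontext']),
        tclass=fields['tclass'],
    )


def classify(rec: AvcRecord) -> str:
    """Name the policy gap a denial points at, in domain-transition terms.

    domain-transition : source domain may not transition to the target domain at all
    mls-range-change  : same domain, only the MLS level/range differs between the two contexts
    entrypoint        : the target file type is not an entrypoint for the (already reached) domain
    """
    if rec.result != 'denied':
        return 'granted'
    if rec.tclass == 'process' and 'transition' in rec.perms:
        if rec.scontext.type == rec.tcontext.type:
            return 'mls-range-change'
        return 'domain-transition'
    if rec.tclass == 'file' and 'entrypoint' in rec.perms:
        return 'entrypoint'
    return 'other'


def triage(audit_text: str) -> list:
    """Return (serial, comm, src type, tgt type, category) for each AVC denial in the text."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        out.append((rec.serial, rec.comm, rec.scontext.type, rec.tcontext.type, classify(rec)))
    return out


if __name__ == '__main__':
    for row in triage(SAMPLE_AUDIT):
        print(row)
```

Run against the sample, the first record is a plain missing domain transition (`inetd_t` to `httpd_t`), the second is the same domain with only the MLS range changed (`s0` to `s0-s0:c0.c1023`), and the third shows a transition that did succeed (`fingerd_t`) but then could not exec `httpd_exec_t` because that file type is not an entrypoint for `fingerd_t`; these are the two failure modes the post describes.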