FC5 - changing security context to sockets

[Stephen Smalley]

On Sat, 2006-09-16 at 23:12 -0400, Sandra Julieta Rueda Rodriguez wrote:
> Hello,
> 
> I am currently working with SElinux FC5 and I want an application to be
> able to switch security context. The application uses sockets, so they
> inherit the security context from the application.
> To allow the application to switch security context (domain) I will add a
> transition rule in the list of selinux policies.
> 
> However, I also want the application to be able to relabel the socket with
> the new security context. So far I have not found a direct way to do it so
> I am planning to modify the sys_setsockopt function in the socket file and
> other functions related to that one. I was wondering if there is a direct
> way to do it, instead of having to modify the kernel.

When you say "switch contexts", do you mean setexeccon()+execve(), or
setcon()?  The former enables proper control over the inheritance of
state and initialization of the process in the new context; the latter
requires trust in the application to maintain any separation and weakens
the binding between the new context and the code.

As far as relabeling sockets is concerned, you could possibly use
fsetfilecon(3), which is a wrapper for fsetxattr(3), since the VFS has a
fallback for security attributes to the security module.  However,
relabeling in general is not desirable and should be minimized.  The
goal is to label objects with the right context upon creation and keep
them in that context for their lifetime.  

Newer kernels support a way to create a socket in a particular context
via /proc/self/attr/sockcreate, and newer libselinux versions provide a
function interface for setting this attribute, setsockcreatecon(3).  But
these would not be present in FC5, only in FC6.

-- 
Stephen Smalley
National Security Agency