FC5 - changing security context to sockets

Joe Nall joe at nall.com
Mon Sep 18 19:00:55 UTC 2006


On Sep 18, 2006, at 7:30 AM, Stephen Smalley wrote:

> As far as relabeling sockets is concerned, you could possibly use
> fsetfilecon(3), which is a wrapper for fsetxattr(3), since the VFS
> has a fallback for security attributes to the security module.

Would this work for unix domain but not IP sockets?

> However,
> relabeling in general is not desirable and should be minimized.  The
> goal is to label objects with the right context upon creation and keep
> them in that context for their lifetime.

In the CMW programming model I have more experience with, a multilevel
daemon would accept() and then set the new socket level to that of the
connecting peer so that both socket endpoints were at the same level.

What is the right way to do this?

> Newer kernels support a way to create a socket in a particular context
> via /proc/self/attr/sockcreate, and newer libselinux versions provide a
> function interface for setting this attribute, setsockcreatecon(3).  But
> these would not be present in FC5, only in FC6.

Found in libselinux-1.30.28-1

joe
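An added example to go with the exchange above; it is not code from the thread, from libselinux or from any Fedora package. It talks to the kernel interfaces the messages name directly (writing /proc/self/attr/sockcreate as setsockcreatecon(3) does, the security.selinux xattr that fsetfilecon(3)/fgetfilecon(3) wrap, and SO_PEERSEC, which is what getpeercon(3) reads), so it builds without libselinux and the helper names are my own. It also shows the CMW-style step Joe describes: after accept(), read the peer's context and relabel the new socket to the peer's MLS range. Whether the kernel and policy allow that relabel on a socket is exactly Stephen's "could possibly", and the contexts in main() are constructed sample strings, not from a real system.

```c
/* Added example for the fedora-selinux-list thread; not code from the list
 * or from libselinux.  Helper names are mine; the contexts in main() are
 * constructed samples.  Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/xattr.h>

/* What setsockcreatecon(3) does: tell the kernel which context the sockets
 * this task creates next should get.  NULL clears it.  This example is
 * single-threaded; libselinux writes the per-thread attr file instead so
 * other threads are not affected.  Returns 0, or -1 with errno set
 * (ENOENT on a kernel without SELinux). */
static int set_sockcreate_context(const char *ctx)
{
    int fd = open("/proc/self/attr/sockcreate", O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* libselinux writes the trailing NUL too; the kernel accepts either. */
    ssize_t n = ctx ? write(fd, ctx, strlen(ctx) + 1) : write(fd, NULL, 0);
    int saved = errno;
    close(fd);
    errno = saved;
    return n < 0 ? -1 : 0;
}

/* What getpeercon(3) does: ask the kernel for the connecting peer's context.
 * The kernel includes the terminating NUL; we terminate again to be safe. */
static int get_peer_context(int fd, char *buf, size_t len)
{
    socklen_t optlen = (socklen_t)len;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, &optlen) < 0)
        return -1;
    buf[optlen < len ? optlen : len - 1] = '\0';
    return 0;
}

/* The socket's own label via the VFS xattr fallback Stephen mentions
 * (what fgetfilecon(3) does).  ENOTSUP/ENODATA without SELinux. */
static int get_sock_context(int fd, char *buf, size_t len)
{
    ssize_t n = fgetxattr(fd, "security.selinux", buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Pointer to the MLS range (fourth ':'-separated field) of a context, or
 * NULL when the context has no range, e.g. under a non-MLS policy. */
static const char *context_range(const char *ctx)
{
    int colons = 0;
    for (const char *p = ctx; *p; p++)
        if (*p == ':' && ++colons == 3)
            return p + 1;
    return NULL;
}

/* local's user:role:type with peer's range appended: the target context for
 * the CMW-style "both endpoints at the peer's level" relabel.  -1/EINVAL if
 * either context lacks a range, -1/ERANGE if out is too small. */
static int with_peer_range(const char *local, const char *peer,
                           char *out, size_t len)
{
    const char *lrange = context_range(local);
    const char *prange = context_range(peer);
    if (!lrange || !prange) { errno = EINVAL; return -1; }
    size_t prefix = (size_t)(lrange - local);      /* includes the third ':' */
    if (prefix + strlen(prange) + 1 > len) { errno = ERANGE; return -1; }
    memcpy(out, local, prefix);
    strcpy(out + prefix, prange);
    return 0;
}

/* After accept(): relabel the new socket to the peer's level.  The accepted
 * socket inherits the listening socket's label (the kernel copies it in
 * accept, so sockcreate does not apply here), which is why a relabel, not
 * a create-time label, is needed; policy must grant relabelfrom/relabelto
 * on the socket class.  Returns 0, or -1 with errno from the failing step. */
static int match_peer_level(int conn)
{
    char peer[256], local[256], want[512];
    if (get_peer_context(conn, peer, sizeof peer) < 0) return -1;
    if (get_sock_context(conn, local, sizeof local) < 0) return -1;
    if (with_peer_range(local, peer, want, sizeof want) < 0) return -1;
    if (strcmp(local, want) == 0) return 0;        /* already at that level */
    return fsetxattr(conn, "security.selinux", want, strlen(want), 0);
}

int main(void)
{
    char out[128];
    if (with_peer_range("system_u:system_r:daemon_t:s0",
                        "system_u:system_r:client_t:s2:c5", out, sizeof out) == 0)
        printf("relabel target: %s\n", out);

    /* Create-time labelling (needs an SELinux kernel and a policy that
     * lets this domain create sockets in that context). */
    if (set_sockcreate_context("system_u:system_r:daemon_t:s0") < 0)
        perror("sockcreate");
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
        char ctx[256];
        if (get_sock_context(sv[0], ctx, sizeof ctx) == 0)
            printf("socket label: %s\n", ctx);
        else
            perror("fgetxattr security.selinux");
        if (match_peer_level(sv[1]) < 0)
            perror("match_peer_level");
        close(sv[0]);
        close(sv[1]);
    }
    set_sockcreate_context(NULL);
    return 0;
}
```

On a box without SELinux every kernel-facing call fails with a plain errno and the program just reports it; the string handling runs anywhere. Keep Stephen's caveat in mind when using the relabel half: it is a workaround for the accept() case, and anything that can be labelled correctly at creation should use sockcreate instead.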
