FC5 - changing security context to sockets

Stephen Smalley sds at tycho.nsa.gov
Mon Sep 18 19:25:38 UTC 2006


On Mon, 2006-09-18 at 14:00 -0500, Joe Nall wrote:
> On Sep 18, 2006, at 7:30 AM, Stephen Smalley wrote:
> 
> > As far as relabeling sockets is concerned, you could possibly use
> > fsetfilecon(3), which is a wrapper for fsetxattr(3), since the VFS
> > has a fallback for security attributes to the security module.
> 
> Would this work for unix domain but not IP sockets?

Depends on your kernel.  With existing kernels, it will work on all
sockets (because there is only one SID and it is stored in the incore
inode associated with the user socket).  With kernels with the recent
labeled networking patches (back ported to 2.6.18 for fc6/rhel5, queued
for 2.6.19), there is a separate SID stored in the struct sock, so
further work would be required to synchronize that SID if the SID was
allowed to change after creation.

> > However,
> > relabeling in general is not desirable and should be minimized.  The
> > goal is to label objects with the right context upon creation and keep
> > them in that context for their lifetime.
> 
> In the CMW programming model I have more experience with, a multilevel
> daemon would accept() and then set the new socket level to that of the
> connecting peer so that both socket endpoints were at the same level.
> 
> What is the right way to do this?

That is being handled in the kernel automatically in the recent kernels
with labeled networking patches.  New server socket is assigned the
level of the requesting client when it is created, so that it always has
the right label.

> 
> > Newer kernels support a way to create a socket in a particular context
> > via /proc/self/attr/sockcreate, and newer libselinux versions
> > provide a function interface for setting this attribute,
> > setsockcreatecon(3).  But these would not be present in FC5, only in FC6.
> 
> Found in libselinux-1.30.28-1
> 
> joe
-- 
Stephen Smalley
National Security Agency
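Both approaches from this thread in one piece of C: label the socket at creation through /proc/self/attr/sockcreate (the attribute setsockcreatecon(3) writes) where the kernel supports it, and otherwise fall back to the fsetfilecon(3)-style relabel, which is an fsetxattr(2) of security.selinux on the new descriptor. This is an added example, not code from the thread; it assumes no libselinux is linked (it uses the underlying syscalls directly), and the context string passed in is a placeholder chosen by the caller.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/xattr.h>
#include <unistd.h>
struct labeled_sock {
    int fd;            /* socket descriptor, -1 if socket() failed */
    int how;           /* 0: default label, 1: set at creation, 2: relabeled */
    char context[256]; /* label read back, empty if SELinux is unavailable */
};

/* setsockcreatecon(3) under the hood: write ctx to /proc/self/attr/sockcreate
 * (NULL clears it). Returns 0 or -errno. */
static int set_sockcreate(const char *ctx)
{
    int fd = open("/proc/self/attr/sockcreate", O_WRONLY);
    if (fd < 0) return -errno;
    ssize_t n = ctx ? write(fd, ctx, strlen(ctx) + 1) : write(fd, NULL, 0);
    int rc = n < 0 ? -errno : 0;
    close(fd);
    return rc;
}

/* fgetfilecon(3) under the hood: read the security.selinux xattr of fd.
 * Returns the context length or -errno; buf is always NUL-terminated. */
static int get_socket_context(int fd, char *buf, size_t len)
{
    ssize_t n = fgetxattr(fd, "security.selinux", buf, len - 1);
    if (n < 0) return -errno;
    buf[n] = '\0';   /* the kernel may or may not include the trailing NUL */
    return (int)strlen(buf);
}

/* Create an AF_UNIX stream socket carrying ctx: labeled at creation where the
 * kernel has sockcreate, else relabeled afterwards the fsetfilecon(3) way. */
static struct labeled_sock label_socket(const char *ctx)
{
    struct labeled_sock r = { -1, 0, "" };
    int at_create = set_sockcreate(ctx) == 0;
    r.fd = socket(AF_UNIX, SOCK_STREAM, 0);
    set_sockcreate(NULL);   /* always reset so later sockets get the default */
    if (r.fd < 0) return r;
    if (at_create) r.how = 1;
    else if (fsetxattr(r.fd, "security.selinux", ctx, strlen(ctx) + 1, 0) == 0)
        r.how = 2;
    if (get_socket_context(r.fd, r.context, sizeof r.context) < 0)
        r.context[0] = '\0';
    return r;
}
```

On a host without SELinux both the sockcreate write and the xattr calls fail, so `how` stays 0 and `context` is empty; on an SELinux host the read-back context shows which path took effect.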