[redhat-lspp] Xinetd patches for selinux context configuration

Stephen Smalley sds at tycho.nsa.gov
Wed Nov 29 15:31:37 UTC 2006 

On Wed, 2006-11-29 at 08:17 -0500, Paul Moore wrote:
> On Wednesday 29 November 2006 2:06 am, James Antill wrote:
> > On Wed, 2006-11-29 at 01:00 -0500, Paul Moore wrote:
> > > I just took a quick look at the patch and I have to ask why you decided
> > > to take the context from the xinetd config file instead of using
> > > security_compute_create() as described in BZ #209379?  As it stands I
> > > don't think the current approach of taking the full SELinux context (TE
> > > and MLS label) from the config file solves the problem we are interested
> > > in - multi-level network services via xinetd.
> >
> >  Ok, if that's the problem I'm not sure why we want any changes to the
> > config. file. As I understand it from the above BZ, you have:
> >
> > user_u:system_r:inetd_t
> >     = xinetd is running as this
> > user_u:system_r:fingerd_exec_t
> >     = in.fingerd on disk
> > user_u:system_r:fingerd_t
> >     = in.fingerd when run normally from xinetd
> > user_u:system_r:unconfined_t:SystemLow-SystemHigh
> >     = getpeercon()
> >
> > user_u:system_r:fingerd_t:SystemLow-SystemHigh
> >     = What we want the in.fingerd to be running in, with ML networking
> 
> That's it exactly.  I don't think we want any changes to the config file, at 
> least I don't see a need for any changes; I think all we want is a change to 
> how xinetd operates when the "LABELED" flag is specified.
> 
> >  So we need to take the getfilecon() and getpeercon() and combine them
> > somehow (the BZ says security_compute_create()[1]), and we might then
> > need to move to fgetfilecon() / fexecve() to close the race :(.
> >  Is the above right? If not what piece(s) of information need to come
> > from the config. file?
> >
> > [1] I tried a few different calls with security_compute_create, and
> > maybe I'm not using the right security class, but I can't get it to
> > combine the TE and MLS correctly.
> 
> Granted I haven't actually tried any of this to verify that it works, but I 
> suspect you would want to do the following (I'm also not the best person to 
> ask about SELinux userspace calls so there may be better functions to use):
> 
> 1. getpeercon() to determine the context of the remote
> 2. getcon() to determine the context of xinetd
> 3. getfilecon() to determine the context of the server's binary
> 4. Compute the context of the server's domain when run by xinetd using
>    security_compute_create(), the contexts from #2 and #3, and the process
>    class
> 5. Replace the MLS label from #4 with the MLS label from #1
> 6. setexeccon() with #5 to set the context for the server
> 7. Start the server
> 
> Yes, there is a race condition between steps #3 and #7 but in practice I don't 
> think it will be a real issue as normal users should not have write/relabel 
> access to any of the server's binaries on disk which means only the admin 
> would have the ability to cause the race.

The above sounds correct.  With regard to the "race", if the binary's
type has changed since #3, then the execve should fail because the new
domain computed by #4 will lack entrypoint permission to the new file
type.

-- 
Stephen Smalley
National Security Agency

More information about the redhat-lspp mailing list