[redhat-lspp] Xinetd patches for selinux context configuration
Stephen Smalley
sds at tycho.nsa.gov
Wed Nov 29 21:22:35 UTC 2006
On Wed, 2006-11-29 at 16:14 -0500, James Antill wrote:
> diff -rup xinetd-2.3.14-orig/xinetd/child.c xinetd-2.3.14/xinetd/child.c
> --- xinetd-2.3.14-orig/xinetd/child.c 2006-11-28 14:03:07.000000000
> -0500
> +++ xinetd-2.3.14/xinetd/child.c 2006-11-29 15:55:27.000000000 -0500
> @@ -513,4 +511,74 @@ static int set_context_from_socket( int
>
> return retval;
> }
> +
> +static int set_context_from_socket( const struct service_config *scp,
> int fd )
> +{
> + security_context_t curr_context;
> + security_context_t peer_context;
> + security_context_t exec_context;
> + context_t bcon;
> + context_t pcon;
> + security_context_t new_context;
> + security_context_t new_exec_context;
If you init these variables to NULL, you can unconditionally free them
on the exit path and not require as many distinct labels.
> + int retval = -1;
> + const char *exepath = NULL;
> +
> + if (getcon(&curr_context) < 0)
> + goto fail_getcon;
> +
> + if (getpeercon(fd, &peer_context) < 0)
> + goto fail_getpeercon;
> +
> + exepath = SC_SERVER_ARGV( scp )[0];
> + if (lgetfilecon(exepath, &exec_context) < 0)
> + goto fail_lgetfilecon;
You want getfilecon() here rather than lgetfilecon(), since you want the
context of the executable that will be executed by execve, not any
symlink to it.
> + if (!context_range_get(pcon))
> + goto fail_context_range_get;
> +
> + if (!context_range_set(bcon, context_range_get(pcon)))
> + goto fail_context_range_set;
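Review bot: the hunk header `@@ -513,4 +511,74 @@ static int set_context_from_socket( int` shows the old file already contains a `set_context_from_socket( int ...)` definition, while this hunk adds a second one with the signature `static int set_context_from_socket( const struct service_config *scp, int fd )`; confirm the old definition is removed by an earlier hunk of this diff, otherwise the two definitions collide. Separately, none of the `goto fail_*` paths in this hunk records which libselinux call failed (getcon, getpeercon, lgetfilecon, context_range_get, context_range_set); logging errno together with the failing call's name before each goto would let an operator distinguish a policy denial from a socket whose peer carries no label when a service refuses to start.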
context_range_set returns nonzero upon failure - looks like the man page
is wrong for the _set functions.
--
Stephen Smalley
National Security Agency