Fwd: talking to mcstrans in MLS enforcing on rhel6 beta

Daniel J Walsh dwalsh at redhat.com
Wed May 12 16:24:04 UTC 2010



On 05/12/2010 11:39 AM, Xavier Toth wrote:
> ---------- Forwarded message ----------
> From: Xavier Toth <txtoth at gmail.com>
> Date: Wed, May 12, 2010 at 10:38 AM
> Subject: Re: talking to mcstrans in MLS enforcing on rhel6 beta
> To: Stephen Smalley <sds at tycho.nsa.gov>
> 
> 
> On Tue, May 11, 2010 at 4:13 PM, Stephen Smalley <sds at tycho.nsa.gov> wrote:
>> On Tue, 2010-05-11 at 11:10 -0500, Xavier Toth wrote:
>>> I'm a bit confused about something. mcstransd creates a socket and
>>> through a transition rule it gets labeled setrans_var_run_t (this is
>>> also the type used with mls_trusted_object in the setrans policy);
>>> however, when other apps try to connect to it the target context type
>>> is setrans_t, which of course isn't trusted, so no one can connect. As
>>> an experiment I added setrans_t as an MLS trusted object and then other
>>> apps could connect. Not sure where the target context comes from on
>>> connectto because the socket file is labeled setrans_var_run_t on the
>>> disk. Something needs fixing, just not sure what. Doesn't seem right to
>>> add 'mls_trusted_object(setrans_t)'.
>>
>> When you create and bind a Unix domain socket in the file system
>> namespace (as opposed to the abstract namespace), there are two objects:
>> the socket itself (created upon the socket call, labeled with the label
>> of the creating process), and the file (created upon the bind call,
>> labeled in accordance with the usual file labeling behavior).
>> Connecting to such a socket requires both write access to the file and
>> connectto permission to the socket.  So connectto is a socket-to-socket
>> (which looks like process-to-process since sockets are labeled based on
>> creating process and act as proxies/queues between processes) check.
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>>
> 
> So mls_trusted_object(setrans_t) needs to be added.
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
selinux-policy-3.7.19-15.el6 should have this.

