talking to mcstrans in MLS enforcing on rhel6 beta
- First Post
- Replies
- Stats
-
Go to
- ----- 2024 -----
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
I'm a bit confused about something. mcstransd creates a socket and
through a transition rule it get labeled setrans_var_run_t (this is
also the type used with mls_trusted_object in the setrans policy)
however when other apps try and connect to it the target context type
is setrans_t which of course isn't trusted so no one can connect. As
an experiment I added setrans_t as a mls trusted object and then other
apps could connect. Not sure where the target context comes from on
connectto because the socket file is label setrans_var_run_t on the
disk. Something needs fixing just not sure what. Doesn't seem right to
add 'mls_trusted_object(setrans_t)'.
Ted
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/11/2010 12:10 PM, Xavier Toth wrote:
I'm a bit confused about something. mcstransd creates a socket
and
through a transition rule it get labeled setrans_var_run_t (this is
also the type used with mls_trusted_object in the setrans policy)
however when other apps try and connect to it the target context type
is setrans_t which of course isn't trusted so no one can connect. As
an experiment I added setrans_t as a mls trusted object and then other
apps could connect. Not sure where the target context comes from on
connectto because the socket file is label setrans_var_run_t on the
disk. Something needs fixing just not sure what. Doesn't seem right to
add 'mls_trusted_object(setrans_t)'.
Ted
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Since connectto has a constraint on it, I think we need to add this also?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEUEARECAAYFAkvpo7gACgkQrlYvE4MpobOuugCYo2aC2+irPvhnzmLDzKwIfdQN
MQCfd+sRrhhUQKVrb8WQZ72CEaRAcHs=
=I0Lq
-----END PGP SIGNATURE-----
On Tue, 2010-05-11 at 11:10 -0500, Xavier Toth wrote:
I'm a bit confused about something. mcstransd creates a socket
and
through a transition rule it get labeled setrans_var_run_t (this is
also the type used with mls_trusted_object in the setrans policy)
however when other apps try and connect to it the target context type
is setrans_t which of course isn't trusted so no one can connect. As
an experiment I added setrans_t as a mls trusted object and then other
apps could connect. Not sure where the target context comes from on
connectto because the socket file is label setrans_var_run_t on the
disk. Something needs fixing just not sure what. Doesn't seem right to
add 'mls_trusted_object(setrans_t)'.
When you create and bind a Unix domain socket in the file system
namespace (as opposed to the abstract namespace), there are two objects:
the socket itself (created upon the socket call, labeled with the label
of the creating process), and the file (created upon the bind call,
labeled in accordance with the usual file labeling behavior).
Connecting to such a socket requires both write access to the file and
connectto permission to the socket. So connectto is a socket-to-socket
(which looks like process-to-process since sockets are labeled based on
creating process and act as proxies/queues between processes) check.
--
Stephen Smalley
National Security Agency
5107
days inactive
5107
days old
selinux@lists.fedoraproject.org
2 comments
3 participants
tags (0)
participants (3)
-
Daniel J Walsh -
Stephen Smalley -
Ted Toth