On Wed, 20.08.14 12:01, Michal Sekletar (msekl...@redhat.com) wrote: > > > + if (context->selinux_labeled_net && > > > use_selinux()) { > > > + _cleanup_free_ char *label = NULL; > > > + > > > + err = label_get_socket_label(socket_fd, > > > command->path, &label); > > > + if (err < 0) { > > > + r = EXIT_SELINUX_CONTEXT; > > > + goto fail_child; > > > + } > > > + > > > + err = setexeccon(label); > > > + if (err < 0) { > > > + r = EXIT_SELINUX_CONTEXT; > > > + goto fail_child; > > > + } > > > + } > > > > If both SELinuxContext= and SELinuxLabeledNet= are set we should > > probably not execute one after the other, but only one of them. > > I think that it makes sense to set both and resulting label will be > combination > of both. Note that from SELinux label we acquire from network we are using > only > security level part.
Hmm? But in both cases we just execute setexeccon()? Are you saying that if we invoke setexeccon() twice with a specific combination of parameters then it leads to different results than just doing the second invocation and leaving the first one out? The documentation doesn't mention that. Obviously, I have no understanding of SELinux as it appears, but this sounds so werid to me. Dan, what's the story here? > > > +#ifdef HAVE_SELINUX > > > + if (!know_label && s->selinux_labeled_net) { > > > + r = getcon(&label); > > > + if (r < 0) > > > + return r; > > > + know_label = true; > > > + } > > > +#endif > > > if (!know_label) { > > > > > > > Can you explain this bit? Why would we label the listening socket with our > > own > > label here? > > This is because of MLS SELinux policy implementation details. If we relabel to > the context acquired from the target binary then it if not possible to > connect to > the socket because SELinux denies a packet receive on the socket. > > https://github.com/selinux-policy/selinux-policy/blob/rawhide-base/policy/mls#L361 I don't understand a word of this, I mus say. But is it really the intention here to take the current process label and apply it directly to the socket fd? Lennart -- Lennart Poettering, Red Hat _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel