On Wed, 2006-08-23 at 17:56 -0400, Steve Grubb wrote:
> Hello,
> 
> This is the long overdue xinetd patch. To enable it, you have to rerun
> autoconf and add the --with-labeled-networking option to configure. Then
> in the service configuration, add a
> 
> flags = LABELED
> 
> When compiled correctly, there will be a message in the syslog that says
> labeled-networking option was compiled in. As for testing this, only external
> services get setexeccon() applied; internal services such as echo do
> not.
> 
> If you want a srpm, you can download one here:
> http://people.redhat.com/sgrubb/files/lspp/xinetd-2.3.14-4.src.rpm
> 
> enjoy...
> 
> -Steve
> 
> 

> diff -urNp xinetd-2.3.14.orig/xinetd/child.c xinetd-2.3.14/xinetd/child.c
> --- xinetd-2.3.14.orig/xinetd/child.c 2006-06-16 13:20:01.000000000 -0400
> +++ xinetd-2.3.14/xinetd/child.c      2006-08-23 17:27:22.000000000 -0400
> +#ifdef LABELED_NET
> +static int get_context_from_socket(int fd, char *buffer, unsigned int 
> *buflen)
> +{
> +   const char *func = "get_context_from_socket" ;
> +
> +   int retval = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buffer, buflen);

libselinux provides a wrapper for this interface that internally handles
size determination and allocation of the buffer, getpeercon(3).

At present, we don't have a parallel libselinux function for the
SCM_SECURITY support for datagrams; not sure exactly what form that
would take or whether it would be useful.

> +static int set_exec_context_from_socket( int fd )
> +{
> +   const char *func = "set_exec_context_from_socket" ;
> +
> +   char buffer[255];
> +   unsigned int buflen = 255;

255 is too limiting, but if you use getpeercon, you won't have to worry
about it.

> +   if (get_context_from_socket(fd, buffer, &buflen))
> +      return -1;
> +
> +   int retval = setexeccon(buffer);

Do you want to apply any kind of access checks on the peer context
before using it, or are you entirely relying on the OS level checks to
bound the client?

> +
> +   if (debug.on)
> +   {
> +      security_context_t current_exec_context;
> +      getexeccon( &current_exec_context );
> +
> +      msg( LOG_DEBUG, func, 
> +        "current security exec context now: %s", 
> +        current_exec_context);
> +
> +      freecon( current_exec_context );
> +   }
> +
> +   return retval;
> +}
> +#endif
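Review bot: The debug block in set_exec_context_from_socket runs even when the setexeccon() call just above it has failed, and it ignores getexeccon()'s return value; libselinux can hand back a NULL context there, which the `%s` in the msg() call would then dereference. Guarding the block on retval and on a successful, non-NULL getexeccon() avoids both the crash and a misleading "now" log line after a failure. The callers of this function are outside the hunk; presumably a -1 from it must abort the service spawn rather than fall through to exec in xinetd's own context, which is worth confirming since the whole point of the flag is the label.
```c
   int retval = setexeccon(buffer);

   if (retval == 0 && debug.on)
   {
      security_context_t current_exec_context = NULL;

      if (getexeccon( &current_exec_context ) == 0 && current_exec_context != NULL)
      {
         msg( LOG_DEBUG, func,
           "current security exec context now: %s",
           current_exec_context);
         freecon( current_exec_context );
      }
   }

   return retval;
```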
> diff -urNp xinetd-2.3.14.orig/xinetd/main.c xinetd-2.3.14/xinetd/main.c
> --- xinetd-2.3.14.orig/xinetd/main.c  2006-06-16 13:20:01.000000000 -0400
> +++ xinetd-2.3.14/xinetd/main.c       2006-08-23 17:26:04.000000000 -0400
> @@ -80,7 +80,10 @@ int main( int argc, char *argv[] )
>  #ifdef HAVE_DNSREGISTRATION
>     "rendezvous "
>  #endif
> -#if !defined(LIBWRAP) && !defined(HAVE_LOADAVG) && !defined(HAVE_MDNS) && 
> !defined(HAVE_HOWL) && !defined(HAVE_DNSREGISTRATION)
> +#ifdef LABELED_NET
> +   "labeled-networking "
> +#endif
> +#if !defined(LIBWRAP) && !defined(HAVE_LOADAVG) && !defined(HAVE_MDNS) && 
> !defined(HAVE_HOWL) && !defined(HAVE_DNSREGISTRATION) && !defined(LABELED_NET)
>     "no "
>  #endif
>     "options compiled in."
> diff -urNp xinetd-2.3.14.orig/xinetd/nvlists.c xinetd-2.3.14/xinetd/nvlists.c
> --- xinetd-2.3.14.orig/xinetd/nvlists.c       2006-06-16 13:20:01.000000000 
> -0400
> +++ xinetd-2.3.14/xinetd/nvlists.c    2006-08-23 17:26:04.000000000 -0400
> @@ -47,6 +47,7 @@ const struct name_value service_flags[] 
>        { "SENSOR",                     SF_SENSOR              },
>        { "IPv4",                       SF_IPV4                },
>        { "IPv6",                       SF_IPV6                },
> +      { "LABELED",                    SF_LABELED             },
>        { CHAR_NULL,                    0                      }
>     } ;
>  
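Review bot: The `LABELED` entry is added to service_flags unconditionally, while the code that acts on it in child.c is compiled only under `#ifdef LABELED_NET`; on a build without `--with-labeled-networking` the flag parses cleanly and silently does nothing, so a service the administrator believes is labeled runs unlabeled. Wrapping the entry as `#ifdef LABELED_NET` / `{ "LABELED", SF_LABELED },` / `#endif` turns that misconfiguration into a rejected flag name instead of a silent fail-open, provided the flag parser treats unknown names as errors — that code is outside the hunk.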
> diff -urNp xinetd-2.3.14.orig/xinetd/sconf.h xinetd-2.3.14/xinetd/sconf.h
> --- xinetd-2.3.14.orig/xinetd/sconf.h 2006-06-16 13:20:01.000000000 -0400
> +++ xinetd-2.3.14/xinetd/sconf.h      2006-08-23 17:26:04.000000000 -0400
> @@ -58,6 +58,7 @@
>  #define SF_SENSOR       9
>  #define SF_IPV4         10
>  #define SF_IPV6         11
> +#define SF_LABELED      12
>  
>  /*
>   * Values for log options
> @@ -239,6 +240,7 @@ struct service_config
>  #define SC_SENSOR( scp )          M_IS_SET( (scp)->sc_xflags, SF_SENSOR )
>  #define SC_IPV4( scp )            M_IS_SET( (scp)->sc_xflags, SF_IPV4 )
>  #define SC_IPV6( scp )            M_IS_SET( (scp)->sc_xflags, SF_IPV6 )
> +#define SC_LABELED_NET( scp )     M_IS_SET( (scp)->sc_xflags, SF_LABELED )
>  
>  #define SC_IS_RPC( scp )         ( M_IS_SET( (scp)->sc_type, ST_RPC ) )
>  #define SC_IS_INTERNAL( scp )    ( M_IS_SET( (scp)->sc_type, ST_INTERNAL ) )
> diff -urNp xinetd-2.3.14.orig/xinetd/xinetd.conf.man 
> xinetd-2.3.14/xinetd/xinetd.conf.man
> --- xinetd-2.3.14.orig/xinetd/xinetd.conf.man 2006-06-16 13:20:01.000000000 
> -0400
> +++ xinetd-2.3.14/xinetd/xinetd.conf.man      2006-08-23 17:26:04.000000000 
> -0400
> @@ -145,6 +145,9 @@ Sets the service to be an IPv4 service (
>  .B IPv6
>  Sets the service to be an IPv6 service (AF_INET6), if IPv6 is available on 
> the system.
>  .TP
> +.B LABELED
> +The LABELED flag will tell xinetd to change the child processes SE Linux 
> context to match that of the incoming connection as it starts the service.
> +.TP
>  .B REUSE
>  The REUSE flag is deprecated.  All services now implicitly use the REUSE 
> flag.
>  .RE
> 
-- 
Stephen Smalley
National Security Agency
