Paul Moore wrote:
> Steve Grubb wrote:
>
>>diff -urNp xinetd-2.3.14.orig/xinetd/child.c xinetd-2.3.14/xinetd/child.c
>>--- xinetd-2.3.14.orig/xinetd/child.c 2006-06-16 13:20:01.000000000 -0400
>>+++ xinetd-2.3.14/xinetd/child.c 2006-08-24 14:11:09.000000000 -0400
>>@@ -31,6 +31,9 @@
>> #ifdef HAVE_NETDB_H
>> #include <netdb.h>
>> #endif
>>+#ifdef LABELED_NET
>>+#include <selinux/selinux.h>
>>+#endif
>>
>> #include "str.h"
>> #include "child.h"
>>@@ -44,6 +47,12 @@
>> #include "options.h"
>> #include "redirect.h"
>>
>>+/* Local declarations */
>>+#ifdef LABELED_NET
>>+static int set_context_from_socket( int fd );
>>+#endif
>>+
>>+
>> /*
>> * This function is running in the new process
>> */
>>@@ -143,6 +152,19 @@ void exec_server( const struct server *s
>> }
>> #endif
>>
>>+ /*
>>+ Set the context if the option was given
>>+ */
>>+#ifdef LABELED_NET
>>+ if (SC_LABELED_NET(scp))
>>+ {
>>+ if (set_context_from_socket( descriptor ) < 0)
>>+ msg( LOG_ERR, func,
>>+ "Changing process context failed for %s", SC_ID( scp )) ;
>>+ _exit( 1 ) ;
>>+ }
>>+#endif
>>+
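Review bot: The comment introduced above the new LABELED_NET block (`Set the context if the option was given`) does not say which context is meant or that a failure is fatal to the child, even though the block calls `set_context_from_socket( descriptor )` and `_exit( 1 )`s when it returns a negative value. A maintainer reading this later should be able to see that the fail-closed exit is deliberate, so I would replace the comment with something like `/* LABELED_NET: set the child's SELinux process context from the accepted socket (presumably its peer label - confirm in set_context_from_socket). If that fails, exit instead of exec'ing the service with the wrong context. */`. The enclosing function exec_server() starts and ends outside this hunk, so whether `descriptor` is the accepted connection's fd cannot be confirmed from the hunk alone; the comment should state that assumption where the variable is defined.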
>
>
> Steve, you forgot to add braces around the error path for the
> set_context_from_socket() call. Right now '_exit(1)' is always called
> which causes the child server to die prematurely.
>
I forgot to add: I made the change and this allowed me to telnet into
the system using NetLabel/CIPSO and according to ps the in.telnetd
process was running at the correct MLS label (the label of the telnet
client).
--
paul moore
linux security @ hp