Re: [systemd-devel] socket activation selinux context on create
I'm testing a runner of a patch, but what I'm seeing is setsockcreatecon called (in a sd-listen process) with the context I've set using 'semanage port -t', but then when I look at the listening socket context (netstat -Z) it is still init_t and not the type set by setsockcreatecon. I'm not clear about how systemd uses a child process (sd-listen) to create a listening socket and whether the socket context persists across the processes; can someone explain this to me?

Ted

On Tue, Sep 6, 2022 at 4:51 PM Ted Toth wrote:
>
> I think I figured out how to add libsemanage to the link; when you see
> the patch you can tell me if I did it right.
>
> On Tue, Sep 6, 2022 at 11:46 AM Ted Toth wrote:
> >
> > I'm working on a patch and adding a function to selinux_util.c which
> > calls libsemanage functions, but I don't know how to add this library
> > to the link of the systemd (libsystemd-shared-.so) shared
> > library as I'm not familiar with the build; how do I do this?
> > Also a lot of the semanage functions on failure do not set errno, so
> > how should I log these failures, i.e. which log_ function should I
> > call?
> >
> > Ted
> >
> > On Fri, Sep 2, 2022 at 9:13 AM Lennart Poettering wrote:
> > >
> > > On Fr, 02.09.22 09:04, Ted Toth (txt...@gmail.com) wrote:
> > >
> > > > I have set the type for the port in question using the 'semanage port'
> > > > command so the loaded policy has a type which systemd should use when
> > > > calling setsockcreatecon. It is my opinion that the
> > > > socket_determine_selinux_label function should query policy for the
> > > > port type and if it has been set use it, and if not fall back to its
> > > > current behavior.
> > >
> > > Sure, patch very welcome.
> > >
> > > SELinux code really requires external contributions; none of the core
> > > developers know SELinux well enough to feel confident to implement
> > > that.
> > >
> > > (consider filing an RFE issue on github, so that this is tracked)
> > >
> > > Lennart
> > >
> > > --
> > > Lennart Poettering, Berlin
Re: [systemd-devel] socket activation selinux context on create
I think I figured out how to add libsemanage to the link; when you see the patch you can tell me if I did it right.

On Tue, Sep 6, 2022 at 11:46 AM Ted Toth wrote:
>
> I'm working on a patch and adding a function to selinux_util.c which
> calls libsemanage functions, but I don't know how to add this library
> to the link of the systemd (libsystemd-shared-.so) shared
> library as I'm not familiar with the build; how do I do this?
> Also a lot of the semanage functions on failure do not set errno, so
> how should I log these failures, i.e. which log_ function should I
> call?
>
> Ted
>
> On Fri, Sep 2, 2022 at 9:13 AM Lennart Poettering wrote:
> >
> > On Fr, 02.09.22 09:04, Ted Toth (txt...@gmail.com) wrote:
> >
> > > I have set the type for the port in question using the 'semanage port'
> > > command so the loaded policy has a type which systemd should use when
> > > calling setsockcreatecon. It is my opinion that the
> > > socket_determine_selinux_label function should query policy for the
> > > port type and if it has been set use it, and if not fall back to its
> > > current behavior.
> >
> > Sure, patch very welcome.
> >
> > SELinux code really requires external contributions; none of the core
> > developers know SELinux well enough to feel confident to implement
> > that.
> >
> > (consider filing an RFE issue on github, so that this is tracked)
> >
> > Lennart
> >
> > --
> > Lennart Poettering, Berlin
Re: [systemd-devel] socket activation selinux context on create
I'm working on a patch and adding a function to selinux_util.c which calls libsemanage functions, but I don't know how to add this library to the link of the systemd (libsystemd-shared-.so) shared library as I'm not familiar with the build; how do I do this? Also a lot of the semanage functions on failure do not set errno, so how should I log these failures, i.e. which log_ function should I call?

Ted

On Fri, Sep 2, 2022 at 9:13 AM Lennart Poettering wrote:
>
> On Fr, 02.09.22 09:04, Ted Toth (txt...@gmail.com) wrote:
>
> > I have set the type for the port in question using the 'semanage port'
> > command so the loaded policy has a type which systemd should use when
> > calling setsockcreatecon. It is my opinion that the
> > socket_determine_selinux_label function should query policy for the
> > port type and if it has been set use it, and if not fall back to its
> > current behavior.
>
> Sure, patch very welcome.
>
> SELinux code really requires external contributions; none of the core
> developers know SELinux well enough to feel confident to implement
> that.
>
> (consider filing an RFE issue on github, so that this is tracked)
>
> Lennart
>
> --
> Lennart Poettering, Berlin
Re: [systemd-devel] socket activation selinux context on create
On Fr, 02.09.22 09:04, Ted Toth (txt...@gmail.com) wrote:

> I have set the type for the port in question using the 'semanage port'
> command so the loaded policy has a type which systemd should use when
> calling setsockcreatecon. It is my opinion that the
> socket_determine_selinux_label function should query policy for the
> port type and if it has been set use it, and if not fall back to its
> current behavior.

Sure, patch very welcome.

SELinux code really requires external contributions; none of the core developers know SELinux well enough to feel confident to implement that.

(consider filing an RFE issue on github, so that this is tracked)

Lennart

--
Lennart Poettering, Berlin
Re: [systemd-devel] socket activation selinux context on create
I have set the type for the port in question using the 'semanage port' command, so the loaded policy has a type which systemd should use when calling setsockcreatecon. It is my opinion that the socket_determine_selinux_label function should query policy for the port type and if it has been set use it, and if not fall back to its current behavior.

Ted

On Thu, Aug 25, 2022 at 4:19 AM Lennart Poettering wrote:
>
> On Mi, 24.08.22 11:50, Ted Toth (txt...@gmail.com) wrote:
>
> > I don't see a way to set the context of the socket that systemd
> > listens on. If there is a way to do this please tell me; otherwise I'd
> > like to see an option (SELinuxCreateContext?) added to be able to set
> > the context (setsockcreatecon) to be used by systemd when creating the
> > socket. Currently as an extra layer of security I add code called in
> > the socket activation ExecStartPre process to check that the source
> > context (peercon) can connect to the target context (getcon). If a
> > socket's context was set by systemd I would have to perform this
> > additional check as my SELinux policy would do it for me.
>
> This was proposed before, but SELinux maintainers really want that the
> loaded selinux policy picks the label, and not unit files.
>
> i.e. as I understand their philosophy: how labels are assigned should
> be encoded in the database and in the policy but not elsewhere,
> i.e. in unit files. I think that philosophy does make sense.
>
> Lennart
>
> --
> Lennart Poettering, Berlin
Re: [systemd-devel] socket activation selinux context on create
On Do, 25.08.22 14:46, Ted Toth (txt...@gmail.com) wrote:

> I've tested setting the type of the port using semanage port -a,
> however when I start the service netstat still shows the type as
> init_t. I don't know of any other way to get a type transition of a
> socket to happen, do you? I've also posted to the selinux list but
> haven't gotten any responses yet.

Uh, that's a question for the selinux people. I only have a limited insight into selinux, and wouldn't know how to do such things.

Lennart

--
Lennart Poettering, Berlin
Re: [systemd-devel] socket activation selinux context on create
I've tested setting the type of the port using semanage port -a; however, when I start the service netstat still shows the type as init_t. I don't know of any other way to get a type transition of a socket to happen, do you? I've also posted to the selinux list but haven't gotten any responses yet.

Ted

On Thu, Aug 25, 2022 at 4:19 AM Lennart Poettering wrote:
>
> On Mi, 24.08.22 11:50, Ted Toth (txt...@gmail.com) wrote:
>
> > I don't see a way to set the context of the socket that systemd
> > listens on. If there is a way to do this please tell me; otherwise I'd
> > like to see an option (SELinuxCreateContext?) added to be able to set
> > the context (setsockcreatecon) to be used by systemd when creating the
> > socket. Currently as an extra layer of security I add code called in
> > the socket activation ExecStartPre process to check that the source
> > context (peercon) can connect to the target context (getcon). If a
> > socket's context was set by systemd I would have to perform this
> > additional check as my SELinux policy would do it for me.
>
> This was proposed before, but SELinux maintainers really want that the
> loaded selinux policy picks the label, and not unit files.
>
> i.e. as I understand their philosophy: how labels are assigned should
> be encoded in the database and in the policy but not elsewhere,
> i.e. in unit files. I think that philosophy does make sense.
>
> Lennart
>
> --
> Lennart Poettering, Berlin
Re: [systemd-devel] socket activation selinux context on create
On Mi, 24.08.22 11:50, Ted Toth (txt...@gmail.com) wrote:

> I don't see a way to set the context of the socket that systemd
> listens on. If there is a way to do this please tell me; otherwise I'd
> like to see an option (SELinuxCreateContext?) added to be able to set
> the context (setsockcreatecon) to be used by systemd when creating the
> socket. Currently as an extra layer of security I add code called in
> the socket activation ExecStartPre process to check that the source
> context (peercon) can connect to the target context (getcon). If a
> socket's context was set by systemd I would have to perform this
> additional check as my SELinux policy would do it for me.

This was proposed before, but SELinux maintainers really want that the loaded selinux policy picks the label, and not unit files.

i.e. as I understand their philosophy: how labels are assigned should be encoded in the database and in the policy but not elsewhere, i.e. in unit files. I think that philosophy does make sense.

Lennart

--
Lennart Poettering, Berlin