[refpolicy] Socket labeling support for syslogd_t and setrans_t
HarryCiao
harrytaurus2002 at hotmail.com
Mon Mar 21 01:48:17 CDT 2011
Hi Chris,
Now that the patches for socket-labeling support have been merged into Linus' kernel tree, I think it's time to submit the attached patches to have the sockets created by the syslogd_t and setrans_t domains have a separate type from the creator, so that we won't have to add the syslogd_t or setrans_t domains to the mlstrustedobject attribute in order to have domains at mls_systemlow communicate with their sockets at mls_systemhigh.
Please find them in the attachments. Below are some simple tests I've done.
Looking forward to your comments, thanks a lot!
Best regards,
Harry
------------------------
[root/sysadm_r/s0 at setrans]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 25
Policy from config file: refpolicy-mls
[root/sysadm_r/s0 at setrans]# run_init /etc/init.d/mcstrans start
Authenticating root.
Password:
Starting mcstransd: [ OK ]
[root/sysadm_r/SystemLow at setrans]# syshigh "ps Z -C mcstransd"
Password:
LABEL PID TTY STAT TIME COMMAND
system_u:system_r:setrans_t:SystemHigh 828 ? Ss 0:00 mcstransd
[root/sysadm_r/SystemLow at setrans]# compute_create system_u:system_r:setrans_t:SystemHigh system_u:system_r:setrans_t:SystemHigh unix_stream_socket
system_u:system_r:setrans_s_t:SystemHigh
[root/sysadm_r/SystemLow at setrans]# compute_create system_u:system_r:setrans_t:SystemHigh system_u:system_r:setrans_t:SystemHigh unix_dgram_socket
system_u:system_r:setrans_t:SystemHigh
[root/sysadm_r/SystemLow at setrans]#
[root/sysadm_r/SystemLow at setrans]# syshigh "ps Z -C syslogd"
Password:
LABEL PID TTY STAT TIME COMMAND
system_u:system_r:syslogd_t:SystemHigh 395 ? Ss 0:00 syslogd -m 0
[root/sysadm_r/SystemLow at setrans]# compute_create system_u:system_r:syslogd_t:SystemHigh system_u:system_r:syslogd_t:SystemHigh unix_dgram_socket
system_u:system_r:syslogd_s_t:SystemHigh
[root/sysadm_r/SystemLow at setrans]# compute_create system_u:system_r:syslogd_t:SystemHigh system_u:system_r:syslogd_t:SystemHigh unix_stream_socket
system_u:system_r:syslogd_t:SystemHigh
[root/sysadm_r/SystemLow at setrans]#
[root/sysadm_r/SystemLow at setrans]# run_init /etc/init.d/mcstrans stop
Authenticating root.
Password:
Stopping mcstransd: [ OK ]
[root/sysadm_r/s0 at setrans]# audhigh "ausearch -ts recent -sv no"
Password:
<no matches>
[root/sysadm_r/s0 at setrans]#
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Specify-a-separate-socket-type-for-syslogd_t.patch
Type: text/x-patch
Size: 3666 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110321/ff42105c/attachment-0003.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Allow-setrans_t-to-read-from-proc-filesystems.patch
Type: text/x-patch
Size: 1638 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110321/ff42105c/attachment-0004.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Specify-a-separate-socket-type-for-setrans_t.patch
Type: text/x-patch
Size: 3021 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110321/ff42105c/attachment-0005.bin
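The compute_create runs above show the effect the patches aim for: with no type_transition rule, a socket created by a domain simply inherits the creator's type (syslogd_t, setrans_t), and with a rule for the socket class it gets a distinct type (syslogd_s_t, setrans_s_t). The following is an added example, not part of this mail or of the attached patches: a small Python model of that kernel decision that parses type_transition rules for socket classes and reproduces the compute_create outputs shown above. The policy fragment inside it is constructed for illustration and is assumed to resemble, not copy, what the patches add.

```python
import re

# Constructed policy fragment in SELinux kernel-policy syntax. These rules are an
# assumption modelled on the behaviour the compute_create output in the mail
# shows; they are not copied from the attached patches.
SAMPLE_POLICY = """
type_transition syslogd_t syslogd_t : unix_dgram_socket syslogd_s_t;
type_transition setrans_t setrans_t : { unix_stream_socket } setrans_s_t;
"""

# Socket classes for which, when no type_transition rule matches, the new
# object's type defaults to the creating process's own type.
SOCKET_CLASSES = {"unix_stream_socket", "unix_dgram_socket",
                  "tcp_socket", "udp_socket"}

# type_transition <source> <target> : <class or { classes }> <new type> ;
RULE_RE = re.compile(
    r"type_transition\s+([^\s:]+)\s+([^\s:]+)\s*:\s*(\{[^}]*\}|[^\s;]+)\s+([^\s;]+)\s*;"
)


def parse_type_transitions(policy_text):
    """Map (source_type, target_type, class) -> new_type for every rule found."""
    rules = {}
    for src, tgt, classes, new in RULE_RE.findall(policy_text):
        names = classes.strip("{} ").split() if classes.startswith("{") else [classes]
        for cls in names:
            rules[(src, tgt, cls)] = new
    return rules


def _split_context(ctx):
    """Split user:role:type[:level]; the level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed security context: %s" % ctx)
    level = parts[3] if len(parts) == 4 else None
    return parts[0], parts[1], parts[2], level


def compute_create(rules, scontext, tcontext, tclass):
    """Model of compute_create for socket classes.

    For socket creation the kernel asks for a transition with the creating
    task as both source and target (which is why the mail's compute_create
    calls pass the same context twice). User, role and MLS level are taken
    from the creator; only the type can change, and only via a matching rule.
    """
    if tclass not in SOCKET_CLASSES:
        raise ValueError("this model only covers socket classes, got %s" % tclass)
    s_user, s_role, s_type, s_level = _split_context(scontext)
    _, _, t_type, _ = _split_context(tcontext)
    new_type = rules.get((s_type, t_type, tclass), s_type)
    parts = [s_user, s_role, new_type]
    if s_level is not None:
        parts.append(s_level)
    return ":".join(parts)


if __name__ == "__main__":
    rules = parse_type_transitions(SAMPLE_POLICY)
    creator = "system_u:system_r:syslogd_t:SystemHigh"
    for cls in ("unix_dgram_socket", "unix_stream_socket"):
        print(cls, "->", compute_create(rules, creator, creator, cls))
```

Running it prints syslogd_s_t for unix_dgram_socket and syslogd_t for unix_stream_socket, matching the compute_create lines in the test session. The point the model makes visible is that without the rule the socket shares the creator's type, so granting a SystemLow domain access to the SystemHigh socket would have to go through the domain type itself; with a separate socket type the access decision applies to the socket alone.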