[systemd-devel] [PATCH v2] socket: introduce SELinuxContextViaNet option

Lennart Poettering lennart at poettering.net
Wed Aug 20 15:59:11 PDT 2014


On Wed, 20.08.14 19:53, Michal Sekletar (msekleta at redhat.com) wrote:

> This makes possible to spawn service instances triggered by socket with
> MLS/MCS SELinux labels which are created based on information provided by
> connected peer.
> 
> Implementation of label_get_child_label derived from xinetd.

"ViaNet"? Still don't like the word "via", is it ever used like that
elsewhere? Isn't "From" OK too? as in "SELinuxContextFromNet=" or so?
>  
>                  if (p->type == SOCKET_SOCKET) {
> -
> +#ifdef HAVE_SELINUX
> +                        if (!know_label && s->selinux_context_via_net) {
> +                                r = getcon(&label);
> +                                if (r < 0)
> +                                        return r;
> +                                know_label = true;
> +                        }
> +#endif
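Review bot: `if (r < 0) return r;` after `r = getcon(&label);` propagates libselinux's raw -1 instead of a negative errno, so the caller cannot tell what went wrong; return `-errno` here (or have a helper in label.c do the translation and also return a recognisable code when SELinux support is compiled out, which would remove the `#ifdef HAVE_SELINUX` from socket.c). The visible lines also do not show where `label` is released; whoever ends up owning it needs to `freecon()` it.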

So far we managed to avoid #ifdefs for minor features in the main source
files. I'd really prefer if we could maybe move getcon() into label.c or
so, and return some error we can detect if selinux is turned off...

>                  s->n_connections ++;
>  
> +                if (s->selinux_context_via_net)
> +                        service->exec_context.selinux_context_via_net = true;
> +
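Review bot: the flag is only ever set, never cleared: `if (s->selinux_context_via_net) service->exec_context.selinux_context_via_net = true;` would leave a stale `true` behind if the exec_context were ever reused for a socket whose setting changed. An unconditional copy, `service->exec_context.selinux_context_via_net = s->selinux_context_via_net;`, is shorter and always mirrors the socket's current setting.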

Still don't like how this is passed through... (see other mail)

> +out:
> +        if (r && security_getenforce() == 1)
> +                r = -errno;
> +
> +        freecon(mycon);
> +        freecon(peercon);
> +        freecon(fcon);
> +        context_free(pcon);
> +        context_free(bcon);
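Review bot: `if (r && security_getenforce() == 1) r = -errno;` reads errno at the `out:` label, after whichever call failed, so anything run in between (including `security_getenforce()` itself) can clobber it; capture `r = -errno` at each failure site and jump to `out` with the final code already set. The permissive branch is also unclear: when `r` is non-zero and SELinux is not enforcing, `r` keeps its raw value (presumably -1 from libselinux) rather than being reset to 0, so the caller still sees a failure but without a usable errno. Either set `r = 0` there if labeling errors are meant to be ignored in permissive mode, or drop the enforce check and always return `-errno`. Note too that `security_getenforce()` returns -1 on error, which this test silently treats as permissive.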

Wow! freecon() and context_free() are both selinux APIs? Yuck!

Hmm, minor suggestion: maybe use the _cleanup_ stuff for freeing these
fields? Makes the code a bit simpler.

Lennart

-- 
Lennart Poettering, Red Hat

