[systemd-devel] SELinux labels on unix sockets

Jan Synacek jsynacek at redhat.com
Tue Mar 10 01:55:15 PDT 2015 

Lennart Poettering <lennart at poettering.net> writes:

> On Fri, 06.03.15 13:04, Jan Synáček (jsynacek at redhat.com) wrote:
>
>> Hello,
>> 
>> when systemd creates a socket file, it explicitly calls a selinux
>> procedure to label it. I don't think that is needed, as the kernel does
>> the right thing when the socket is created. Am I missing something? Why
>> is the explicit labeling in place?
>
> Well, it's complicated.
>
> If we use socket activation we label a socket taking into account the
> label of the binary that is eventually started for it.
>
> And then, for file system sockets the kernel could traditionally only
> derive the label to use from the directory the socket was created in,
> which makes it difficult to have multiple sockets in the same
> directory with different labels, which is pretty frequently done
> though. That said, I think this limitation was lifted a while back in
> the kernel, and the policy can now also take the socket file name into
> consideration and derive different labels automatically.
>
> Ultimately, I only superficially understand the selinux code. We rely
> on patches from Dan & co to keep it up-to-date. Better keep him in the
> loop.

If there is a way to specify the automatic labeling of the socket files
according to their names, and not the directory that they reside in, in
the policy, then the code that does the explicit labeling isn't
necessary. If not, the code would label the sockets incorrectly, which
is what actually happens now. Plus the fact that systemd doesn't
correctly re-require the libselinux handle (meaning that policy
updates/reloads are not recognized) on policy changes makes the logic
not work.

I've tried to write a small piece of code that would execute whenever a
policy is modified, but failed to do so. Calling
selinux_set_callback(SELINUX_CB_POLICYLOAD, cb) doesn't do anything.

So, I think that the code that explictly labels the socket files should
be removed.

It would be nice to hear from Dan, though.

Cheers,
-- 
Jan Synacek
Software Engineer, Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150310/0c679a32/attachment.sig>

More information about the systemd-devel mailing list