[systemd-devel] socket activation SELinuxContextFromNet issue

Ted Toth txtoth at gmail.com
Tue Jun 8 15:16:14 UTC 2021


I'm working on a proxy to encrypt rsync network communications using
systemd socket activation (Accept=yes, SELinuxContextFromNet=true) so
that the proxy is run at the level of the connection (the system is
running selinux mls policy). rsync has the same systemd socket
activation configuration as I want it to also run at the level of the
connection. When the proxy is activated it connects to 873 (rsync) and
systemd logs an error:
Jun  7 18:19:25 comms systemd: Started fast remote file copy program daemon (127.0.0.1:53456).
Jun  7 18:19:25 comms systemd: Failed at step SELINUX_CONTEXT spawning /usr/bin/rsync: Protocol not available
Jun  7 18:19:25 comms systemd: rsyncd@16-127.0.0.1:873-127.0.0.1:53456.service: main process exited, code=exited, status=229/SELINUX_CONTEXT
Jun  7 18:19:25 comms systemd: Unit rsyncd@16-127.0.0.1:873-127.0.0.1:53456.service entered failed state.

Prior to connecting to 873 the proxy calls setsockcreatecon. I think
that the error is coming from a systemd getpeercon call. What I'm
confused about is why the socket would not have a context. Any ideas?

Another data point is that if I netcat directly to 873 systemd
starts rsync without any issues. Also if I proxy to another port (ex.
10000 instead of 873) and run a server on it getpeercon of the
connection from the proxy reports the expected context.

Ted
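The check a reader debugging this would want, as an added example that is not code from Ted's post or from systemd: with SELinuxContextFromNet= systemd calls getpeercon() on the accepted connection, which libselinux implements as getsockopt(SOL_SOCKET, SO_PEERSEC), and "Protocol not available" is strerror(ENOPROTOOPT), the kernel's answer when no peer label exists for that connection. The helper below classifies that result for any connected fd (the fallback SO_PEERSEC value and the socketpair baseline are assumptions of this example).

```c
/* Added diagnostic, not code from the original post or from systemd.
 * SELinuxContextFromNet= makes systemd call getpeercon() on the accepted
 * connection; libselinux implements that as getsockopt(SOL_SOCKET,
 * SO_PEERSEC). "Protocol not available" is strerror(ENOPROTOOPT), the
 * kernel's answer when the connection carries no peer label at all,
 * a different failure from a wrong or denied label. */
#include <errno.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_PEERSEC
#define SO_PEERSEC 31 /* Linux asm-generic value; assumed if headers lack it */
#endif

enum peer_label { PEER_LABELLED, PEER_UNLABELLED, PEER_ERROR };

/* Classify what the kernel reports for the peer of a connected stream
 * socket. On PEER_LABELLED the label is copied into buf, NUL-terminated.
 * Point this at the fd systemd would hand to rsync (the accepted TCP
 * connection) to see whether the kernel has any peer label for it. */
enum peer_label peer_label_status(int fd, char *buf, size_t len)
{
    socklen_t optlen = (socklen_t)len;
    if (len == 0)
        return PEER_ERROR;
    buf[0] = '\0';
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, &optlen) == 0) {
        if ((size_t)optlen >= len)
            optlen = (socklen_t)(len - 1);
        buf[optlen] = '\0';
        return PEER_LABELLED;
    }
    /* ENOPROTOOPT is exactly the "Protocol not available" systemd logged. */
    return errno == ENOPROTOOPT ? PEER_UNLABELLED : PEER_ERROR;
}

/* Baseline: an AF_UNIX socketpair carries a peer label on an SELinux
 * kernel, so compare its result with the accepted TCP socket's. */
enum peer_label check_socketpair(char *buf, size_t len)
{
    int sv[2];
    enum peer_label st;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return PEER_ERROR;
    st = peer_label_status(sv[0], buf, len);
    close(sv[0]);
    close(sv[1]);
    return st;
}
```

Run peer_label_status() on the fd of a connection accepted on 873 and on one accepted on the 10000 test port: PEER_UNLABELLED on the first and PEER_LABELLED on the second would confirm that the kernel, not systemd's policy check, is the source of the failure.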

