[systemd-devel] socket activation SELinuxContextFromNet issue

Ted Toth txtoth at gmail.com
Wed Jun 9 20:22:08 UTC 2021


Unfortunately I was using 0.0.0.0 to connect to rsync in the proxy, and
the netlabel.rules entry for that IP is unlabeled. When I changed the
IP to 127.0.0.1, systemd no longer reported this error.

Ted

On Tue, Jun 8, 2021 at 10:16 AM Ted Toth <txtoth at gmail.com> wrote:
>
> I'm working on a proxy to encrypt rsync network communications using
> systemd socket activation (Accept=yes, SELinuxContextFromNet=true) so
> that the proxy is run at the level of the connection (the system is
> running selinux mls policy). rsync has the same systemd socket
> activation configuration as I want it to also run at the level of the
> connection. When the proxy is activated it connects to 873 (rsync) and
> systemd logs an error:
> Jun  7 18:19:25 comms systemd: Started fast remote file copy program
> daemon (127.0.0.1:53456).
> Jun  7 18:19:25 comms systemd: Failed at step SELINUX_CONTEXT spawning
> /usr/bin/rsync: Protocol not available
> Jun  7 18:19:25 comms systemd:
> rsyncd at 16-127.0.0.1:873-127.0.0.1:53456.service: main process exited,
> code=exited, status=229/SELINUX_CONTEXT
> Jun  7 18:19:25 comms systemd: Unit
> rsyncd at 16-127.0.0.1:873-127.0.0.1:53456.service entered failed state.
>
> Prior to connecting to 873 the proxy calls setsockcreatecon. I think
> that the error is coming from a systemd getpeercon call. What I'm
> confused about is why the socket would not have a context. Any ideas?
>
> Another data point is that if I netcat directly to 873 systemd
> starts rsync without any issues. Also if I proxy to another port (ex.
> 10000 instead of 873) and run a server on it getpeercon of the
> connection from the proxy reports the expected context.
>
> Ted
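As an added illustration of the check discussed in this thread (not Ted's proxy code or anything from systemd), the script below does what systemd does for an Accept=yes socket with SELinuxContextFromNet=true: it accepts a loopback connection and asks the kernel for the connecting peer's context through SO_PEERSEC, the getsockopt that getpeercon() wraps. The ENOPROTOOPT branch is the "Protocol not available" failure quoted above; the fallback value 31 for SO_PEERSEC and the two probe addresses are assumptions.

```python
import errno
import socket

# SO_PEERSEC is the getsockopt option behind libselinux's getpeercon();
# 31 is Linux's asm-generic value, used if the socket module lacks the name.
SO_PEERSEC = getattr(socket, "SO_PEERSEC", 31)


def peer_context(sock):
    """Return the peer's security context of a connected socket, or None.

    None is the case from the thread: the kernel answers ENOPROTOOPT
    ("Protocol not available") when the peer carries no label, which is
    what systemd hits under SELinuxContextFromNet=true.
    """
    try:
        raw = sock.getsockopt(socket.SOL_SOCKET, SO_PEERSEC, 256)
    except OSError as exc:
        if exc.errno == errno.ENOPROTOOPT:
            return None
        raise
    return raw.rstrip(b"\x00").decode("utf-8", "replace")


def probe_tcp(connect_addr="127.0.0.1", timeout=2.0):
    """Accept one connection aimed at connect_addr and inspect its peer,
    as systemd does for an Accept=yes socket before spawning the service."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.settimeout(timeout)
    server.bind(("127.0.0.1", 0))  # ephemeral loopback port (assumed free)
    server.listen(1)
    port = server.getsockname()[1]
    client = socket.create_connection((connect_addr, port), timeout=timeout)
    conn, _ = server.accept()
    try:
        label = peer_context(conn)
    finally:
        conn.close()
        client.close()
        server.close()
    status = "labeled" if label else "unlabeled"  # "" or None -> unlabeled
    return {"target": f"{connect_addr}:{port}", "peer_context": label,
            "status": status}

if __name__ == "__main__":
    for addr in ("127.0.0.1", "0.0.0.0"):  # the two targets Ted compared
        try:
            print(probe_tcp(addr))
        except OSError as exc:
            print(addr, "connect failed:", exc)
```

On an SELinux MLS host the "unlabeled" result for a target is the condition under which systemd's SELINUX_CONTEXT step fails, so comparing targets this way narrows the problem to the netlabel rules rather than the unit file.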
