[systemd-devel] socket activation selinux context on create
Ted Toth
txtoth at gmail.com
Wed Sep 7 18:28:21 UTC 2022
I'm testing a runner of a patch, but what I'm seeing is
setsockcreatecon called (in a sd-listen process) with the context I've
set using 'semanage port -t', but then when I look at the listening
socket context (netstat -Z) it is still init_t and not the type set by
setsockcreatecon. I'm not clear about how systemd uses a child process
(sd-listen) to create a listening socket and whether the socket
context persists across the processes; can someone explain this to me?
Ted
On Tue, Sep 6, 2022 at 4:51 PM Ted Toth <txtoth at gmail.com> wrote:
>
> I think I figured out how to add libsemanage to the link; when you see
> the patch you can tell me if I did it right.
>
> On Tue, Sep 6, 2022 at 11:46 AM Ted Toth <txtoth at gmail.com> wrote:
> >
> > I'm working on a patch and adding a function to selinux_util.c which
> > calls libsemanage functions, but I don't know how to add this library
> > to the link of the systemd (libsystemd-shared-<version>.so) shared
> > library as I'm not familiar with the build. How do I do this?
> > Also, a lot of the semanage functions on failure do not set errno, so
> > how should I log these failures, i.e. which log_ function should I
> > call?
> >
> > Ted
> >
> > On Fri, Sep 2, 2022 at 9:13 AM Lennart Poettering
> > <lennart at poettering.net> wrote:
> > >
> > > On Fr, 02.09.22 09:04, Ted Toth (txtoth at gmail.com) wrote:
> > >
> > > > I have set the type for the port in question using the 'semanage port'
> > > > command so the loaded policy has a type which systemd should use when
> > > > calling setsockcreatecon. It is my opinion that
> > > > socket_determine_selinux_label function should query policy for the
> > > > port type and if it has been set use it and if not fallback to its
> > > > current behavior.
> > >
> > > Sure, patch very welcome.
> > >
> > > SELinux code really requires external contributions, none of the core
> > > developers know SELinux well enough to feel confident to implement
> > > that.
> > >
> > > (consider filing an RFE issue on github, so that this is tracked)
> > >
> > > Lennart
> > >
> > > --
> > > Lennart Poettering, Berlin
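The lookup-then-fallback decision proposed in this thread, as an added example (not systemd's code and not Ted's patch): the policy port table is a constructed sample standing in for what libsemanage's semanage_port_list() would return, the fallback context is assumed to be the one systemd computes today, and the result is the string that would be handed to setsockcreatecon(3) before socket(2).

```c
#include <stdio.h>
#include <string.h>
enum { PROTO_TCP = 6, PROTO_UDP = 17 };
/* One policy port definition, as listed by `semanage port -l`. */
struct port_def { int proto; int low, high; const char *type; };
/* Constructed sample of port definitions; a real implementation would fill
 * this from libsemanage (semanage_port_list()) instead of hard-coding it. */
static const struct port_def SAMPLE_POLICY[] = {
    { PROTO_TCP,   22,   22, "ssh_port_t" },
    { PROTO_TCP,   80,   80, "http_port_t" },
    { PROTO_TCP, 5000, 5100, "my_app_port_t" }, /* e.g. semanage port -a -t my_app_port_t -p tcp 5000-5100 */
    { PROTO_UDP,   53,   53, "dns_port_t" },
};
#define SAMPLE_POLICY_LEN (sizeof SAMPLE_POLICY / sizeof SAMPLE_POLICY[0])
/* Return the policy-defined type for (proto, port), or NULL if none matches. */
const char *policy_port_type(const struct port_def *defs, size_t n, int proto, int port) {
    for (size_t i = 0; i < n; i++)
        if (defs[i].proto == proto && port >= defs[i].low && port <= defs[i].high)
            return defs[i].type;
    return NULL;
}
/* Build the context to hand to setsockcreatecon(): keep the fallback context
 * (what systemd computes today) but swap its type field for the policy port
 * type when one exists. Returns 1 if the type came from policy, 0 if the
 * fallback was kept unchanged, -1 on a malformed context or short buffer. */
int determine_socket_label(const char *fallback, int proto, int port, char *out, size_t outlen) {
    const char *type = policy_port_type(SAMPLE_POLICY, SAMPLE_POLICY_LEN, proto, port);
    if (!type)
        return snprintf(out, outlen, "%s", fallback) < (int) outlen ? 0 : -1;
    /* A context is user:role:type[:range]; p2 marks the end of the role field. */
    const char *p1 = strchr(fallback, ':');
    const char *p2 = p1 ? strchr(p1 + 1, ':') : NULL;
    if (!p2) return -1;
    const char *p3 = strchr(p2 + 1, ':');  /* start of the optional MLS range */
    int n = snprintf(out, outlen, "%.*s:%s%s", (int) (p2 - fallback), fallback, type, p3 ? p3 : "");
    return (n < 0 || n >= (int) outlen) ? -1 : 1;
}
/* Convenience check: does the computed label equal the expected string? */
int label_equals(const char *fallback, int proto, int port, const char *expected) {
    char ctx[128];
    return determine_socket_label(fallback, proto, port, ctx, sizeof ctx) >= 0 && strcmp(ctx, expected) == 0;
}
int main(void) {
    char ctx[128];
    int r = determine_socket_label("system_u:object_r:init_t:s0", PROTO_TCP, 5050, ctx, sizeof ctx);
    printf("%d %s\n", r, ctx); /* 1 system_u:object_r:my_app_port_t:s0 */
    return 0;
}
```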