From: Stephen Smalley <sds@tycho.nsa.gov>
To: Martin Christian <martin.christian@secunet.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: Sec context of unix domain sockets
Date: Wed, 13 Jul 2011 10:02:56 -0400
Message-ID: <1310565776.12491.29.camel@moss-pluto>
In-Reply-To: <4E1D99D7.1030504@secunet.com>

On Wed, 2011-07-13 at 15:12 +0200, Martin Christian wrote:
> 
> Hi Stephen,
> 
> you pointed me in the right direction: We have a startup log daemon
> which gets replaced by syslog at the end of the boot process. The AVC
> message occurs when /dev/log still belongs to the startup log daemon.
> Thanks for your hint!
> 
> What I was missing all the time during my investigation was a tool
> which displays the security labels of unix domain sockets. Is there
> nothing like this around? netstat doesn't seem to support SELinux labels
> (an option -Z), does it? Maybe I could reserve some time in our schedule
> to add such an option to netstat.

The Fedora netstat program has a -Z option, but the implementation
appears to read the context of the owning process
(via /proc/<pid>/attr/current), not necessarily the context of the
individual socket.  Not sure you can get to that information from any
process other than the owning one without reading kernel memory.

-- 
Stephen Smalley
National Security Agency

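An added example, not from this thread and not the Fedora netstat code: it does what a process-label lookup such as `netstat -Z` amounts to (map a bound unix socket's inode from /proc/net/unix to the pid holding it, then read /proc/<pid>/attr/current), and beside it shows the one route a client does have to a socket's own label without reading kernel memory: `SO_PEERSEC` on a connected stream socket, which asks the kernel for the label it associates with the peer socket. The sample /proc/net/unix table, its inodes and `/run/example.sock` are constructed; the function names and `demo.sock` are the example's own.

```python
"""Added example (not from the thread): process label the way netstat -Z
reports it, versus the peer socket's own label via SO_PEERSEC."""
import os
import socket
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of /proc/net/unix; inodes and paths are made up.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00000000 0002 01 12345 /dev/log
0000000000000000: 00000002 00000000 00010000 0001 01 12346 /run/example.sock
0000000000000000: 00000003 00000000 00000000 0001 03 12347
"""

SOCK_TYPE_NAMES = {1: "STREAM", 2: "DGRAM", 5: "SEQPACKET"}
# Linux value of SO_PEERSEC; the socket module may not export the constant.
SO_PEERSEC = getattr(socket, "SO_PEERSEC", 31)


@dataclass
class UnixSocket:
    inode: int
    sock_type: str
    path: Optional[str]   # None for unnamed sockets


def parse_proc_net_unix(text: str) -> List[UnixSocket]:
    """Parse the /proc/net/unix table (first line is the column header)."""
    result = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 7)
        if len(fields) < 7:
            continue
        sock_type = int(fields[4], 16)
        inode = int(fields[6])
        path = fields[7] if len(fields) == 8 else None
        result.append(UnixSocket(inode, SOCK_TYPE_NAMES.get(sock_type, hex(sock_type)), path))
    return result


def socket_owners(inodes: List[int]) -> Dict[int, List[int]]:
    """Pids holding an fd for each inode, found by reading /proc/<pid>/fd links.
    Other users' processes are only visible to root, as with netstat -p."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners: Dict[int, List[int]] = {i: [] for i in inodes}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
        except OSError:
            continue   # process exited or not readable by us
        for fd in fds:
            try:
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
            except OSError:
                continue
            if target in wanted:
                owners[wanted[target]].append(int(pid))
    return owners


def process_context(pid: int) -> Optional[str]:
    """Label of the process (what netstat -Z shows), not of any socket it owns."""
    try:
        with open(f"/proc/{pid}/attr/current", "rb") as f:
            return f.read().rstrip(b"\0\n").decode() or None
    except OSError:
        return None   # no LSM context available, or not permitted to read it


def peer_context(path: str) -> Optional[str]:
    """Connect to a stream unix socket and query SO_PEERSEC, the label the kernel
    attaches to the peer (listening) socket. None if the LSM provides none
    (ENOPROTOOPT) or the connect fails."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.connect(path)
            raw = s.getsockopt(socket.SOL_SOCKET, SO_PEERSEC, 256)
    except OSError:
        return None
    return raw.rstrip(b"\0").decode() or None


def demo_peer_context() -> Optional[str]:
    """Bind a listener in a temp dir and read its label from a client.
    Returns None on hosts without an LSM that supplies SO_PEERSEC."""
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "demo.sock")
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
                srv.bind(path)
                srv.listen(1)
                return peer_context(path)
    except OSError:
        return None


if __name__ == "__main__":
    try:
        table = open("/proc/net/unix").read()
    except OSError:
        table = SAMPLE_PROC_NET_UNIX   # constructed fallback for non-Linux hosts
    named = [s for s in parse_proc_net_unix(table) if s.path]
    owners = socket_owners([s.inode for s in named])
    for s in named:
        ctxs = {pid: process_context(pid) for pid in owners[s.inode]}
        print(f"{s.sock_type:<9} {s.path:<40} inode={s.inode} owner_ctx={ctxs}")
    print("peer label of a fresh listener:", demo_peer_context())
```

SO_PEERSEC only applies to connected stream and seqpacket sockets, so it does not help with /dev/log when the logger opens it as a datagram socket; for datagrams the receiving side can set SO_PASSSEC and read the sender's label from the SCM_SECURITY control message on each message instead. The /proc/<pid>/fd scan inherits netstat's limitation that another user's processes are only visible to root.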

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Thread overview: 6+ messages
2011-07-04 16:07 Sec context of unix domain sockets Martin Christian
2011-07-11 14:21 ` Stephen Smalley
2011-07-12 16:57   ` Martin Christian
2011-07-12 17:23     ` Stephen Smalley
2011-07-13 13:12       ` Martin Christian
2011-07-13 14:02         ` Stephen Smalley [this message]
