From: Ondrej Mosnacek <omosnace@redhat.com>
To: Ted Toth <txtoth@gmail.com>
Cc: Paul Moore <paul@paul-moore.com>,
	Dominick Grift <dominick.grift@defensec.nl>,
	SELinux <selinux@vger.kernel.org>
Subject: Re: context of socket passed between processes
Date: Thu, 8 Sep 2022 16:28:07 +0200
Message-ID: <CAFqZXNus2pSv4=oxm-Mj+vz0D2TDNqiG6tf_--CSo5OcExK74Q@mail.gmail.com>
In-Reply-To: <CAFPpqQEoAcmpQALgD9S5ZYnd2KVSPOtsBaC67t3VLv9uS3KRbw@mail.gmail.com>

On Thu, Sep 8, 2022 at 4:15 PM Ted Toth <txtoth@gmail.com> wrote:
>
> On Thu, Sep 8, 2022 at 8:43 AM Ted Toth <txtoth@gmail.com> wrote:
> >
> > On Wed, Sep 7, 2022 at 5:48 PM Paul Moore <paul@paul-moore.com> wrote:
> > >
> > > On Wed, Sep 7, 2022 at 4:56 PM Dominick Grift
> > > <dominick.grift@defensec.nl> wrote:
> > > > Ted Toth <txtoth@gmail.com> writes:
> > > > > systemd uses a helper process (sd-listen) to create sockets and pass
> > > > > their fds back to its parent. I've patched systemd to call semanage to
> > > > > get the context for the port if it exists and create a context using
> > > > > the returned type when calling setsockcreatecon. Everything looks
> > > > > right i.e. the port type is retrieved, the context is created and
> > > > > setsockcreatecon is called without errors. However, 'netstat -Z' shows
> > > > > the listening sockets' type as init_t and not the type in the
> > > > > setsockcreatecon call. Is this the expected behavior? Can anyone help
> > > > > me understand why this is happening?
> > > >
> > > > It is probably the context of the process listening on the port and not
> > > > the context of the socket that binds to the port.
> > >
> > > That's a good point, I would have thought it would have looked at the
> > > socket itself but perhaps it is the calling process' label.  Actually,
> > > it might be the fd's label associated with the socket; that would
> > > explain it.  Someone would need to look at the netstat sources to
> > > confirm.
> >
> > Is there an API to query the context of a socket fd?
>
> I wrote a client which connects and calls getpeercon and indeed the
> context is what was set via setsockcreatecon so that's reassuring.
> Unfortunately it seems that netstat, ss and lsof don't have a way to
> query the context of the listening socket :( I'd like to see a
> getsockcon function (taking an fd as its argument) added to libselinux
> if it can be written.

There is a way to see a socket's context, though it's a bit obscure:

ls -ZL /proc/<PID>/fd/<FD>

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
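An added example, not from the thread: the getsockcon(fd) Ted asks for, written as fgetxattr(2) on the descriptor (it reads the same "security.selinux" attribute that `ls -ZL` fetches through the /proc symlink), plus the /proc path form from the reply above for sockets owned by another process. Function names are my own; on a kernel without SELinux the reads return -1 with ENODATA or ENOTSUP.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Normalise a getxattr result: length > 0 on success, -1 with errno otherwise.
 * ENODATA/ENOTSUP means the kernel attached no SELinux label (SELinux off). */
static ssize_t as_context(ssize_t n, char *buf)
{
    if (n < 0)
        return -1;
    buf[n] = '\0';              /* SELinux may or may not count the NUL */
    return (ssize_t)strlen(buf);
}

/* getsockcon(fd) as asked for in the thread (name is an assumption):
 * fgetxattr(2) on the descriptor reads the same "security.selinux"
 * attribute as `ls -ZL /proc/<PID>/fd/<FD>`, i.e. the socket's own label
 * set from the sockcreate context, not the process label. */
ssize_t socket_context(int fd, char *buf, size_t len)
{
    return as_context(fgetxattr(fd, "security.selinux", buf, len - 1), buf);
}

/* The form from the reply, for another process's socket: getxattr(2) by
 * path follows the /proc/<pid>/fd/<fd> symlink to the socket inode. */
ssize_t socket_context_via_proc(pid_t pid, int fd, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/fd/%d", (long)pid, fd);
    return as_context(getxattr(path, "security.selinux", buf, len - 1), buf);
}

int main(void)
{
    char ctx[256];
    int fd = socket(AF_INET, SOCK_STREAM, 0);   /* bound or not, same label */
    if (fd >= 0 && socket_context(fd, ctx, sizeof ctx) > 0)
        printf("socket fd %d is labelled %s\n", fd, ctx);
    else
        printf("no SELinux label readable: %s\n", strerror(errno));
    return 0;
}
```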

