netdev.vger.kernel.org archive mirror
* Could I export the udp socket security contexts to /proc/net/udp
@ 2011-07-28  5:38 Rongqing Li
  2011-08-03  8:07 ` Rongqing Li
  0 siblings, 1 reply; 3+ messages in thread
From: Rongqing Li @ 2011-07-28  5:38 UTC (permalink / raw)
  To: netdev

Hi Linux-netdev folks:

Could I export the socket security contexts to the udp, tcp, raw,
and unix files under /proc/net/?


If not, could you tell me where and how I should export this
information?


The element sk_security of struct sock represents the socket
security context ID, which is inherited from the process that
creates this socket most of the time.


But when an SELinux type_transition rule is applied to the socket, or
the application sets /proc/xxx/attr/createsock, the socket security
context would be different from that of the creating process. In this
condition, "netstat -Z" will return the wrong value, since
"netstat -Z" only returns the process security context as socket
process security.


I want to fix "netstat -Z", but first the kernel must export this
information, like /proc/xxx/attr/current is the process security
context. So I have this requirement.


Expect your instruction.

Thanks.

-- 
Best Regards,
Roy | RongQing Li
-------------------------------------------------------------
WIND RIVER Beijing | China Development Center
Phone: +86-10-6483-5025, Cell: +86-135-2202-9864, Fax: +86-10-6479-0367
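
Added example, not part of the original message or of any kernel or net-tools code: a process can read the label SELinux stored on one of its own sockets with fgetxattr(fd, "security.selinux") and compare it with /proc/self/attr/current, the two values the message says can diverge. It assumes an SELinux-enabled Linux host; the helper names process_label, socket_label and label_mismatch are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Process label from /proc/self/attr/current; -1 if none is available. */
static ssize_t process_label(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/attr/current", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0';   /* drop a trailing newline if present */
    return *buf ? (ssize_t)strlen(buf) : -1;
}

/* Label SELinux stored on the socket's inode; -1 if it cannot be read. */
static ssize_t socket_label(int fd, char *buf, size_t len)
{
    ssize_t n = fgetxattr(fd, "security.selinux", buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return (ssize_t)strlen(buf);
}

/* 0 = same label, 1 = labels differ, -1 = a label is missing. */
static int label_mismatch(const char *proc, const char *sock)
{
    if (!proc || !sock || !*proc || !*sock)
        return -1;
    return strcmp(proc, sock) != 0;
}

int main(void)
{
    char p[256], s[256];
    int fd = socket(AF_INET, SOCK_DGRAM, 0);   /* a UDP socket, as in the thread */
    int have_p = process_label(p, sizeof p) >= 0;
    int have_s = fd >= 0 && socket_label(fd, s, sizeof s) >= 0;
    int r = label_mismatch(have_p ? p : NULL, have_s ? s : NULL);
    printf("process: %s\nsocket:  %s\n", have_p ? p : "(none)", have_s ? s : "(none)");
    puts(r < 0 ? "label unavailable" : r ? "labels differ" : "labels match");
    if (fd >= 0) close(fd);
    return 0;
}
```

This only covers sockets the calling process holds open; it does not give a tool like netstat the labels of other processes' sockets, which is the export the message asks for.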


* Re: Could I export the udp socket security contexts to /proc/net/udp
  2011-07-28  5:38 Could I export the udp socket security contexts to /proc/net/udp Rongqing Li
@ 2011-08-03  8:07 ` Rongqing Li
  2011-08-03  8:11   ` David Miller
  0 siblings, 1 reply; 3+ messages in thread
From: Rongqing Li @ 2011-08-03  8:07 UTC (permalink / raw)
  To: David Miller; +Cc: netdev

Hi David:

Could you give some comments on my thoughts?

Thanks very much

Br


On 07/28/2011 01:38 PM, Rongqing Li wrote:
> Hi Linux-netdev folks:
>
> Could I export the socket security contexts to the udp, tcp, raw,
> and unix files under /proc/net/?
>
>
> If not, could you tell me where and how I should export this
> information?
>
>
> The element sk_security of struct sock represents the socket
> security context ID, which is inherited from the process that
> creates this socket most of the time.
>
>
> But when an SELinux type_transition rule is applied to the socket, or
> the application sets /proc/xxx/attr/createsock, the socket security
> context would be different from that of the creating process. In this
> condition, "netstat -Z" will return the wrong value, since
> "netstat -Z" only returns the process security context as socket
> process security.
>
>
> I want to fix "netstat -Z", but first the kernel must export this
> information, like /proc/xxx/attr/current is the process security
> context. So I have this requirement.
>
>
> Expect your instruction.
>
> Thanks.
>

-- 
Best Regards,
Roy | RongQing Li
-------------------------------------------------------------
WIND RIVER Beijing | China Development Center
Phone: +86-10-6483-5025, Cell: +86-135-2202-9864, Fax: +86-10-6479-0367


* Re: Could I export the udp socket security contexts to /proc/net/udp
  2011-08-03  8:07 ` Rongqing Li
@ 2011-08-03  8:11   ` David Miller
  0 siblings, 0 replies; 3+ messages in thread
From: David Miller @ 2011-08-03  8:11 UTC (permalink / raw)
  To: rongqing.li; +Cc: netdev

From: Rongqing Li <rongqing.li@windriver.com>
Date: Wed, 3 Aug 2011 16:07:46 +0800

> Hi David:
> 
> Could you give some comments on my thoughts?

Singling me out directly is not helpful, I'm overloaded as it is
and am unlikely to reply to your query.

I didn't ask you to post here in order to just duplicate the same
problem that emailing me privately creates.

I asked you to post here so that any developer, not just me, could
reply.
