Bug 430929
| Summary: | lspp modification to xinetd calling getfilecon with incorrect path | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Joe Nall <joe> | ||||
| Component: | xinetd | Assignee: | Jan Safranek <jsafrane> | ||||
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 8 | CC: | sgrubb | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | xinetd-2.3.14-18.fc9 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2008-01-31 15:20:15 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 293455 [details]
Patch to use correct path in getfilecon
Use SC_SERVER(scp) instead of SC_SERVER_ARGV( scp )[0]
Steve, could you please help me with this one? The patch looks harmless, but I am not able to test it without a day wasted by studying selinux and IPsec documentation and setting this up. The SELinux part of xinetd is your work, right? Jan, this patch looks OK. It should, in theory, do the same thing. Thanks Steve, now let's prove the theory in the real world. |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10 Description of problem: getfilecon is being called with the basename of a path rather than the full path. This causes the new context computation to fail. Version-Release number of selected component (if applicable): xinetd-2.3.14-14.fc8 How reproducible: Always Steps to Reproduce: Use flags=LABELED and nonstandard path service auth { disable = no socket_type = stream wait = no user = nobody instances = UNLIMITED per_source = UNLIMITED server = /opt/foo/libexec/identd protocol = tcp flags = LABELED } Actual Results: Process launch fails with context errors Expected Results: Process should be launched at label of connection and with computed type. Additional info: