Red Hat Bugzilla – Bug 430929
lspp modification to xinetd calling getfilecon with incorrect path
Last modified: 2008-01-31 10:20:15 EST
Description of problem:
getfilecon is being called with the basename of a path rather than the full path. This causes the new context computation to fail.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Use flags=LABELED and nonstandard path
    disable = no
    socket_type = stream
    wait = no
    user = nobody
    instances = UNLIMITED
    per_source = UNLIMITED
    server = /opt/foo/libexec/identd
    protocol = tcp
    flags = LABELED
Process launch fails with context errors
Process should be launched at label of connection and with computed type.
Created attachment 293455
Patch to use correct path in getfilecon
Use SC_SERVER(scp) instead of SC_SERVER_ARGV( scp )
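The failure described in this report, as an added example that is not part of the bug report or of xinetd's code: a path-taking call such as getfilecon resolves a bare basename relative to the current directory, so the lookup fails unless the process happens to be in the server's directory. Assumptions: stat() stands in for getfilecon() so the example builds without libselinux, and the struct, function names and temporary path are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical model of a service entry, not xinetd's own structure. */
struct svc {
    const char *server;        /* full path from "server = ..." */
    char *const *server_argv;  /* argv[0] holds only the basename */
};

/* Stand-in for getfilecon(): stat() resolves its path argument the same
 * way, so a relative name is looked up from the current directory.
 * Returns 0 on success or the errno value on failure. */
static int label_lookup(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? 0 : errno;
}

/* Constructed scenario: create <tmpdir>/identd, move the working directory
 * somewhere other than the server's directory, then look the server up by
 * argv[0] (the bug) or by the full server path (the fix). */
static int run_case(int use_full_path)
{
    char dir[64], full[96];
    char *argv0[] = { "identd", NULL };
    struct svc s = { full, argv0 };
    FILE *f;
    int rc;

    snprintf(dir, sizeof dir, "/tmp/lspp-demo-%ld", (long)getpid());
    snprintf(full, sizeof full, "%s/identd", dir);
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    if ((f = fopen(full, "w")) == NULL) { rmdir(dir); return -1; }
    fclose(f);
    if (chdir("/") != 0) return -1;

    rc = label_lookup(use_full_path ? s.server : s.server_argv[0]);
    unlink(full);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("argv[0] lookup:   %s\n", strerror(run_case(0)));
    printf("full path lookup: %s\n", strerror(run_case(1)));
    return 0;
}
```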
Steve, could you please help me with this one? The patch looks harmless, but I
am not able to test it without a day wasted by studying SELinux and IPsec
documentation and setting this up. The SELinux part of xinetd is your work, right?
Jan, this patch looks OK. It should, in theory, do the same thing.
Thanks Steve, now let's prove the theory in the real world.