From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10

Description of problem:
getfilecon is being called with the basename of a path rather than the full path. This causes the new context computation to fail.

Version-Release number of selected component (if applicable):
xinetd-2.3.14-14.fc8

How reproducible:
Always

Steps to Reproduce:
Use flags=LABELED and nonstandard path

service auth
{
    disable = no
    socket_type = stream
    wait = no
    user = nobody
    instances = UNLIMITED
    per_source = UNLIMITED
    server = /opt/foo/libexec/identd
    protocol = tcp
    flags = LABELED
}

Actual Results:
Process launch fails with context errors

Expected Results:
Process should be launched at label of connection and with computed type.

Additional info:
Created attachment 293455
Patch to use correct path in getfilecon

Use SC_SERVER(scp) instead of SC_SERVER_ARGV( scp )[0]
Steve, could you please help me with this one? The patch looks harmless, but I am not able to test it without a day wasted by studying SELinux and IPsec documentation and setting this up. The SELinux part of xinetd is your work, right?
Jan, this patch looks OK. It should, in theory, do the same thing.
Thanks Steve, now let's prove the theory in the real world.
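The failure described in the report can be reproduced without xinetd. The following is an added example for Linux, not xinetd code and not the attached patch: it reads the `security.selinux` extended attribute with getxattr(), the call that libselinux's getfilecon() wraps, once by basename and once by full path. Assumptions: the temporary directory stands in for /opt/foo/libexec/identd, and the daemon's working directory is taken to be "/".

```c
/* Added example, not xinetd source: label lookup by basename vs. full path. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Return 0 if the label xattr could be read, otherwise the errno.
 * getxattr("security.selinux") stands in for getfilecon() here. */
static int label_lookup_errno(const char *path)
{
    char ctx[256];
    if (getxattr(path, "security.selinux", ctx, sizeof ctx) >= 0)
        return 0;
    return errno;
}

/* Create <tmpdir>/libexec/identd (constructed stand-in for the
 * nonstandard server path) and move to the assumed daemon cwd. */
static int make_server(char *full, size_t n)
{
    char dir[] = "/tmp/xinetd-label-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    snprintf(full, n, "%s/libexec", dir);
    if (mkdir(full, 0700) != 0)
        return -1;
    snprintf(full, n, "%s/libexec/identd", dir);
    int fd = open(full, O_CREAT | O_WRONLY, 0700);
    if (fd < 0)
        return -1;
    close(fd);
    return chdir("/");              /* assumption: daemon runs from "/" */
}

int main(void)
{
    char server[512];
    if (make_server(server, sizeof server) != 0) { perror("setup"); return 1; }
    const char *argv0 = strrchr(server, '/') + 1;   /* basename, as in the report */
    /* Basename resolves against cwd, so the file is never found. */
    printf("argv[0] %-8s -> %s\n", argv0, strerror(label_lookup_errno(argv0)));
    /* Full path reaches the file; any remaining error is about the label itself. */
    printf("server  %s -> %s\n", server, strerror(label_lookup_errno(server)));
    return 0;
}
```

On a host without SELinux labels the full-path lookup may still report that no attribute is present, but it no longer fails with ENOENT, which is the distinction the report turns on.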