Bug 977873 - Use full path to server when checking selinux context
Summary: Use full path to server when checking selinux context
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: xinetd
Version: 19
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Jan Synacek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-06-25 13:49 UTC by Jan Synacek
Modified: 2013-07-05 02:06 UTC (History)
2 users (show)

Fixed In Version: xinetd-2.3.15-6.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-05 02:06:56 UTC


Attachments (Terms of Use)
Patch (404 bytes, patch)
2013-06-25 13:51 UTC, Jan Synacek
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 976413 None None None Never

Internal Links: 976413

Description Jan Synacek 2013-06-25 13:49:57 UTC
Description of problem:
When the server binary is checked for its selinux context, its path is not full, and if the binary is located in a nonstandard location, getfilecon() returns -1 and xinetd reports that changing process context failed.

In set_context_from_socket():
   exepath = SC_SERVER_ARGV( scp )[0];
   if (getfilecon(exepath, &exec_context) < 0)
     goto fail;


Version-Release number of selected component (if applicable):
xinetd-2.3.15-5


How reproducible:
always


Steps to Reproduce:
1. Have a testing server

2. Configure a xinetd service
service test_labeled_ipv4
{
        id              = test_labeled_ipv4
        type            = UNLISTED
        flags           = REUSE IPv4 LABELED
        wait            = no
        user            = root
        disable         = no
        instances       = 1
        socket_type     = stream
        protocol        = tcp
        port            = 4001
        server          = /usr/local/non-standard/path/test_labeled_ipv4
}

3. Connect to the server

4. Observe an error


Actual results:
13/6/25@15:44:01: ERROR: 8373 {exec_server} Changing process context failed for test_labeled_ipv4


Expected results:
Connection succeeds if all the selinux stuff is right.

Comment 1 Jan Synacek 2013-06-25 13:51:52 UTC
Created attachment 765095 [details]
Patch

Comment 2 Fedora Update System 2013-06-26 08:07:14 UTC
xinetd-2.3.15-6.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/xinetd-2.3.15-6.fc19

Comment 4 Fedora Update System 2013-06-26 17:08:00 UTC
Package xinetd-2.3.15-6.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xinetd-2.3.15-6.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11714/xinetd-2.3.15-6.fc19
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2013-07-05 02:06:56 UTC
xinetd-2.3.15-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.