On Wed, 20.08.14 19:53, Michal Sekletar (msekl...@redhat.com) wrote:

> This makes possible to spawn service instances triggered by socket with
> MLS/MCS SELinux labels which are created based on information provided by
> connected peer.
>
> Implementation of label_get_child_label derived from xinetd.

"ViaNet"? Still don't like the word "via", is it ever used like that elsewhere? Isn't "From" OK too? as in "SELinuxContextFromNet=" or so?

> > if (p->type == SOCKET_SOCKET) { > - > +#ifdef HAVE_SELINUX > + if (!know_label && s->selinux_context_via_net) { > + r = getcon(&label); > + if (r < 0) > + return r; > + know_label = true; > + } > +#endif

So far we managed to avoid #ifdefs for minor features in the main source files. I'd really prefer if we could maybe move getcon() into label.c or so, and return some error we can detect if selinux is turned off...

> s->n_connections ++; > > + if (s->selinux_context_via_net) > + service->exec_context.selinux_context_via_net = true; > +

Still don't like how this is passed through... (see other mail)

> +out: > + if (r && security_getenforce() == 1) > + r = -errno; > + > + freecon(mycon); > + freecon(peercon); > + freecon(fcon); > + context_free(pcon); > + context_free(bcon);

Wow! freecon() and context_free() are both selinux APIs? Yuck!

Hmm, minor suggestion: maybe use the _cleanup_ stuff for freeing these fields? Makes the code a bit simpler.

Lennart

--
Lennart Poettering, Red Hat
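
Review bot: In the hunk under "if (p->type == SOCKET_SOCKET)", "r = getcon(&label); if (r < 0) return r;" hands the caller getcon()'s raw -1 rather than a negative errno, and -1 decodes as -EPERM whatever the real cause was. Suggest "return -errno;" at this site, which would also match the "r = -errno" convention the patch uses at its "out:" label.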
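
Review bot: In the hunk after "s->n_connections ++;", the flag is copied only when it is true, so this code path can set "service->exec_context.selinux_context_via_net" but never clear it. A direct assignment, "service->exec_context.selinux_context_via_net = s->selinux_context_via_net;", keeps the service's value in step with the socket's; if one-way propagation is intended, a short comment saying so would help the next reader.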
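
Review bot: At the "out:" label, "r = -errno" is evaluated after security_getenforce() has been called, so errno may no longer hold the value left by the call that actually failed. Suggest capturing -errno into r at each failure site before jumping to "out:", and only deciding here whether to keep or drop it. Note also that a failing security_getenforce() (return value -1) takes the same path as permissive mode, leaving r at its raw non-zero value instead of a negative errno.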