On Wed, 2006-11-29 at 16:29 -0500, Steve Grubb wrote:
> On Wednesday 29 November 2006 16:14, James Antill wrote:
> > Ok, this patch doesn't do any bounding then.
> > I've currently left the old config. context stuff in atm. in case we
> > want to change that to specify the MLS bound, it's easier for me. But if
> > this is fine as is I'll drop that part before I hand it off to Steve.
>
> If we are adding a parser to xinetd, it needs to check that the context it
> read is indeed valid. Also, xinetd does an integrated check in check_entry(),
> confparse.c. It needs to do some paranoid checks that they are not specifying
> a label when the labeled networking flag is not given.

security_check_context(3) can be used to validate a context against the
active policy. I'm not sure the approach is quite workable yet either - if
you configure xinetd to use labeled networking but the incoming connection
is coming from a host that doesn't support it, getpeercon() will fail and
you need to gracefully deal with it (e.g. fall back to some default,
possibly based on the client machine's address).

--
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
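The two checks discussed in this thread, as an added example that is neither xinetd's code nor anything posted by the participants: the paranoid check_entry()-style test that a label is only accepted when the labeled-networking flag is set (and is a valid context under the loaded policy), and the fallback decision when getpeercon() fails for a peer that carries no label. The struct, the flag bit and the HAVE_LIBSELINUX build macro are assumptions; the ENOPROTOOPT errno for an unlabeled peer is what the SELinux getsockopt(SO_PEERSEC) path returns and is treated here as an assumption to verify against your kernel.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef HAVE_LIBSELINUX
#include <selinux/selinux.h>   /* security_check_context(3), getpeercon(3) */
#endif

#define SVC_LABELED_NET 0x1    /* hypothetical per-service flag bit */

struct service_cfg {           /* hypothetical slice of an xinetd config entry */
    const char *name;
    unsigned    flags;
    const char *context;       /* label read from the config file, or NULL */
};

/* Paranoid check for check_entry(): a label is only allowed when the
 * labeled-networking flag is set, and it must be a valid context under the
 * active policy. Returns 0 when the entry is acceptable, -1 when rejected. */
int check_context_entry(const struct service_cfg *scp)
{
    if (scp->context == NULL)
        return 0;              /* nothing to validate */
    if (!(scp->flags & SVC_LABELED_NET)) {
        fprintf(stderr, "%s: context set but labeled networking not enabled\n",
                scp->name);
        return -1;
    }
    /* cheap shape check before asking the policy: user:role:type[:level] */
    if (scp->context[0] == '\0' || strchr(scp->context, ':') == NULL)
        return -1;
#ifdef HAVE_LIBSELINUX
    if (security_check_context(scp->context) < 0) {
        fprintf(stderr, "%s: context %s is not valid under the loaded policy\n",
                scp->name, scp->context);
        return -1;
    }
#endif
    return 0;
}

/* Decide which context to use for an accepted connection. rc and err are the
 * return value and errno from getpeercon(fd, &peercon). ENOPROTOOPT is assumed
 * to mean the peer carried no label, so the configured default is used;
 * any other failure returns NULL and the connection should be refused. */
const char *resolve_peer_context(int rc, int err, const char *peercon,
                                 const char *fallback)
{
    if (rc == 0 && peercon != NULL)
        return peercon;
    if (err == ENOPROTOOPT)
        return fallback;       /* unlabeled peer: fall back as Stephen suggests */
    return NULL;
}
```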
