On 02/14/2013 06:13 AM, Saurabh Sharma wrote:
Hello,
For connectto permission using unix_stream_socket, the system throws a write avc denial on sock_file.
e.g.
allow abcd xyz:unix_stream_socket connectto;

The connect function call throws
avc:  denied  { write } for  pid=12345 scontext=u:r:abcd:s0 tcontext=u:object_r:xyz:s0 tclass=sock_file

Does the connect call on a socket open a file for writing?
If so, is the connectto rule dependent on write permission in the case of a socket?
What am I missing here?
Note: pid, source context and target context are given only for example reference.

I think what you are missing is that there are two separate objects with separate security contexts and security classes involved when dealing with a Unix/local domain socket bound to the filesystem namespace. There is the socket that was created by calling socket(), labeled by default with the security context of the creating process and having a tclass of unix_stream_socket. And then there is the file that was created by calling bind(), labeled by default in the normal way for files and having a tclass of sock_file. When you try to connect to one of these sockets, there is first a check of whether you can write to the socket file, and then if you pass that check, there is a subsequent check of whether you can connectto the socket.

That's what the unix_socket_connect() macro in te_macros encapsulates.
You need both permissions in order to establish the connection.
(You further need various other permissions covered elsewhere, such as
search permission to all directories in the path to the socket file, and
connect, read, and write permission to the local socket you are using).

Linux DAC likewise checks write to the socket file on a connect() call; SELinux just mirrors that check by virtue of hooking the standard permission checking functions. The connectto check is unique to SELinux; it was introduced for two reasons:

1) It provides a more direct control over the client-server relationship than the file-based check.

2) It ensures that connections are controlled even if they do not use the file namespace. Linux has a unique concept called the abstract namespace in which the socket address starts with a nul byte and does not correspond to anything in the filesystem. Those sockets wouldn't be controlled at all if we relied solely on the file write check for connections.
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.