mirror of
https://github.com/SELinuxProject/selinux
synced 2025-02-27 06:50:32 +00:00
libselinux provides a proper getpeercon() implementation that uses getsockopt with SO_PEERSEC to reliably obtain the peer's security context from the kernel. mcstransd for reasons unknown rolled its own get_peer_con() function that uses getsockopt SO_PEERCRED to obtain the peer PID and then calls getpidcon_raw(). That's less efficient and less secure (subject to races; peer context may have changed since connect). Don't do that.

The peer context doesn't appear to be used for anything currently, although there is a comment suggesting adding a permission check to see if the requester dominates the label to be translated to control what labels can be translated by what peers. Could likely dispense with it altogether.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

checkpolicy
libselinux
libsemanage
libsepol
policycoreutils
scripts
secilc
sepolgen
.gitignore
Android.mk
CleanSpec.mk
Makefile
README

Please submit all bug reports and patches to selinux@tycho.nsa.gov.
Subscribe via selinux-join@tycho.nsa.gov.

Build dependencies on Fedora:

    yum install audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex flex-devel flex-static glib2-devel libcap-devel libcap-ng-devel pam-devel pcre-devel python-devel setools-devel swig ustr-devel

To build and install everything under a private directory, run:

    make DESTDIR=~/obj install install-pywrap

To install as the default system libraries and binaries (overwriting any previously installed ones - dangerous!), on x86_64, run:

    make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel

or on x86 (32-bit), run:

    make install install-pywrap relabel

This may render your system unusable if the upstream SELinux userspace lacks library functions or other dependencies relied upon by your distribution. If it breaks, you get to keep both pieces.