2010-01-19 04:56:37 +03:00
/*-*- Mode: C; c-basic-offset: 8 -*-*/
# ifndef foosocketutilhfoo
# define foosocketutilhfoo
2010-02-03 15:03:47 +03:00
/***
This file is part of systemd .
Copyright 2010 Lennart Poettering
systemd is free software ; you can redistribute it and / or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
systemd is distributed in the hope that it will be useful , but
WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the GNU
General Public License for more details .
You should have received a copy of the GNU General Public License
along with systemd ; If not , see < http : //www.gnu.org/licenses/>.
* * */
2010-01-19 04:56:37 +03:00
# include <sys/socket.h>
# include <netinet/in.h>
# include <sys/un.h>
2010-01-27 06:31:52 +03:00
# include <net/if.h>
2010-01-19 04:56:37 +03:00
# include "macro.h"
# include "util.h"
2010-01-23 05:35:54 +03:00
typedef struct SocketAddress {
2010-01-19 04:56:37 +03:00
union {
struct sockaddr sa ;
struct sockaddr_in in4 ;
struct sockaddr_in6 in6 ;
struct sockaddr_un un ;
struct sockaddr_storage storage ;
} sockaddr ;
/* We store the size here explicitly due to the weird
* sockaddr_un semantics for abstract sockets */
socklen_t size ;
/* Socket type, i.e. SOCK_STREAM, SOCK_DGRAM, ... */
int type ;
2010-01-23 05:35:54 +03:00
} SocketAddress ;
2010-01-19 04:56:37 +03:00
2010-01-23 05:35:54 +03:00
typedef enum SocketAddressBindIPv6Only {
SOCKET_ADDRESS_DEFAULT ,
SOCKET_ADDRESS_BOTH ,
2010-05-22 01:41:25 +04:00
SOCKET_ADDRESS_IPV6_ONLY ,
_SOCKET_ADDRESS_BIND_IPV6_ONLY_MAX ,
_SOCKET_ADDRESS_BIND_IPV6_ONLY_INVALID = - 1
2010-01-23 05:35:54 +03:00
} SocketAddressBindIPv6Only ;
2010-01-19 04:56:37 +03:00
2010-01-23 05:35:54 +03:00
# define socket_address_family(a) ((a)->sockaddr.sa.sa_family)
2010-01-19 04:56:37 +03:00
2010-01-23 05:35:54 +03:00
int socket_address_parse ( SocketAddress * a , const char * s ) ;
int socket_address_print ( const SocketAddress * a , char * * p ) ;
int socket_address_verify ( const SocketAddress * a ) ;
2010-02-12 04:02:14 +03:00
2010-04-15 08:19:54 +04:00
bool socket_address_can_accept ( const SocketAddress * a ) ;
2010-02-12 04:02:14 +03:00
int socket_address_listen (
const SocketAddress * a ,
int backlog ,
SocketAddressBindIPv6Only only ,
const char * bind_to_device ,
2010-07-01 02:29:17 +04:00
bool free_bind ,
2010-02-12 04:02:14 +03:00
mode_t directory_mode ,
mode_t socket_mode ,
Systemd is causing mislabeled devices to be created and then attempting to read them.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/28/2010 05:57 AM, Kay Sievers wrote:
> On Wed, Jul 28, 2010 at 11:43, Lennart Poettering
> <lennart@poettering.net> wrote:
>> On Mon, 26.07.10 16:42, Daniel J Walsh (dwalsh@redhat.com) wrote:
>>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>>> type=1400 audit(1280174589.476:7): avc: denied { read } for pid=1
>>> comm="systemd" name="autofs" dev=devtmpfs ino=9482
>>> scontext=system_u:system_r:init_t:s0
>>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>>> type=1400 audit(1280174589.476:8): avc: denied { read } for pid=1
>>> comm="systemd" name="autofs" dev=devtmpfs ino=9482
>>> scontext=system_u:system_r:init_t:s0
>>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>>>
>>> Lennart, we talked about this earlier. I think this is caused by the
>>> modprobe calls to create /dev/autofs. Since udev is not created at the
>>> point that init loads the kernel modules, the devices get created with
>>> the wrong label. Once udev starts the labels get fixed.
>>>
>>> I can allow init_t to read device_t chr_files.
>>
>> Hmm, I think a cleaner fix would be to make systemd relabel this device
>> properly before accessing it? Given that this is only one device this
>> should not be a problem for us to maintain, I think? How would the
>> fixing of the label work? Would we have to spawn restorecon for this, or
>> can we actually do this in C without too much work?
>
> I guess we can just do what udev is doing, and call setfilecon(), with
> a context of an earlier matchpathcon().
>
> Kay
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Here is the updated patch with a fix for the labeling of /dev/autofs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkxQMyoACgkQrlYvE4MpobNviACfWgxsjW2xzz1qznFex8RVAQHf
gIEAmwRmRcLvGqYtwQaZ3WKIg8wmrwNk
=pC2e
2010-07-28 17:39:54 +04:00
const char * label ,
2010-02-12 04:02:14 +03:00
int * ret ) ;
2010-01-19 04:56:37 +03:00
2010-06-05 02:52:30 +04:00
bool socket_address_is ( const SocketAddress * a , const char * s , int type ) ;
2010-04-21 05:27:44 +04:00
bool socket_address_equal ( const SocketAddress * a , const SocketAddress * b ) ;
2010-05-13 05:07:16 +04:00
bool socket_address_needs_mount ( const SocketAddress * a , const char * prefix ) ;
2010-05-22 01:41:25 +04:00
const char * socket_address_bind_ipv6_only_to_string ( SocketAddressBindIPv6Only b ) ;
SocketAddressBindIPv6Only socket_address_bind_ipv6_only_from_string ( const char * s ) ;
2010-01-19 04:56:37 +03:00
# endif