Andrea Claudi says:
====================
In order to execute a service with VRF, a user should start it using
"ip vrf exec". For example, using systemd, the user can encapsulate the
ExecStart command in ip vrf exec as shown below:
ExecStart=/usr/sbin/ip vrf exec vrf1 /usr/sbin/httpd $OPTIONS -DFOREGROUND
Assuming SELinux is in permissive mode, starting the service with the
current ip vrf implementation results in:
# systemctl start httpd
# ps -eafZ | grep httpd
system_u:system_r:ifconfig_t:s0 root 597448 1 1 19:22 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:ifconfig_t:s0 apache 597452 597448 0 19:22 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
[snip]
This is incorrect, as the context for httpd should be httpd_t, not
ifconfig_t.
This happens because ipvrf_exec invokes cmd_exec without setting the
correct SELinux context before. Without the correct setting, the process
is executed using ip's SELinux context.
This patch series makes "ip vrf exec" SELinux-aware using the
setexecfilecon functions, which retrieves the correct context to be used
on the next execvp() call.
After this series:
# systemctl start httpd
# ps -eafZ | grep httpd
system_u:system_r:httpd_t:s0 root 595805 1 0 19:01 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 595809 595805 0 19:01 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
====================
Signed-off-by: David Ahern <dsahern@kernel.org>
projects / thirdparty / iproute2.git / commitdiff
