From: David Ahern
Date: Fri, 25 Aug 2023 00:38:58 +0000 (-0700)
Subject: Merge branch 'vrf-exec-selinux' into next
X-Git-Tag: v6.6.0~31
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4e66b4bb2aa5467afe6504edfceec3a60ddf7bed;p=thirdparty%2Fiproute2.git

Merge branch 'vrf-exec-selinux' into next

Andrea Claudi says:

====================
In order to execute a service with VRF, a user should start it using
"ip vrf exec". For example, using systemd, the user can encapsulate the
ExecStart command in ip vrf exec as shown below:

ExecStart=/usr/sbin/ip vrf exec vrf1 /usr/sbin/httpd $OPTIONS -DFOREGROUND

Assuming SELinux is in permissive mode, starting the service with the
current ip vrf implementation results in:

# systemctl start httpd
# ps -eafZ | grep httpd
system_u:system_r:ifconfig_t:s0 root      597448       1  1 19:22 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:ifconfig_t:s0 apache    597452  597448  0 19:22 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
[snip]

This is incorrect, as the context for httpd should be httpd_t, not
ifconfig_t. This happens because ipvrf_exec invokes cmd_exec without
setting the correct SELinux context beforehand. Without the correct
setting, the process is executed using ip's SELinux context.

This patch series makes "ip vrf exec" SELinux-aware using the
setexecfilecon function, which retrieves the correct context to be used
on the next execvp() call.

After this series:

# systemctl start httpd
# ps -eafZ | grep httpd
system_u:system_r:httpd_t:s0    root      595805       1  0 19:01 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    595809  595805  0 19:01 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
====================

Signed-off-by: David Ahern
---
4e66b4bb2aa5467afe6504edfceec3a60ddf7bed
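The pattern the series describes, as an added example that is not iproute2 code and is not part of the merge: a minimal exec wrapper that asks libselinux for the domain the policy would transition into for the target binary (setexecfilecon()) before calling execvp(), so the child ends up in httpd_t rather than inheriting the wrapper's own domain. It also includes a small checker for "ps -eafZ" lines so the result can be verified the way the cover letter does. HAVE_SELINUX is an assumed build flag (compile with -DHAVE_SELINUX -lselinux on a host with libselinux; without it the wrapper deliberately falls back to the pre-fix behaviour of inheriting the caller's context). The sample ps lines are constructed to match the shape of the output quoted above.

```c
/* Added example, not iproute2 code. HAVE_SELINUX is an assumed build flag:
 * build with -DHAVE_SELINUX -lselinux on a host that has libselinux. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#endif

/* Copy the type field (third colon-separated part of user:role:type:level)
 * of a SELinux context such as "system_u:system_r:httpd_t:s0" into out.
 * Returns 0 on success, -1 if the context is malformed or out is too small. */
int context_type(const char *ctx, char *out, size_t outlen)
{
    const char *p = ctx;
    for (int i = 0; i < 2; i++) {
        p = strchr(p, ':');
        if (!p)
            return -1;
        p++;
    }
    const char *end = strchr(p, ':');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Check one "ps -eafZ" line: the first field is the process context, the
 * command is at the end. Returns 1 if a line about `cmd` runs as type
 * `want`, 0 if it runs as some other type, -1 if the line is not about
 * `cmd` or cannot be parsed. */
int check_ps_line(const char *line, const char *cmd, const char *want)
{
    char ctx[256], type[64];

    if (sscanf(line, "%255s", ctx) != 1)
        return -1;
    if (!strstr(line + strlen(ctx), cmd))
        return -1;
    if (context_type(ctx, type, sizeof type) < 0)
        return -1;
    return strcmp(type, want) == 0;
}

/* Exec argv[0] under the domain the policy would choose for that file from
 * the caller's current context, which is what setexecfilecon() computes.
 * argv[0] should be a full path: the target context is looked up on the
 * file itself. `fallback_type` is used only if no transition applies.
 * Returns only on error. */
int exec_in_file_domain(char *const argv[], const char *fallback_type)
{
#ifdef HAVE_SELINUX
    if (is_selinux_enabled() > 0 &&
        setexecfilecon(argv[0], fallback_type) < 0) {
        perror("setexecfilecon");
        return -1;
    }
#else
    (void)fallback_type; /* built without libselinux: inherit caller's domain */
#endif
    execvp(argv[0], argv);
    perror("execvp");
    return -1;
}

int main(int argc, char *argv[])
{
    /* Constructed sample lines shaped like the cover letter's output. */
    const char *before = "system_u:system_r:ifconfig_t:s0 root 597448 1 1 "
                         "19:22 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND";
    const char *after = "system_u:system_r:httpd_t:s0 root 595805 1 0 "
                        "19:01 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND";

    printf("before fix: %s\n",
           check_ps_line(before, "httpd", "httpd_t") == 1 ? "ok" : "WRONG DOMAIN");
    printf("after fix:  %s\n",
           check_ps_line(after, "httpd", "httpd_t") == 1 ? "ok" : "WRONG DOMAIN");

    /* Usage: ./wrapper /usr/sbin/httpd -DFOREGROUND */
    if (argc > 1)
        return exec_in_file_domain(argv + 1, NULL) < 0 ? 127 : 0;
    return 0;
}
```

Without the setexecfilecon() call the child simply keeps the wrapper's domain, which is exactly the ifconfig_t result shown above for the unpatched ip; with it, the kernel applies the normal file-based transition at execvp() time, and the checker reports httpd_t.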