I wrote a patch for xinetd as part of a class project. xinetd is a network daemon that starts services on demand. In SELinux with labeled IPsec, we would like to start these services in the same security context as the requesting context, rather than in the security context that xinetd is running in.
I developed this patch for xinetd-2.3.14.
----------------------------------------------
Documentation:

This patch enables xinetd to extract the security context (security label, in SELinux terms) of a peer client based on the Labeled IPsec patch for Linux (available in 2.6.16). We have added a new option for xinetd configuration, called 'secsock_adopt'. By setting this option to 'yes', xinetd automatically sets the security context of every service process it launches to that of the IPsec security association used to connect to xinetd, if any. By default, this option is set to 'no'.

Design:

xinetd gets the security context from the connected socket that received the request using the following system call:

    getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buffer, &buflen);

SO_PEERSEC has been added to enable retrieval of the security label of a peer socket. For a socket connected to a remote client, the client's security context is determined by the security context of the IPsec security association. The Linux kernel extensions added in version 2.6.16 enable retrieval of this security label using getsockopt. This approach will not work for kernels older than 2.6.16.

The patch then has xinetd use the SELinux function setexeccon to assign the security context for the next execute performed by xinetd. As a result, the service process launched for this client request is assigned the security context of the IPsec security association. If there is no security association, or the security association has no label, the child is given the default security label.

Note that this only works with the SELinux module loaded. If SELinux is not loaded, things work normally.
----------------------------------------------
Download the patch here.
Let me know if this patch is useful for you!