author | Simo Sorce <simo@redhat.com> | 2013-06-21 20:36:20 -0400 |
---|---|---|
committer | Günther Deschner <gdeschner@redhat.com> | 2013-07-02 16:17:23 +0200 |
commit | acc3b87b655cf7c6c0c7d698f5a5867b6732a69f (patch) | |
tree | 97f3d944770bfc78c92f1fff854d66b78df76de7 /proxy/src/gp_proxy.h | |
parent | f66a585e042fbb2f313c1cbde329088fac86cea6 (diff) | |
download | gss-proxy-acc3b87b655cf7c6c0c7d698f5a5867b6732a69f.tar.gz gss-proxy-acc3b87b655cf7c6c0c7d698f5a5867b6732a69f.tar.xz gss-proxy-acc3b87b655cf7c6c0c7d698f5a5867b6732a69f.zip |
Add service match using SeLinux Context
Using getpeercon() we can learn the SELinux context of the process talking to
gssproxy. Use this information as an optional additional filter to match
processes to service definitions.
If a selinux_context option with a full user:role:type context is specified
in a service section, then the connecting process must also be running under
the specified SELinux context in order to be allowed to connect.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Diffstat (limited to 'proxy/src/gp_proxy.h')
-rw-r--r-- | proxy/src/gp_proxy.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/proxy/src/gp_proxy.h b/proxy/src/gp_proxy.h
index dc7aada..835fcf5 100644
--- a/proxy/src/gp_proxy.h
+++ b/proxy/src/gp_proxy.h
@@ -31,6 +31,7 @@
 #include <stdint.h>
 #include "verto.h"
 #include "gp_common.h"
+#include "gp_selinux.h"
 #define _(STRING) gettext(STRING)
@@ -52,6 +53,7 @@ struct gp_service {
     bool trusted;
     bool kernel_nfsd;
     char *socket;
+    SELINUX_CTX selinux_ctx;
     uint32_t mechs;
     struct gp_cred_krb5 krb5;
@@ -106,6 +108,7 @@ void gp_socket_send_data(verto_ctx *vctx, struct gp_conn *conn,
                          uint8_t *buffer, size_t buflen);
 struct gp_creds *gp_conn_get_creds(struct gp_conn *conn);
 const char *gp_conn_get_socket(struct gp_conn *conn);
+bool gp_conn_check_selinux(struct gp_conn *conn, SELINUX_CTX ctx);
 /* from gp_workers.c */
 int gp_workers_init(struct gssproxy_ctx *gpctx); |
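Review bot: The new `selinux_ctx` member of `struct gp_service` carries no comment saying what an unset value means or who owns the `SELINUX_CTX` object, and since this field decides whether a peer is allowed to bind to the service, a reader should not have to guess. From the commit message the option is optional, so presumably the field is left NULL when no `selinux_context` line is configured and must be freed with the rest of the service on teardown, but neither the parser nor the cleanup path is visible in this hunk. I would add `/* optional: when set, a peer must run in exactly this SELinux context to use this service (see gp_conn_check_selinux); NULL means no context filtering */` above the member, adjusting the NULL claim to whatever gp_config.c actually does. The struct definition starts and ends outside the hunk.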
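Review bot: The `gp_conn_check_selinux` prototype does not state its contract on the failure paths that matter for an access check: what it returns when `ctx` is NULL, when getpeercon() fails, or when SELinux is disabled on the host. A caller reading only this header cannot tell whether a failure to obtain the peer's context is treated as "no match" (fail closed) or as "no filter" (fail open), and the difference is the whole security value of the option. I would document it in the header, e.g. `/* Returns true only if ctx is NULL or the peer's context (per getpeercon()) compares equal to ctx in full; any failure to retrieve the peer context yields false. */`, and confirm that the implementation in gp_socket.c really does compare the full user:role:type[:level] string rather than a prefix. The implementation is not in this hunk, so the stated semantics need to be checked against it.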