author: Simo Sorce <simo@redhat.com> 2013-06-21 20:36:20 -0400
committer: Günther Deschner <gdeschner@redhat.com> 2013-07-02 16:17:23 +0200
commit: acc3b87b655cf7c6c0c7d698f5a5867b6732a69f (patch)
tree: 97f3d944770bfc78c92f1fff854d66b78df76de7 /proxy/man
parent: f66a585e042fbb2f313c1cbde329088fac86cea6 (diff)
Add service match using SELinux context

Using getpeercon we can know the selinux context of the process talking to gssproxy. Use this information as an optional additional filter to match processes to service definitions. If a selinux_context option with a full user;role;type context is specified in a service section, then the connecting process must also be running under the specified selinux context in order to be allowed to connect.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Diffstat (limited to 'proxy/man')
-rw-r--r-- proxy/man/gssproxy.conf.5.xml 15
1 files changed, 15 insertions, 0 deletions
diff --git a/proxy/man/gssproxy.conf.5.xml b/proxy/man/gssproxy.conf.5.xml
index 9238aa6..0cbf965 100644
--- a/proxy/man/gssproxy.conf.5.xml
+++ b/proxy/man/gssproxy.conf.5.xml
@@ -165,6 +165,21 @@
</varlistentry>
<varlistentry>
+ <term>selinux_context (string)</term>
+ <listitem>
+ <para>This parameter instructs the proxy to allow map a
+ request to the service only if the context of the
+ connecting client matches the one defined here.
+ </para>
+ <para>When this parameter is not set any client will be
+ allowed regardless of their selinux context.
+ </para>
+ <para>Example: selinux_context = system_u:system_r:gssd_t
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>socket (string)</term>
<listitem>
<para>This parameter allows to create a per-service socket file over which gssproxy client and server components communicate.
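Review bot: The new selinux_context entry does not say how the client context is compared to the configured value, and the example "system_u:system_r:gssd_t" gives only the user:role:type components while the commit message calls for a "full" context; please state whether the match is an exact string comparison of the whole label returned for the peer (including any level component a labeled system appends) or a comparison of only those three components, and what happens to the service match when no peer context can be obtained, since as written an administrator cannot tell whether the example value will match on a system whose peer contexts carry a level. Also tighten the wording in the first para: "to allow map a request" should read "to map a request", and "regardless of their selinux context" should read "regardless of its selinux context".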