Today's targeted policy...

Stephen Smalley sds at epoch.ncsc.mil
Thu Feb 10 16:48:55 UTC 2005


On Thu, 2005-02-10 at 10:23, Tom London wrote:
> Running targeted/enforcing, latest rawhide.
> 
> After installing today's policy files and rebooting, had X/execmem
> problems. Solved by 'setsebool -P allow_execmem 1'.
> 
> Rebooting produces scads of use and sigchild denials. Attached is
> /var/log/messages.
> 
> In the past, use/fd denials were usually due to leaky file descriptors
> across execs. Is that likely the case here? Not sure about sigchild....

No, I removed rules from the general unconfined_domain() macro that
shouldn't be applied to _all_ unconfined domains, and no one has yet
added them back to the specific unconfined.te file in the targeted
policy (which is the only place they were needed).  In the targeted
policy, all other domains are launched from the unconfined_t domain, and
these rules used to be covered by the domain_auto_trans rules, but the
re-introduction of initrc_t into the targeted policy means that they
have to be separately allowed.  So the rules

  allow domain unconfined_t:fd use;
  allow domain unconfined_t:process sigchld;

need to go into the targeted unconfined.te file.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
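The two rules named in the reply, written out as they would appear in a policy source file. This is an added illustration for readers, not text from the message and not the actual contents of the Fedora targeted policy's unconfined.te; the comments are mine and the placement in unconfined.te is as the reply describes.

```selinux
# Illustrative fragment for the targeted policy's unconfined.te
# (not the real Fedora file).
#
# In the targeted policy every confined domain is started from
# unconfined_t.  A child inherits the parent's open file descriptors
# across exec (fd use) and, on exit, delivers SIGCHLD to the parent
# (process sigchld).  These used to be granted implicitly by the
# domain_auto_trans rules; with initrc_t back in the picture they
# must be allowed explicitly for every domain.
allow domain unconfined_t:fd use;
allow domain unconfined_t:process sigchld;
```

Both rules are plain allow rules; no new type or attribute is required, since `domain` is the attribute every process type already carries.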