Environment variables over exec()?
Jan Kasprzak
kas at fi.muni.cz
Thu Mar 5 21:57:39 UTC 2009
Stephen Smalley wrote:
: > Does SELinux prevent the environment variables from being inherited
: > over exec()? If so, how can I enable it?
:
: On a domain transition, by default, SELinux will set the AT_SECURE auxv
: flag and glibc will then sanitize the environment in the same manner as
: for setuid/setgid program execution. You can disable that behavior on a
: selective basis by allowing the "noatsecure" permission between the old
: and new domains. You would add the following allow rule to your policy:
:
: allow mydaemon_t myprogram_t:process noatsecure;
Thanks for the explanation. I have already tested that the above
rule solves the problem for me (found it out using semodule -DB, as
suggested by Dominick Grift).
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<
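A small diagnostic for the behaviour described in the quoted reply, added here as an example and not part of the original thread: it reads the AT_SECURE auxv flag and lists which loader-sensitive variables are still present after exec(). The variable list is an assumed subset of what glibc strips in secure mode (the full set lives in glibc's unsecvars.h and varies by version); the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <elf.h>        /* AT_SECURE */
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>   /* getauxval() */

extern char **environ;

/* Assumed subset of the variables glibc removes when AT_SECURE is set. */
static const char *const unsafe_vars[] = {
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "LD_DEBUG",
    "GCONV_PATH", "LOCPATH", "MALLOC_TRACE", "NLSPATH", "TMPDIR", NULL
};

/* 1 if the kernel marked this exec as secure: setuid/setgid, or an
 * SELinux domain transition without the noatsecure permission. */
int exec_was_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* 1 if a "NAME=value" entry names one of unsafe_vars (exact name match). */
int is_unsafe_var(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t len = eq ? (size_t)(eq - entry) : strlen(entry);
    for (int i = 0; unsafe_vars[i]; i++)
        if (strlen(unsafe_vars[i]) == len &&
            strncmp(entry, unsafe_vars[i], len) == 0)
            return 1;
    return 0;
}

/* Number of entries in envp that secure mode would have removed. */
int count_unsafe(char *const envp[])
{
    int n = 0;
    for (; envp && *envp; envp++)
        n += is_unsafe_var(*envp);
    return n;
}

int main(void)
{
    printf("AT_SECURE=%d\n", exec_was_secure());
    for (char **e = environ; e && *e; e++)
        if (is_unsafe_var(*e))
            printf("still present after exec: %s\n", *e);
    printf("loader-sensitive variables present: %d\n", count_unsafe(environ));
    return 0;
}
```

Run from the calling domain with one of the listed variables set, the program shows AT_SECURE=1 and no surviving entries when the transition is sanitized, and AT_SECURE=0 with the variables intact once noatsecure is allowed.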
More information about the fedora-selinux-list
mailing list