type_transition and sigchild

Maurizio Pagani Gmail pag.maurizio at gmail.com
Tue Feb 19 06:55:06 UTC 2013

Hi there,

I'm a beginner with SELinux and I'm trying to implement "type_transition"
(process mode). These are my rules:

###### TYPE TRANSITION FOR lvm_t  ############################

role diskadm_role_r types lvm_t;
type_transition diskadm_role_t lvm_exec_t : process lvm_t;
allow diskadm_role_t lvm_exec_t : file { getattr read open execute};
allow diskadm_role_t lvm_t: process transition;

#########################################################

But when I launch lvm commands, for example "lvdisplay", I receive this
message:

###############################################################

bash-4.1# lvdisplay

lvdisplay: error while loading shared libraries: /lib64/ld-linux-x86-64.so.2: cannot apply additional memory protection after relocation: Permission denied

###############################################################

I went to look in audit.log, and I have these AVC denials:

###############################################################

type=AVC msg=audit(1361254531.179:7044668): avc:  denied  { sigchld } for pid=3968 comm="bash" scontext=ssh_role_u:diskadm_role_r:lvm_t:s0 tcontext=ssh_role_u:diskadm_role_r:diskadm_role_t:s0 tclass=process

###############################################################

I should create only a new rule for "allow lvm_t diskadm_role_t: process
sigchld", but is there a good reason why I must allow this? I'm
reading/studying a guide for "type_transition" in the "SELinux By Example" book
and at this link: http://selinuxproject.org/page/TypeRules but I don't see
anything about "sigchld", and it's not highlighted anywhere as a requirement
for the "type_transition" rule.

Thanks in advance,

Maurizio Pagani
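
Added example, not part of the original post and not code from any SELinux project: a small Python check that parses the rules and the AVC record quoted above and lists the access a process type_transition depends on but that the posted rules do not grant. It examines only the posted snippet (the loaded base policy may already grant some of this, for example entrypoint), and all function names are made up for this illustration.

```python
import re

# Illustration only: helper names are hypothetical and only the text below is
# examined, not the loaded policy. Rules and AVC are quoted from the post.
POSTED_POLICY = """
role diskadm_role_r types lvm_t;
type_transition diskadm_role_t lvm_exec_t : process lvm_t;
allow diskadm_role_t lvm_exec_t : file { getattr read open execute};
allow diskadm_role_t lvm_t: process transition;
"""
POSTED_AVC = ('type=AVC msg=audit(1361254531.179:7044668): avc:  denied  { sigchld } for '
              'pid=3968 comm="bash" scontext=ssh_role_u:diskadm_role_r:lvm_t:s0 '
              'tcontext=ssh_role_u:diskadm_role_r:diskadm_role_t:s0 tclass=process')

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")
TRANS_RE = re.compile(r"type_transition\s+(\w+)\s+(\w+)\s*:\s*process\s+(\w+)\s*;")
CTX = r"[^:\s]+:[^:\s]+:([^:\s]+)\S*"  # user:role:type[:level], captures the type
AVC_RE = re.compile(r"denied\s+\{([^}]*)\}.*?scontext=" + CTX + r"\s+tcontext=" + CTX + r"\s+tclass=(\w+)")

def allowed(policy):
    """(source, target, class, perm) tuples granted by allow rules in the text."""
    return {(s, t, c, p) for s, t, c, braced, single in ALLOW_RE.findall(policy)
            for p in (braced or single).split()}

def denied(audit_text):
    """(source, target, class, perm) tuples denied in AVC records."""
    return {(s, t, c, p) for perms, s, t, c in AVC_RE.findall(audit_text)
            for p in perms.split()}

def transition_needs(policy):
    """Access each process type_transition depends on; the rule itself grants none."""
    need = set()
    for src, exe, new in TRANS_RE.findall(policy):
        need |= {(src, exe, "file", "execute"),        # parent may execute the file
                 (new, exe, "file", "entrypoint"),     # file may enter the new domain
                 (src, new, "process", "transition"),  # parent may change domain
                 (new, src, "process", "sigchld")}     # child exit may signal parent
    return need

def missing(policy):
    return sorted(transition_needs(policy) - allowed(policy))

def as_rule(access):
    return "allow %s %s:%s %s;" % access

if __name__ == "__main__":
    for access in missing(POSTED_POLICY):
        hit = "  # matches the posted AVC" if access in denied(POSTED_AVC) else ""
        print(as_rule(access) + hit)
```

In the reference policy, the domtrans_pattern macro bundles the sigchld rule (together with fd use and fifo_file access) with the transition rules, which is why it is rarely written out by hand.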

 
