type_transition and sigchild

Maurizio Pagani Gmail pag.maurizio at gmail.com
Tue Feb 19 11:40:04 UTC 2013


Hi Grift,


I added these rules, and now it works! And I understood how it works:

###### TYPE TRANSITION FOR lvm_t  #######################
# Let the diskadm role run processes in the lvm_t domain.
role diskadm_role_r types lvm_t;

# Switch to lvm_t automatically when diskadm_role_t executes an lvm_exec_t file.
type_transition diskadm_role_t lvm_exec_t : process lvm_t;
allow diskadm_role_t lvm_exec_t : file { getattr read open execute };
allow diskadm_role_t lvm_t : process transition;

# lvm_t inherits the shell's signal state and rlimits; SIGCHLD may flow
# between the two domains, and lvm_t may use file descriptors inherited from the shell.
allow diskadm_role_t lvm_t : process { siginh rlimitinh sigchld };
allow lvm_t diskadm_role_t : process { sigchld };
allow lvm_t diskadm_role_t : fd use;
#########################################################

Thanks for your support.

Maurizio

-----Original Message-----
From: Dominick Grift [mailto:dominick.grift at gmail.com]
Sent: Tuesday 19 February 2013 12:36
To: Maurizio Pagani Gmail
Cc: selinux at lists.fedoraproject.org
Subject: Re: type_transition and sigchild

On Tue, 2013-02-19 at 07:55 +0100, Maurizio Pagani Gmail wrote:

> type=AVC msg=audit(1361254531.179:7044668): avc:  denied  { sigchld } for
> pid=3968 comm="bash" scontext=ssh_role_u:diskadm_role_r:lvm_t:s0
> tcontext=ssh_role_u:diskadm_role_r:diskadm_role_t:s0 tclass=process

The sigchld permission is the "child terminated" signal. Child processes need to be able to send those to the parent process (in this case "lvdisplay (lvm_t)" executed by the user, using the "BASH shell (diskadm_role_t)").

This is a common event when doing a domain transition and therefore it is also part of the domtrans_pattern() pattern. This is a pattern in refpolicy that has all the common permissions required for a domain transition.
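To check whether a denial like the one quoted above is already covered by the transition rules posted in this thread, here is a small added example (not code from the list or from refpolicy). It parses the AVC line, then compares the denied permission against the allow rules from Maurizio's snippet; the rule set is assumed to be exactly that snippet, not the actual expansion of refpolicy's domtrans_pattern() macro.

```python
import re

# Constructed sample: the AVC denial quoted above, re-joined onto one line.
AVC_LINE = ('type=AVC msg=audit(1361254531.179:7044668): avc:  denied  { sigchld } for '
            'pid=3968 comm="bash" scontext=ssh_role_u:diskadm_role_r:lvm_t:s0 '
            'tcontext=ssh_role_u:diskadm_role_r:diskadm_role_t:s0 tclass=process')

def domtrans_rules(src, exec_t, tgt):
    """Allow rules in the shape of the snippet posted in this thread
    (assumed to mirror domtrans_pattern(src, exec_t, tgt); the real macro
    may differ). Each rule: (source type, target type, class, perms)."""
    return [
        (src, exec_t, "file", {"getattr", "read", "open", "execute"}),
        (src, tgt, "process", {"transition", "siginh", "rlimitinh", "sigchld"}),
        (tgt, src, "process", {"sigchld"}),
        (tgt, src, "fd", {"use"}),
    ]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
                    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def parse_avc(line):
    """Extract (source type, target type, class, denied perms) from an AVC line.
    The type is the third field of a user:role:type[:level] context."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("s").split(":")[2]
    ttype = m.group("t").split(":")[2]
    return stype, ttype, m.group("cls"), set(m.group("perms").split())

def uncovered_perms(denial, rules):
    """Permissions in the denial that no rule grants for the same
    (source, target, class) triple; an empty set means the rules cover it."""
    stype, ttype, cls, perms = denial
    allowed = set()
    for s, t, c, p in rules:
        if (s, t, c) == (stype, ttype, cls):
            allowed |= p
    return perms - allowed

if __name__ == "__main__":
    denial = parse_avc(AVC_LINE)
    rules = domtrans_rules("diskadm_role_t", "lvm_exec_t", "lvm_t")
    print(denial, "uncovered:", uncovered_perms(denial, rules))
```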