
Re: fork rules


On Sun, 05 Jun 2005 15:13:38 CDT, Arpan Darivemula said:

> #include <stdio.h>
> #include <unistd.h>
> 
> int main( int argc, char **argv )
> {
>         int pid;
> 
>         pid = getpid();
>         printf( "Parent PID: %i\n", pid );
> 
>         /* fork() returns 0 in the child and the child's PID in the parent */
>         if ( fork() == 0 )
>         {
>                 pid = getpid();
>                 printf( "Child PID: %i\n", pid );
>         }
>         return 0;
> }

I'd stick a 'sleep(120);' in there just before the fork() call, and then
start using 'ps axZ' or similar to find out what you're actually running as.

> neverallow dsifork_exec_t self:process{fork};

You're probably not actually in dsifork_exec_t. Probably because:

> allow user_t dsifork_exec_t:file {execute execute_no_trans read};

Did you really want execute_*NO*_trans there?  That means that a user_t
can exec a dsifork_exec_t and *remain* a user_t.  I think you wanted something
like:

# domain_auto_trans(source_domain, entrypoint_file_type, target_domain)
domain_auto_trans(user_t, dsi_fork_exec_t, dsi_fork_t);
neverallow dsi_fork_t self:process { fork };

and then label the file as dsi_fork_exec_t, and apply the restriction to
dsi_fork_t.

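As an added example (not code from the thread or from either poster): the reply's diagnostic advice is to find out which domain the process is actually running in before trusting the policy. The program below does that from inside the process instead of with ps, by reading the kernel's per-process SELinux context from /proc/self/attr/current in the parent and in the child around the fork() call, extracting the type field, and flagging any process whose domain is not the expected dsi_fork_t. The domain name dsi_fork_t comes from the reply; on a system without SELinux the read fails and the program says so rather than guessing.

```c
/* Added example: report the SELinux domain of the parent and child around
 * fork(). Reads /proc/self/attr/current (the process's own context).
 * Expected domain "dsi_fork_t" is taken from the reply above. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>

/* Read this process's SELinux context into buf. Returns its length, or -1
 * if the attribute cannot be read (e.g. SELinux not present). */
int read_current_context(char *buf, size_t n)
{
    int fd = open("/proc/self/attr/current", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t len = read(fd, buf, n - 1);
    close(fd);
    if (len <= 0)
        return -1;
    buf[len] = '\0';
    /* The kernel may append a NUL or newline; strip trailing ones. */
    while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\0'))
        buf[--len] = '\0';
    return (int)len;
}

/* Copy the type (third field) of a user:role:type[:range] context into out.
 * Returns 0 on success, -1 if the string does not have three fields. */
int context_type(const char *ctx, char *out, size_t n)
{
    const char *p = ctx;
    for (int i = 0; i < 2; i++) {
        p = strchr(p, ':');
        if (!p)
            return -1;
        p++;
    }
    const char *end = strchr(p, ':');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= n)
        return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* 1 if the context's type equals the expected domain, else 0. */
int running_in_domain(const char *ctx, const char *expected)
{
    char type[256];
    if (context_type(ctx, type, sizeof type) != 0)
        return 0;
    return strcmp(type, expected) == 0;
}

static void report(const char *who)
{
    char ctx[512];
    if (read_current_context(ctx, sizeof ctx) < 0)
        snprintf(ctx, sizeof ctx, "(no SELinux context)");
    printf("%s PID %d: %s%s\n", who, (int)getpid(), ctx,
           running_in_domain(ctx, "dsi_fork_t") ? "" : "  <- not in dsi_fork_t");
}

int main(void)
{
    report("Parent");
    pid_t pid = fork();
    if (pid < 0) {
        /* If the domain is not allowed process { fork }, this is where it shows up. */
        perror("fork");
        return 1;
    }
    if (pid == 0) {
        report("Child");
        return 0;
    }
    waitpid(pid, NULL, 0);
    return 0;
}
```

If the parent line already shows user_t rather than dsi_fork_t, the execute_no_trans rule is doing exactly what the reply describes: the binary ran, but no domain transition happened, so the fork restriction on dsi_fork_t never applied.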



This mailing list archive is a service of Copilot Consulting.