Re: fork rules
Thank you for the reply. It gave me a clearer understanding of the
process.
Arpan
On Sun, 2005-06-05 at 21:48 -0400, Valdis.Kletnieks@xxxxxx wrote:
> On Sun, 05 Jun 2005 15:13:38 CDT, Arpan Darivemula said:
>
> > #include <stdio.h>
> > #include <unistd.h>
> >
> > int main( int argc, char **argv )
> > {
> > pid_t pid;
> >
> > pid = getpid();
> > printf( "Parent PID: %i\n", (int) pid );
> >
> > if ( fork() == 0 )
> > {
> > pid = getpid();
> > printf( "Child PID: %i\n", (int) pid );
> > }
> > return 0;
> > }
>
> I'd stick a 'sleep(120);' in there just before the fork() call, and then
> start using 'ps axZ' or similar to find out what you're actually running as.
>
> > neverallow dsifork_exec_t self:process{fork};
>
> You're probably not actually in dsifork_exec_t. Probably because:
>
> > allow user_t dsifork_exec_t:file {execute execute_no_trans read};
>
> Did you really want execute_*NO*_trans there? That means that a user_t
> can exec a dsifork_exec_t and *remain* a user_t. I think you wanted something
> like:
>
> domain_auto_trans(user_t, dsi_fork_exec_t, dsi_fork_t);
> neverallow dsi_fork_t self:process { fork };
>
> and then label the file as dsi_fork_exec_t, and apply the restriction to
> dsi_fork_t
>
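The two policy fragments below are an added illustration of the point made in the reply, not policy from the thread or from any distribution: the weak rule set keeps the caller in user_t, so a neverallow aimed at the file type never applies, while the corrected set transitions the process into its own domain and attaches the fork restriction there. It is written with the underlying allow/type_transition rules instead of the domain_auto_trans macro so it does not depend on the old example-policy macro file; the type declarations, and the assumption that the binary has already been labelled dsi_fork_exec_t, are constructed for this example.

```selinux
# Constructed example. Types assumed; names follow the thread's dsi_fork_* naming.
type dsi_fork_t, domain;
type dsi_fork_exec_t, file_type, exec_type;

# --- Weak (what the original policy effectively did) ---
# user_t may run the binary, but execute_no_trans means it stays user_t.
# dsi_fork_exec_t is a file type, never a process domain, so a neverallow
# on it asserts nothing about the running program.
#
# allow user_t dsi_fork_exec_t:file { read execute execute_no_trans };
# neverallow dsi_fork_exec_t self:process { fork };

# --- Corrected: automatic domain transition on exec ---
# user_t may execute the file and move into dsi_fork_t;
# dsi_fork_t may be entered only through a dsi_fork_exec_t file.
allow user_t dsi_fork_exec_t:file { read getattr execute };
allow user_t dsi_fork_t:process transition;
allow dsi_fork_t dsi_fork_exec_t:file entrypoint;
type_transition user_t dsi_fork_exec_t:process dsi_fork_t;

# The restriction now targets the domain the binary actually runs in.
# neverallow is a build-time assertion: checkpolicy refuses to compile
# any policy that also grants dsi_fork_t self:process fork.
neverallow dsi_fork_t self:process { fork };
```

Two checks follow from this. Confirm the label on disk with `ls -Z` on the binary (it must show dsi_fork_exec_t, or the type_transition never fires), and confirm the running context with `ps axZ` as the reply suggests; a process still shown as user_t means the transition rules are not in effect. Note that the runtime denial of fork() in dsi_fork_t comes from the absence of an allow rule; the neverallow only guarantees nobody later adds one.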
--
This message was distributed to subscribers of the selinux mailing list.
This mailing list archive is a service of Copilot Consulting.