Date: Mon, 28 Feb 2022 16:01:02 -0500
Subject: Re: [PATCH] mailman3 V2.1
To: Russell Coker, selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/19/22 05:34, Russell Coker wrote:
> Same as the previous but also allow web server to map mailman data files.
> > Signed-off-by: Russell Coker > > Index: refpolicy-2.20220219/policy/modules/services/mailman.if > =================================================================== > --- refpolicy-2.20220219.orig/policy/modules/services/mailman.if > +++ refpolicy-2.20220219/policy/modules/services/mailman.if > @@ -109,6 +109,44 @@ interface(`mailman_domtrans_cgi',` > > ####################################### > ## > +## Talk to mailman_cgi_t via Unix domain socket > +## > +## > +## > +## Domain talking to mailman > +## > +## > +# > +interface(`mailman_stream_connect_cgi',` > + gen_require(` > + type mailman_cgi_t, mailman_runtime_t; > + ') > + > + files_search_runtime($1) > + stream_connect_pattern($1, mailman_runtime_t, mailman_runtime_t, mailman_cgi_t) > +') > + > +####################################### > +## > +## Manage mailman runtime files > +## > +## > +## > +## Domain to manage the files > +## > +## > +# > +interface(`mailman_manage_runtime_files',` > + gen_require(` > + type mailman_runtime_t; > + ') > + > + files_search_runtime($1) > + manage_files_pattern($1, mailman_runtime_t, mailman_runtime_t) > +') > + > +####################################### > +## > ## Execute mailman in the caller domain. > ## > ## > @@ -186,6 +224,24 @@ interface(`mailman_read_data_files',` > > ####################################### > ## > +## map mailman data content. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`mailman_map_data_files',` > + gen_require(` > + type mailman_data_t; > + ') > + > + allow $1 mailman_data_t:file map; > +') > + > +####################################### > +## > ## Create, read, write, and delete > ## mailman data files. > ## 
> @@ -342,3 +398,21 @@ interface(`mailman_domtrans_queue',` > libs_search_lib($1) > domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) > ') > + > +####################################### > +## > +## Manage mailman lock dir > +## > +## > +## > +## Domain allowed to manage it. > +## > +## > +# > +interface(`mailman_manage_lockdir',` > + gen_require(` > + type mailman_lock_t; > + ') > + > + allow $1 mailman_lock_t:dir manage_dir_perms; > +') > Index: refpolicy-2.20220219/policy/modules/services/mailman.te > =================================================================== > --- refpolicy-2.20220219.orig/policy/modules/services/mailman.te > +++ refpolicy-2.20220219/policy/modules/services/mailman.te > @@ -10,6 +10,7 @@ attribute mailman_domain; > attribute_role mailman_roles; > > mailman_domain_template(cgi) > +init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t) > > type mailman_data_t; > files_type(mailman_data_t) > @@ -26,11 +27,18 @@ files_lock_file(mailman_lock_t) > type mailman_runtime_t alias mailman_var_run_t; > files_runtime_file(mailman_runtime_t) > > +type mailman_cgi_tmpfs_t; > +files_tmpfs_file(mailman_cgi_tmpfs_t) > + > +type mailman_queue_tmpfs_t; > +files_tmpfs_file(mailman_queue_tmpfs_t) > + > mailman_domain_template(mail) > init_daemon_domain(mailman_mail_t, mailman_mail_exec_t) > role mailman_roles types mailman_mail_t; > > mailman_domain_template(queue) > +init_daemon_domain(mailman_queue_t, mailman_queue_exec_t) > > ######################################## > # 
> @@ -89,13 +97,16 @@ miscfiles_read_localization(mailman_doma > # CGI local policy > # > > -allow mailman_cgi_t self:unix_dgram_socket { create connect }; > +allow mailman_cgi_t self:process { signal signull sigkill }; > +allow mailman_cgi_t self:fifo_file rw_fifo_file_perms; > +allow mailman_cgi_t self:capability { dac_override setgid setuid }; > +allow mailman_cgi_t self:unix_dgram_socket create_socket_perms; > > allow mailman_cgi_t mailman_archive_t:dir search_dir_perms; > allow mailman_cgi_t mailman_archive_t:file read_file_perms; > > allow mailman_cgi_t mailman_data_t:dir rw_dir_perms; > -allow mailman_cgi_t mailman_data_t:file manage_file_perms; > +allow mailman_cgi_t mailman_data_t:file { map manage_file_perms }; > allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms; > > allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms; 
> @@ -104,11 +115,27 @@ allow mailman_cgi_t mailman_lock_t:file > allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms }; > allow mailman_cgi_t mailman_log_t:dir search_dir_perms; > > +allow mailman_cgi_t mailman_runtime_t:dir rw_dir_perms; > +allow mailman_cgi_t mailman_runtime_t:file read_file_perms; > +allow mailman_cgi_t mailman_runtime_t:sock_file manage_file_perms; > + > +fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file) > +allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms }; > + > kernel_read_crypto_sysctls(mailman_cgi_t) > +kernel_read_net_sysctls(mailman_cgi_t) > kernel_read_system_state(mailman_cgi_t) > +kernel_read_vm_overcommit_sysctl(mailman_cgi_t) > > +# need SELinuxContext=system_u:system_r:mailman_cgi_t:s0 in the systemd > +# service file for the correct context on running /usr/bin/uwsgi for > +# mailman3-web > +corecmd_bin_entry_type(mailman_cgi_t) Why can't the label be changed for uwsgi? > corecmd_exec_bin(mailman_cgi_t) > > +corenet_tcp_bind_generic_node(mailman_cgi_t) > +corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t) > + > dev_read_urand(mailman_cgi_t) > > files_search_locks(mailman_cgi_t) > @@ -120,9 +147,9 @@ libs_dontaudit_write_lib_dirs(mailman_cg > > logging_search_logs(mailman_cgi_t) > > +miscfiles_read_generic_certs(mailman_cgi_t) > miscfiles_read_localization(mailman_cgi_t) > > - > optional_policy(` > apache_sigchld(mailman_cgi_t) > apache_use_fds(mailman_cgi_t) > @@ -133,6 +160,15 @@ optional_policy(` > ') > > optional_policy(` > + cron_rw_inherited_tmp_files(mailman_cgi_t) > + cron_system_entry(mailman_cgi_t, mailman_cgi_exec_t) > +') > + > +optional_policy(` > + mysql_stream_connect(mailman_cgi_t) > +') > + > +optional_policy(` > postfix_read_config(mailman_cgi_t) > ') 
> > @@ -142,7 +178,9 @@ optional_policy(` > # > > allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config }; > -allow mailman_mail_t self:process { signal signull setsched }; > +allow mailman_mail_t self:process { execmem signal signull setsched }; Any idea why the execmem is hit? > +allow mailman_mail_t self:netlink_audit_socket { nlmsg_relay create_socket_perms }; > +allow mailman_mail_t self:fifo_file rw_file_perms; > > allow mailman_mail_t mailman_archive_t:dir manage_dir_perms; > allow mailman_mail_t mailman_archive_t:file manage_file_perms; > @@ -167,8 +205,12 @@ manage_files_pattern(mailman_mail_t, mai > manage_dirs_pattern(mailman_mail_t, mailman_runtime_t, mailman_runtime_t) > files_runtime_filetrans(mailman_mail_t, mailman_runtime_t, { file dir }) > > +kernel_read_network_state(mailman_mail_t) > kernel_read_system_state(mailman_mail_t) > > +corenet_tcp_bind_all_unreserved_ports(mailman_mail_t) > +corenet_tcp_bind_generic_node(mailman_mail_t) > +corenet_tcp_connect_http_port(mailman_mail_t) > corenet_tcp_connect_smtp_port(mailman_mail_t) > corenet_sendrecv_spamd_client_packets(mailman_mail_t) > corenet_sendrecv_innd_client_packets(mailman_mail_t) > @@ -193,6 +235,7 @@ libs_read_lib_files(mailman_mail_t) > > logging_search_logs(mailman_mail_t) > > +miscfiles_read_generic_certs(mailman_mail_t) > miscfiles_read_localization(mailman_mail_t) > > mta_use_mailserver_fds(mailman_mail_t) 
> @@ -200,14 +243,26 @@ mta_dontaudit_rw_delivery_tcp_sockets(ma > mta_dontaudit_rw_queue(mailman_mail_t) > > optional_policy(` > + apache_search_config(mailman_mail_t) > +') > + > +optional_policy(` > courier_read_spool(mailman_mail_t) > ') > > optional_policy(` > cron_read_pipes(mailman_mail_t) > + cron_rw_inherited_tmp_files(mailman_mail_t) > + cron_search_spool(mailman_mail_t) > + cron_system_entry(mailman_mail_t, mailman_mail_exec_t) > +') > + > +optional_policy(` > + corenet_tcp_connect_mysqld_port(mailman_mail_t) > ') > > optional_policy(` > + postfix_read_config(mailman_mail_t) > postfix_search_spool(mailman_mail_t) > postfix_rw_inherited_master_pipes(mailman_mail_t) > ') > @@ -217,15 +272,18 @@ optional_policy(` > # Queue local policy > # > > -allow mailman_queue_t self:capability { setgid setuid }; > +allow mailman_queue_t self:capability { dac_override setgid setuid }; > allow mailman_queue_t self:process { setsched signal_perms }; > allow mailman_queue_t self:fifo_file rw_fifo_file_perms; > > +allow mailman_queue_t mailman_runtime_t:dir rw_dir_perms; > +allow mailman_queue_t mailman_runtime_t:file manage_file_perms; > + > allow mailman_queue_t mailman_archive_t:dir manage_dir_perms; > allow mailman_queue_t mailman_archive_t:file manage_file_perms; > > allow mailman_queue_t mailman_data_t:dir rw_dir_perms; > -allow mailman_queue_t mailman_data_t:file manage_file_perms; > +allow mailman_queue_t mailman_data_t:file { map manage_file_perms }; > allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms; > > allow mailman_queue_t mailman_lock_t:dir rw_dir_perms; 
> @@ -234,15 +292,25 @@ allow mailman_queue_t mailman_lock_t:fil > allow mailman_queue_t mailman_log_t:dir list_dir_perms; > allow mailman_queue_t mailman_log_t:file manage_file_perms; > > +fs_tmpfs_filetrans(mailman_queue_t, mailman_queue_tmpfs_t, file) > +allow mailman_queue_t mailman_queue_tmpfs_t:file { map manage_file_perms }; > + > +kernel_read_network_state(mailman_queue_t) > kernel_read_system_state(mailman_queue_t) > +kernel_search_vm_sysctl(mailman_queue_t) > > auth_domtrans_chk_passwd(mailman_queue_t) > > corecmd_read_bin_files(mailman_queue_t) > corenet_sendrecv_innd_client_packets(mailman_queue_t) > +corenet_tcp_bind_all_unreserved_ports(mailman_queue_t) > +corenet_tcp_bind_generic_node(mailman_queue_t) > +corenet_tcp_connect_generic_port(mailman_queue_t) > +corenet_tcp_connect_http_port(mailman_queue_t) > corenet_tcp_connect_innd_port(mailman_queue_t) > > files_dontaudit_search_runtime(mailman_queue_t) > +files_read_usr_files(mailman_queue_t) > files_search_locks(mailman_queue_t) > > miscfiles_read_localization(mailman_queue_t) > @@ -251,14 +319,24 @@ seutil_dontaudit_search_config(mailman_q > > userdom_search_user_home_dirs(mailman_queue_t) > > -cron_rw_tmp_files(mailman_queue_t) > - > optional_policy(` > apache_read_config(mailman_queue_t) > ') > > optional_policy(` > + cron_rw_tmp_files(mailman_queue_t) > + cron_search_spool(mailman_queue_t) > cron_system_entry(mailman_queue_t, mailman_queue_exec_t) > + cron_use_fds(mailman_queue_t) > +') > + > +optional_policy(` > + mysql_stream_connect(mailman_queue_t) > + mysql_tcp_connect(mailman_queue_t) > +') > + > +optional_policy(` > + postfix_read_config(mailman_queue_t) > ') > > optional_policy(` > Index: refpolicy-2.20220219/policy/modules/services/apache.te > =================================================================== > --- refpolicy-2.20220219.orig/policy/modules/services/apache.te > +++ refpolicy-2.20220219/policy/modules/services/apache.te 
> @@ -815,8 +815,10 @@ optional_policy(` > ') > > optional_policy(` > + mailman_stream_connect_cgi(httpd_t) > mailman_signal_cgi(httpd_t) > mailman_domtrans_cgi(httpd_t) > + mailman_map_data_files(httpd_t) > mailman_read_data_files(httpd_t) > mailman_search_data(httpd_t) > mailman_read_archive(httpd_t) > Index: refpolicy-2.20220219/policy/modules/services/cron.te > =================================================================== > --- refpolicy-2.20220219.orig/policy/modules/services/cron.te > +++ refpolicy-2.20220219/policy/modules/services/cron.te > @@ -604,6 +604,12 @@ optional_policy(` > ') > > optional_policy(` > + mailman_domtrans_queue(system_cronjob_t) > + # for flock > + mailman_manage_runtime_files(system_cronjob_t) > +') > + > +optional_policy(` > mrtg_append_create_logs(system_cronjob_t) > mrtg_read_config(system_cronjob_t) > ') > Index: refpolicy-2.20220219/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20220219.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20220219/policy/modules/system/systemd.te > @@ -1796,6 +1796,10 @@ optional_policy(` > ') > > optional_policy(` > + mailman_manage_lockdir(systemd_tmpfiles_t) There should be a systemd_tmpfilesd_managed(mailman_lock_t) in mailman.te instead. > +') > + > +optional_policy(` > xfs_create_tmp_dirs(systemd_tmpfiles_t) > ') > > Index: refpolicy-2.20220219/policy/modules/services/mailman.fc > =================================================================== > --- refpolicy-2.20220219.orig/policy/modules/services/mailman.fc > +++ refpolicy-2.20220219/policy/modules/services/mailman.fc 
> @@ -20,6 +20,7 @@ > > /usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) > /usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) > +/usr/lib/mailman3/bin/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) > /usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) > /usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) > /usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) > @@ -28,3 +29,4 @@ > /usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) > > /usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) > +/usr/share/mailman3-web/manage.py -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) -- Chris PeBenito
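Review bot: in mailman.if, hunk @@ -342,3 +398,21, mailman_manage_lockdir has a single caller in this patch, the systemd.te hunk. If that call is replaced by systemd_tmpfilesd_managed(mailman_lock_t) in mailman.te as the reply suggests, the interface is left without a user and can be dropped from the patch rather than kept as unused API.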
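Review bot: in mailman.te, CGI local policy hunk @@ -89,13 +97,16, "allow mailman_cgi_t self:capability { dac_override setgid setuid };" adds dac_override with no comment naming the access that needs it. Since dac_override bypasses all discretionary read, write and execute checks, please note which file or directory triggers the denial, and check whether fixing its ownership or mode, or granting only dac_read_search, is enough. The same question applies to the dac_override added for mailman_queue_t in hunk @@ -217,15 +272,18.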
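Review bot: in mailman.te, hunk @@ -104,11 +115,27, "allow mailman_cgi_t mailman_runtime_t:sock_file manage_file_perms;" uses the file permission set on the sock_file class; manage_sock_file_perms is the matching set. The same hunk adds corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t) without saying which service the CGI domain connects to; a comment, or a narrower port interface if the destination is known, would make the rule easier to audit.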
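Review bot: in mailman.te, mail local policy hunk @@ -142,7 +178,9, "allow mailman_mail_t self:fifo_file rw_file_perms;" uses the file permission set on the fifo_file class, while the CGI rule added in this patch and the existing queue rule both use rw_fifo_file_perms. Suggest rw_fifo_file_perms here as well for consistency.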
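Review bot: in mailman.te, hunk @@ -200,14 +243,26, the new optional_policy block contains only corenet_tcp_connect_mysqld_port(mailman_mail_t). A corenet interface does not depend on the mysql module, so the block does not tie the rule to mysql being present. The queue hunk uses mysql_tcp_connect(mailman_queue_t) inside its optional block; mysql_tcp_connect(mailman_mail_t) here would match that and make the optional block meaningful.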
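Review bot: in cron.te, hunk @@ -604,6 +604,12, the comment says "# for flock" but mailman_manage_runtime_files(system_cronjob_t) expands to manage_files_pattern on mailman_runtime_t, which grants create, write and unlink as well as lock. If the cron job only takes a lock on an existing file, a narrower interface limited to the permissions flock needs would match the comment; if it also creates the lock file, the comment should say so.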
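Review bot: in mailman.fc, second hunk, "/usr/share/mailman3-web/manage.py" is labelled mailman_queue_exec_t, while the comment added in mailman.te places mailman3-web (run through /usr/bin/uwsgi) in mailman_cgi_t. A short comment explaining why manage.py is an entry point to the queue domain rather than the CGI domain would help. The first hunk's "/usr/lib/mailman3/bin/.*" also makes every file in that directory a queue entry point; listing the specific binaries would keep the set of entry points explicit.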