We need to allow siginh; without it, xinit waits for 15 seconds
before continuing (not really user friendly), even though the system
functions properly afterwards.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/xserver.if | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index da2601a..01274b4 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -142,6 +142,8 @@ interface(`xserver_role',`
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
+ allow $2 xserver_t:process { siginh };
+
allow $2 iceauth_home_t:file manage_file_perms;
allow $2 iceauth_home_t:file { relabelfrom relabelto };
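Review bot: The added rule "allow $2 xserver_t:process { siginh };" has no comment in the policy saying why the role domain needs it, so the reason given in the commit message (the 15-second xinit wait) is lost once the patch is applied; add a one-line comment above the rule. The braces around a single permission can be dropped as well, giving "allow $2 xserver_t:process siginh;". The hunk header shows the rule landing in xserver_role; if every caller of the restricted interface hits the same wait, the rule belongs where both paths pick it up.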
--
1.7.3.4
On 02/06/2011 04:16 PM, Sven Vermeulen wrote:
> We need to allow siginh; without it, xinit waits for 15 seconds
> before continuing (not really user friendly), even though the system
> functions properly afterwards.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/services/xserver.if | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index da2601a..01274b4 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -142,6 +142,8 @@ interface(`xserver_role',`
> allow $2 xserver_t:shm rw_shm_perms;
> allow $2 xserver_tmpfs_t:file rw_file_perms;
>
> + allow $2 xserver_t:process { siginh };
nit: no brace expansion needed, nothing to expand here.
> +
> allow $2 iceauth_home_t:file manage_file_perms;
> allow $2 iceauth_home_t:file { relabelfrom relabelto };
>
On 2/6/2011 10:16 AM, Sven Vermeulen wrote:
> We need to allow siginh; without it, xinit waits for 15 seconds
> before continuing (not really user friendly), even though the system
> functions properly afterwards.
This needs a comment in the policy. Also, it should probably go in
xserver_restricted_role() instead.
> Signed-off-by: Sven Vermeulen<[email protected]>
> ---
> policy/modules/services/xserver.if | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index da2601a..01274b4 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -142,6 +142,8 @@ interface(`xserver_role',`
> allow $2 xserver_t:shm rw_shm_perms;
> allow $2 xserver_tmpfs_t:file rw_file_perms;
>
> + allow $2 xserver_t:process { siginh };
> +
> allow $2 iceauth_home_t:file manage_file_perms;
> allow $2 iceauth_home_t:file { relabelfrom relabelto };
>
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Mon, Feb 14, 2011 at 09:44:04AM -0500, Christopher J. PeBenito wrote:
> On 2/6/2011 10:16 AM, Sven Vermeulen wrote:
> > We need to allow siginh; without it, xinit waits for 15 seconds
> > before continuing (not really user friendly), even though the system
> > functions properly afterwards.
>
> This needs a comment in the policy. Also, it should probably go in
> xserver_restricted_role() instead.
Why not both (xserver_role and xserver_restricted_role)? Both get the timeout otherwise.
I'm trying to find some information on the SIGINH but am failing
tremendously (all that I can find is that SELinux dontaudit's it and the
fact that many people don't know that). What is siginh?
Wkr,
Sven Vermeulen
On 02/14/11 14:03, Sven Vermeulen wrote:
> On Mon, Feb 14, 2011 at 09:44:04AM -0500, Christopher J. PeBenito wrote:
>> On 2/6/2011 10:16 AM, Sven Vermeulen wrote:
>>> We need to allow siginh; without it, xinit waits for 15 seconds
>>> before continuing (not really user friendly), even though the system
>>> functions properly afterwards.
>>
>> This needs a comment in the policy. Also, it should probably go in
>> xserver_restricted_role() instead.
>
> Why not both (xserver_role and xserver_restricted_role)? Both get the timeout otherwise.
xserver_role() calls xserver_restricted_role().
> I'm trying to find some information on the SIGINH but am failing
> tremendously (all that I can find is that SELinux dontaudit's it and the
> fact that many people don't know that). What is siginh?
Signal inheritance across exec().
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 02/16/11 09:31, Christopher J. PeBenito wrote:
> On 02/14/11 14:03, Sven Vermeulen wrote:
>> On Mon, Feb 14, 2011 at 09:44:04AM -0500, Christopher J. PeBenito wrote:
>> I'm trying to find some information on the SIGINH but am failing
>> tremendously (all that I can find is that SELinux dontaudit's it and the
>> fact that many people don't know that). What is siginh?
>
> Signal inheritance across exec().
More specifically, across domain transition. So if siginh is denied, no
signals are inherited.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Mon, 2011-02-14 at 20:03 +0100, Sven Vermeulen wrote:
> On Mon, Feb 14, 2011 at 09:44:04AM -0500, Christopher J. PeBenito wrote:
> > On 2/6/2011 10:16 AM, Sven Vermeulen wrote:
> > > We need to allow siginh; without it, xinit waits for 15 seconds
> > > before continuing (not really user friendly), even though the system
> > > functions properly afterwards.
> >
> > This needs a comment in the policy. Also, it should probably go in
> > xserver_restricted_role() instead.
>
> Why not both (xserver_role and xserver_restricted_role)? Both get the timeout otherwise.
>
> I'm trying to find some information on the SIGINH but am failing
> tremendously (all that I can find is that SELinux dontaudit's it and the
> fact that many people don't know that). What is siginh?
From the code:
/* Check whether the new SID can inherit signal state from the old SID.
* If not, clear itimers to avoid subsequent signal generation and
* flush and unblock signals.
*
* This must occur _after_ the task SID has been updated so that any
* kill done after the flush will be checked against the new SID.
*/
One of a set of permission checks designed to help reduce the ability of
a caller to influence/control the behavior of a program that runs with
different permissions.
--
Stephen Smalley
National Security Agency
Allow xserver_restricted_role domains to call/start Xorg (using startx), fixes
15-second lag/timeout (needs siginh permission as provided by
xserver_domtrans).
Apparently, the 15-second lag (or some other behavior) was already detected
in the past, giving rise to the SIGINH permission in the xserver_domtrans()
interface.
However, domains that are given the xserver_(restricted_)role do not call
the xserver_domtrans but rather the "standard" domtrans_pattern.
The new patch suggests to use xserver_domtrans in the
xserver_restricted_role, which automatically includes the siginh permission
then.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/xserver.if | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index da2601a..130ced9 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -30,7 +30,6 @@ interface(`xserver_restricted_role',`
allow xserver_t $2:fd use;
allow xserver_t $2:shm rw_shm_perms;
- domtrans_pattern($2, xserver_exec_t, xserver_t)
allow xserver_t $2:process signal;
allow xserver_t $2:shm rw_shm_perms;
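Review bot: With "domtrans_pattern($2, xserver_exec_t, xserver_t)" removed, nothing in this hunk gives $2 a transition into xserver_t; that now depends entirely on the xserver_domtrans($2) call added about 65 lines further down in the same interface. Consider placing the replacement call at this position so the transition stays next to the related "allow xserver_t $2:..." rules. The context also shows "allow xserver_t $2:shm rw_shm_perms;" on both sides of the removed line, a duplicate that could be dropped in a separate cleanup.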
@@ -96,6 +95,7 @@ interface(`xserver_restricted_role',`
miscfiles_read_fonts($2)
xserver_common_x_domain_template(user, $2)
+ xserver_domtrans($2)
xserver_unconfined($2)
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
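Review bot: The new "xserver_domtrans($2)" line has no comment saying it is used in place of domtrans_pattern because it also grants siginh; without one, a later cleanup could swap it back and reintroduce the 15-second startup lag. Add a short comment above the call. Since the body of xserver_domtrans() is not shown in this patch, it is also worth confirming that it grants nothing beyond the transition and siginh that a restricted role should not receive.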
--
1.7.3.4
On 2/22/2011 3:30 PM, Sven Vermeulen wrote:
> Allow xserver_restricted_role domains to call/start Xorg (using startx), fixes
> 15-second lag/timeout (needs siginh permission as provided by
> xserver_domtrans).
>
>
> Apparently, the 15-second lag (or some other behavior) was already detected
> in the past, giving rise to the SIGINH permission in the xserver_domtrans()
> interface.
>
> However, domains that are given the xserver_(restricted_)role do not call
> the xserver_domtrans but rather the "standard" domtrans_pattern.
>
> The new patch suggests to use xserver_domtrans in the
> xserver_restricted_role, which automatically includes the siginh permission
> then.
Merged.
> Signed-off-by: Sven Vermeulen<[email protected]>
> ---
> policy/modules/services/xserver.if | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index da2601a..130ced9 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -30,7 +30,6 @@ interface(`xserver_restricted_role',`
> allow xserver_t $2:fd use;
> allow xserver_t $2:shm rw_shm_perms;
>
> - domtrans_pattern($2, xserver_exec_t, xserver_t)
> allow xserver_t $2:process signal;
>
> allow xserver_t $2:shm rw_shm_perms;
> @@ -96,6 +95,7 @@ interface(`xserver_restricted_role',`
> miscfiles_read_fonts($2)
>
> xserver_common_x_domain_template(user, $2)
> + xserver_domtrans($2)
> xserver_unconfined($2)
> xserver_xsession_entry_type($2)
> xserver_dontaudit_write_log($2)
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com