From: sds@tycho.nsa.gov (Stephen Smalley) Date: Wed, 16 Feb 2011 09:59:58 -0500 Subject: [refpolicy] [PATCH 1/1] Without allow siginh, we get a huge timeout wait period (15 seconds) In-Reply-To: <20110214190352.GC13533@siphos.be> References: <20110206151633.GA13056@siphos.be> <4D593FB4.5030307@tresys.com> <20110214190352.GC13533@siphos.be> Message-ID: <1297868398.27031.31.camel@moss-pluto> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 2011-02-14 at 20:03 +0100, Sven Vermeulen wrote: > On Mon, Feb 14, 2011 at 09:44:04AM -0500, Christopher J. PeBenito wrote: > > On 2/6/2011 10:16 AM, Sven Vermeulen wrote: > > > We need to allow siginh; without it, xinit waits for 15 seconds > > > before continuing (not really user friendly), even though the system > > > functions properly afterwards. > > > > This needs a comment in the policy. Also, it should probably go in > > xserver_restricted_role() instead. > > Why not both (xserver_role and xserver_restricted_role)? Both get the timeout otherwise. > > I'm trying to find some information on the SIGINH but am failing > tremendously (all that I can find is that SELinux dontaudit's it and the > fact that many people don't know that). What is siginh? >From the code: /* Check whether the new SID can inherit signal state from the old SID. * If not, clear itimers to avoid subsequent signal generation and * flush and unblock signals. * * This must occur _after_ the task SID has been updated so that any * kill done after the flush will be checked against the new SID. */ One of a set of permission checks designed to help reduce the ability of a caller to influence/control the behavior of a program that runs with different permissions. -- Stephen Smalley National Security Agency