From: sds@tycho.nsa.gov (Stephen Smalley)
Date: Wed, 16 Feb 2011 09:59:58 -0500
Subject: [refpolicy] [PATCH 1/1] Without allow siginh,
 we get a huge timeout wait period (15 seconds)
In-Reply-To: <20110214190352.GC13533@siphos.be>
References: <20110206151633.GA13056@siphos.be> <4D593FB4.5030307@tresys.com>
	<20110214190352.GC13533@siphos.be>
Message-ID: <1297868398.27031.31.camel@moss-pluto>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2011-02-14 at 20:03 +0100, Sven Vermeulen wrote:
> On Mon, Feb 14, 2011 at 09:44:04AM -0500, Christopher J. PeBenito wrote:
> > On 2/6/2011 10:16 AM, Sven Vermeulen wrote:
> > > We need to allow siginh; without it, xinit waits for 15 seconds
> > > before continuing (not really user friendly), even though the system
> > > functions properly afterwards.
> > 
> > This needs a comment in the policy.  Also, it should probably go in 
> > xserver_restricted_role() instead.
> 
> Why not both (xserver_role and xserver_restricted_role)? Both get the timeout otherwise.
> 
> I'm trying to find some information on the SIGINH but am failing
> tremendously (all that I can find is that SELinux dontaudit's it and the
> fact that many people don't know that). What is siginh?

>From the code:
        /* Check whether the new SID can inherit signal state from the old SID.
         * If not, clear itimers to avoid subsequent signal generation and
         * flush and unblock signals.
         *
         * This must occur _after_ the task SID has been updated so that any
         * kill done after the flush will be checked against the new SID.
         */

One of a set of permission checks designed to help reduce the ability of
a caller to influence/control the behavior of a program that runs with
different permissions.

-- 
Stephen Smalley
National Security Agency