On Thu, 2005-02-10 at 10:23, Tom London wrote:
> Running targeted/enforcing, latest rawhide.
>
> After installing today's policy files and rebooting, had X/execmem
> problems. Solved by 'setsebool -P allow_execmem 1'.
>
> Rebooting produces scads of use and sigchild denials. Attached is
> /var/log/messages.
>
> In the past, use/fd denials were usually due to leaky file descriptors
> across execs. Is that likely the case here? Not sure about sigchild....

No, I removed rules from the general unconfined_domain() macro that shouldn't be applied to _all_ unconfined domains, and no one has yet added them back to the specific unconfined.te file in the targeted policy (which is the only place they were needed). In the targeted policy, all other domains are launched from the unconfined_t domain, and these rules used to be covered by the domain_auto_trans rules, but the re-introduction of initrc_t into the targeted policy means that they have to be separately allowed. So the

	allow domain unconfined_t:fd use;
	allow domain unconfined_t:process sigchld;

rules need to go into the targeted unconfined.te file.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
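The reply says which two rules are missing but not how to confirm, from a log like the one Tom attached, that the denials really are the systemic fd-use/sigchld case rather than a leaked descriptor in one program. The following is an added example, not code from the thread or from the Fedora policy tree: it parses AVC denial lines in the 2005 kernel/syslog format into (source domain, target type, class, permissions) tuples, the same reduction audit2allow performs, and prints candidate allow rules. The sample log lines are constructed here and are not from the attached /var/log/messages; the option to merge every rule aimed at unconfined_t into a single rule from the "domain" attribute is an assumption that mirrors the shape of the rules quoted in the reply, and is wider than what a per-domain audit2allow run would give you.

```python
"""Reduce SELinux AVC denials to candidate allow rules.

Added example for the thread above; not code from the thread or the policy tree.
"""
import re
from collections import defaultdict

# Constructed sample lines in the 2005 /var/log/messages AVC format.
# They are NOT taken from the log attached to the original mail.
SAMPLE_LOG = """\
Feb 10 10:30:01 host kernel: audit(1108052401.123:0): avc:  denied  { use } for  pid=1234 comm="syslogd" path="/dev/null" dev=tmpfs ino=5 scontext=root:system_r:initrc_t tcontext=root:system_r:unconfined_t tclass=fd
Feb 10 10:30:01 host kernel: audit(1108052401.124:0): avc:  denied  { use } for  pid=1235 comm="klogd" path="/dev/null" dev=tmpfs ino=5 scontext=root:system_r:initrc_t tcontext=root:system_r:unconfined_t tclass=fd
Feb 10 10:30:02 host kernel: audit(1108052402.001:0): avc:  denied  { sigchld } for  pid=1 comm="init" scontext=root:system_r:initrc_t tcontext=root:system_r:unconfined_t tclass=process
Feb 10 10:30:02 host kernel: audit(1108052402.002:0): avc:  denied  { sigchld } for  pid=2000 comm="httpd" scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t tclass=process
Feb 10 10:30:03 host kernel: audit(1108052403.000:0): avc:  denied  { read } for  pid=2001 comm="httpd" name="index.html" dev=hda2 ino=77 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Feb 10 10:30:03 host kernel: not an avc line
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source_domain, target_type, tclass, {perms}) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group('perms').split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    try:
        # Contexts look like user:role:type; the type is the third field.
        sdom = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return sdom, ttype, tclass, perms


def collect(log_text):
    """Group denied permissions by (source domain, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            sdom, ttype, tclass, perms = parsed
            rules[(sdom, ttype, tclass)] |= perms
    return rules


def fmt_perms(perms):
    """Policy syntax: a single perm bare, several inside braces."""
    return next(iter(perms)) if len(perms) == 1 else '{ ' + ' '.join(sorted(perms)) + ' }'


def allow_rules(log_text, collapse_target=None):
    """Emit sorted allow rules. With collapse_target='unconfined_t', every rule aimed at
    unconfined_t is merged into one rule from the 'domain' attribute, the shape used in
    the reply (assumption for illustration: it is broader than a per-domain rule)."""
    rules = collect(log_text)
    if collapse_target:
        merged = defaultdict(set)
        for (sdom, ttype, tclass), perms in rules.items():
            key = ('domain', ttype, tclass) if ttype == collapse_target else (sdom, ttype, tclass)
            merged[key] |= perms
        rules = merged
    return sorted(f'allow {s} {t}:{c} {fmt_perms(p)};' for (s, t, c), p in rules.items())


if __name__ == '__main__':
    print('# per source domain (what to eyeball for a single leaky program):')
    print('\n'.join(allow_rules(SAMPLE_LOG)))
    print('# collapsed onto the domain attribute, as in the reply:')
    print('\n'.join(allow_rules(SAMPLE_LOG, collapse_target='unconfined_t')))
```

Run the per-domain view first: if fd-use denials against unconfined_t come from every domain initrc_t launches, that is the policy gap described in the reply; if they come from one domain on one odd path, that is the leaked-descriptor case Tom mentions and the program, not the policy, should be fixed. Only then add the collapsed rules to unconfined.te.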