Hello,

I am probably overlooking something, but it seems that SELinux prevents the environment variables from being inherited by the new program over exec():

I have a daemon (running in its own domain mydaemon_t) which tries to fork() and then exec() a program which has domain_auto_trans() to a new domain myprogram_t. Now I want to pass a TMPDIR environment variable from the daemon to the program. It does not work - I get AVCs about myprogram_t trying to read the tmp_t directory (which means it still tries to use /tmp, not whatever is written in TMPDIR). I have created my own directory /var/myprogram/tmp which I also put into the TMPDIR variable.

When I add "sleep(100)" to the daemon just before the exec() of myprogram, I can see the TMPDIR variable correctly set in /proc/<pid>/environ.

When I do "setenforce 0", running the program from the daemon causes the /var/myprogram/tmp mtime to be updated and no AVCs are logged, so the program gets the TMPDIR variable correctly set up.

Does SELinux prevent the environment variables from being inherited over exec()? If so, how can I enable it?

Thanks,

-Yenya

--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<
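A diagnostic for the situation described in the message above, as an added example that is not part of the original post: a stand-in program to exec from the daemon instead of the real one, which reports whether TMPDIR arrived and whether the kernel marked the exec as a secure transition (AT_SECURE), in which case glibc removes some variables, TMPDIR among them, before the program starts. That this secure-mode scrubbing is the cause is an assumption, not something the post states; `check_env`, `classify` and `struct env_report` are hypothetical names.

```c
/* envcheck.c (added example): exec this from the daemon in place of the real
 * program to see what environment survives the exec(). Assumption: it carries
 * the same SELinux file label as the real program, so the same transition runs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

struct env_report {
    int at_secure;     /* 1 if the kernel flagged this exec as secure */
    int present;       /* 1 if the variable is in this process's environment */
    char value[256];   /* copy of the value (truncated if longer) */
};

/* Record how one variable looks from inside the exec'ed process. */
int check_env(const char *name, struct env_report *r)
{
    const char *v;

    if (name == NULL || *name == '\0' || r == NULL)
        return -1;
    memset(r, 0, sizeof(*r));
    r->at_secure = getauxval(AT_SECURE) != 0;
    v = getenv(name);
    if (v != NULL) {
        r->present = 1;
        snprintf(r->value, sizeof(r->value), "%s", v);
    }
    return 0;
}

/* 0: variable arrived; 1: missing and AT_SECURE set (consistent with glibc
 * secure mode dropping it); 2: missing without AT_SECURE (look elsewhere). */
int classify(const struct env_report *r)
{
    if (r->present)
        return 0;
    return r->at_secure ? 1 : 2;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "TMPDIR";
    struct env_report r;

    if (check_env(name, &r) != 0)
        return 3;
    fprintf(stderr, "AT_SECURE=%d %s=%s\n", r.at_secure, name,
            r.present ? r.value : "(unset)");
    return classify(&r);
}
```

The exit status carries the classification, so the daemon can log it from waitpid() even when the child's stderr is not captured.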