Hi Grift,

I added these rules, and now it works! And I understood how it works:

###### TYPE TRANSITION FOR lvm_t #######################
role diskadm_role_r types lvm_t;
type_transition diskadm_role_t lvm_exec_t : process lvm_t;
allow diskadm_role_t lvm_exec_t : file { getattr read open execute };
allow diskadm_role_t lvm_t : process transition;
allow diskadm_role_t lvm_t : process { siginh rlimitinh sigchld };
allow lvm_t diskadm_role_t : process { sigchld };
allow lvm_t diskadm_role_t : fd use;
#########################################################

Thanks for your support.

Maurizio

-----Original Message-----
From: Dominick Grift [mailto:dominick.grift@xxxxxxxxx]
Sent: Tuesday, 19 February 2013 12:36
To: Maurizio Pagani Gmail
Cc: selinux@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: type_transition and sigchild

On Tue, 2013-02-19 at 07:55 +0100, Maurizio Pagani Gmail wrote:
>
> type=AVC msg=audit(1361254531.179:7044668): avc: denied { sigchld } for pid=3968 comm="bash" scontext=ssh_role_u:diskadm_role_r:lvm_t:s0 tcontext=ssh_role_u:diskadm_role_r:diskadm_role_t:s0 tclass=process
>

The sigchld permission is the "child terminated" signal. Child processes need to be able to send it to the parent process (in this case "lvdisplay" (lvm_t) executed by the user from the "BASH shell" (diskadm_role_t)).

This is a common event when doing a domain transition and therefore it is also part of the domtrans_pattern() pattern. This is a pattern in refpolicy that has all the common permissions required to domain transition.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
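The same transition expressed with the domtrans_pattern() macro Dominick refers to, as an added example that is not part of the thread. It assumes a reference-policy based tree (for instance the selinux-policy-devel headers on Fedora or RHEL) in which lvm_t, lvm_exec_t, diskadm_role_t and diskadm_role_r already exist; the module name diskadm_lvm is made up for the example, and the macro expansion quoted in the comment is reproduced from memory of refpolicy's support/misc_patterns.spt and should be checked against your tree.

```selinux
# diskadm_lvm.te: added example module, not code from the thread.
# Assumes refpolicy headers and the existing types/role named below.
policy_module(diskadm_lvm, 1.0)

gen_require(`
	type diskadm_role_t;
	role diskadm_role_r;
	type lvm_t, lvm_exec_t;
')

# domtrans_pattern(source, entrypoint, target) expands to roughly the
# rules Maurizio wrote by hand, plus the fifo_file rule (expansion from
# memory of support/misc_patterns.spt; verify against your refpolicy):
#   allow diskadm_role_t lvm_exec_t:file { getattr open read execute };
#   type_transition diskadm_role_t lvm_exec_t:process lvm_t;
#   allow diskadm_role_t lvm_t:process transition;
#   dontaudit diskadm_role_t lvm_t:process { noatsecure siginh rlimitinh };
#   allow lvm_t diskadm_role_t:fd use;
#   allow lvm_t diskadm_role_t:fifo_file rw_inherited_fifo_file_perms;
#   allow lvm_t diskadm_role_t:process sigchld;
# The last rule is the one that silences the sigchld AVC from the thread.
domtrans_pattern(diskadm_role_t, lvm_exec_t, lvm_t)

# The pattern says nothing about roles, so the role authorisation for the
# target domain still has to be granted separately; without it the
# transition fails the role check even though every type rule is present.
role diskadm_role_r types lvm_t;

# lvm.if normally wraps both steps in lvm_run(); its argument list differs
# between refpolicy versions, so check the interface before using it:
#   lvm_run(diskadm_role_t, diskadm_role_r)
```

Build and load it from the directory containing the .te file with `make -f /usr/share/selinux/devel/Makefile diskadm_lvm.pp && semodule -i diskadm_lvm.pp`, then confirm the loaded policy contains what you expect with `sesearch -T -s diskadm_role_t -t lvm_exec_t -c process` (the type_transition) and `sesearch -A -s lvm_t -t diskadm_role_t -c process -p sigchld` (the child-to-parent signal). One difference from the hand-written rules is worth noting: the macro dontaudits siginh and rlimitinh rather than allowing them, so the shell's signal state and resource limits are not inherited across the transition into lvm_t, whereas the rule `allow diskadm_role_t lvm_t : process { siginh rlimitinh sigchld };` lets them through.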