There has got to be something I am doing wrong. But on my blog someone asked about writing a program that does a fork and having SELinux block it. Where is the fork access coming from?

In the tmp dir I see this policy being compiled.

    # grep process.*fork fork.tmp
    class process { fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate };
    type_transition initrc_t fork_exec_t:process fork_t;
    type_transition init_t fork_exec_t:process fork_t;
    type_transition unconfined_t fork_exec_t:process fork_t;
    neverallow fork_t self:process fork;

But if I install.

    # semodule -i fork.pp
    libsepol.check_assertion_helper: neverallow violated by allow fork_t fork_t:process { fork };
    libsemanage.semanage_expand_sandbox: Expand module failed
    semodule: Failed!

If I remove the neverallow line.

    # sesearch -A -s fork_t -p fork
    Found 1 semantic av rules:
    allow fork_t fork_t : process { fork sigchld } ;

Something strange is going on.
Attachment:
fork.tgz
Description: application/compressed-tar
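A toy model of the assertion check that semodule runs, added here as an example and not part of the original post: libsepol expands attributes and `self` into concrete type pairs before testing each neverallow, so an allow rule inherited through an attribute the domain carries is what surfaces as `allow fork_t fork_t:process { fork }`. The `domain` attribute, its members and the permissions it grants are constructed assumptions standing in for whatever the base policy gives every domain.

```python
"""Toy model of libsepol's neverallow assertion check (added example).

The rules and attribute membership below are constructed; the 'domain'
attribute rule is an assumption standing in for base-policy rules."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    kind: str        # "allow" or "neverallow"
    source: str      # type or attribute
    target: str      # type, attribute, or "self"
    cls: str         # object class, e.g. "process"
    perms: frozenset


def expand(rule, attrs):
    """Expand attributes and 'self' into concrete (source, target) pairs."""
    pairs = set()
    for s in attrs.get(rule.source, {rule.source}):
        if rule.target == "self":
            pairs.add((s, s))          # self binds to each expanded source
        else:
            pairs.update((s, t) for t in attrs.get(rule.target, {rule.target}))
    return pairs


def check_assertions(rules, attrs):
    """Return (neverallow, allow, overlapping perms) for every violation."""
    allows = [r for r in rules if r.kind == "allow"]
    violations = []
    for na in (r for r in rules if r.kind == "neverallow"):
        na_pairs = expand(na, attrs)
        for a in allows:
            overlap = a.perms & na.perms
            if a.cls == na.cls and overlap and expand(a, attrs) & na_pairs:
                violations.append((na, a, overlap))
    return violations


# Constructed sample: fork_t is a member of the 'domain' attribute (assumption)
ATTRS = {"domain": {"fork_t", "init_t"}}
RULES = [
    Rule("allow", "domain", "self", "process", frozenset({"fork", "sigchld"})),
    Rule("neverallow", "fork_t", "self", "process", frozenset({"fork"})),
]

if __name__ == "__main__":
    for na, a, perms in check_assertions(RULES, ATTRS):
        print(f"neverallow violated by allow {a.source} {a.target}:{a.cls}"
              f" {{ {' '.join(sorted(perms))} }}")
```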