On 04/16/2015 08:06 PM, Daniel J Walsh wrote:
>
> On 04/16/2015 05:28 AM, Florian Weimer wrote:
>> The ABRT coredump handler has code to emulate default core file creation
>> (as if no such pipe-based handler was installed). The handler runs in a
>> separate process, initially as root. Currently, the handler just
>> switches effective IDs and creates the file. This does not replicate
>> the SELinux context of the zombie process.
>>
>> Is there a way to do that? Is there some recommended way to inherit
>> all the security-related process attributes?
>>
> You have two choices. 1 would be to setcon() call to change the label
> to the user process.
>
> The other choice would be to ask the kernel what label this user would
> create if he created a file in the specified directory. This is what
> systemd does.

Dan, could you please double-check if this change (implementing the
second option) looks reasonable?

<https://github.com/abrt/abrt/commit/3e4155bfcd9f6f5a20964080fa05724503b20761>

Thanks,
Florian

-- 
Florian Weimer / Red Hat Product Security
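The second option discussed above (ask the kernel which label a new file would receive, then create the file under that label), as an added example that is not part of the original thread and is not ABRT's code. It calls libselinux's getpidcon_raw(), getfilecon_raw(), security_compute_create_raw() and setfscreatecon_raw() through Python ctypes; the helper names, the library file name libselinux.so.1 and the open flags are assumptions of this example.

```python
import ctypes
import os

def _libselinux():
    """Load libselinux; None if the library is absent or SELinux is disabled."""
    try:
        lib = ctypes.CDLL("libselinux.so.1", use_errno=True)  # assumed soname
    except OSError:
        return None
    lib.string_to_security_class.restype = ctypes.c_ushort
    lib.freecon.argtypes = [ctypes.c_void_p]
    lib.freecon.restype = None
    return lib if lib.is_selinux_enabled() > 0 else None

def _context(lib, fn, *args):
    """Call a libselinux function whose last argument is a `char **` result."""
    out = ctypes.c_void_p()
    if fn(*args, ctypes.byref(out)) < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    try:
        return ctypes.string_at(out)  # copy the context string out as bytes
    finally:
        lib.freecon(out)

def creation_context(pid, directory, tclass=b"file"):
    """Context the kernel would assign to a new object of class `tclass`
    created by process `pid` in `directory`; None when SELinux is off."""
    lib = _libselinux()
    if lib is None:
        return None
    scon = _context(lib, lib.getpidcon_raw, pid)  # label of the crashed process
    tcon = _context(lib, lib.getfilecon_raw, os.fsencode(directory))  # parent dir
    cls = lib.string_to_security_class(tclass)
    return _context(lib, lib.security_compute_create_raw, scon, tcon, cls).decode()

def create_with_context(path, context, mode=0o600):
    """Create `path` exclusively, labeled `context` (plain create if None)."""
    lib = _libselinux() if context else None
    if lib is not None and lib.setfscreatecon_raw(context.encode()) < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    try:
        # Assumed flags: never follow a symlink or reuse an existing file.
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        return os.open(path, flags, mode)
    finally:
        if lib is not None:
            lib.setfscreatecon_raw(None)  # per-thread setting: always reset it
```

The fscreate setting applies to the calling thread until it is reset, so the reset belongs in the same code path as the create, including on failure.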