On 04/20/2015 04:05 PM, Florian Weimer wrote:
> On 04/16/2015 08:06 PM, Daniel J Walsh wrote:
>>
>> On 04/16/2015 05:28 AM, Florian Weimer wrote:
>>> The ABRT coredump handler has code to emulate default core file creation
>>> (as if no such pipe-based handler was installed). The handler runs in a
>>> separate process, initially as root. Currently, the handler just
>>> switches effective IDs and creates the file. This does not replicate
>>> the SELinux context of the zombie process.
>>>
>>> Is there a way to do that? Is there some recommended way to inherit
>>> all the security-related process attributes?
>>>
>> You have two choices. 1 would be to setcon() call to change the label
>> to the user process.
>>
>> The other choice would be to ask the kernel what label this user would
>> create if he created a file
>> in the specified directory. This is what systemd does.
>
> Dan, could you please double-check if this change (implementing the
> second option) looks reasonable?
>
> <https://github.com/abrt/abrt/commit/3e4155bfcd9f6f5a20964080fa05724503b20761>

I would go with _raw interfaces how Stephen suggested above. Also we
should take care about ABRT SELinux policy.

> Thanks,
> Florian
>

--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
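
The second option quoted above (asking the kernel what label a new file would get) is shown here at the level of the selinuxfs `create` node that libselinux's `security_compute_create_raw()` wraps. This is an added example, not code from the thread or from the ABRT commit; the sample contexts are constructed, and the class index `6` is a placeholder for the value found in `class/file/index` under the selinuxfs mount.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Format the selinuxfs "create" query: "<source ctx> <target ctx> <class index>".
 * Returns the request length, or -1 if it does not fit (never send a truncated context). */
int build_create_request(char *buf, size_t size, const char *scon,
                         const char *tcon, unsigned short tclass)
{
    int n = snprintf(buf, size, "%s %s %hu", scon, tcon, tclass);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* Ask the kernel which context a process labelled scon would give a new object
 * of class tclass created under a parent labelled tcon (for a core file: the
 * crashed process's context and the target directory's context).
 * Contexts go in and come out in raw form, with no translation step.
 * selinuxfs is the mount point, normally /sys/fs/selinux.
 * Returns 0 and fills out, or -1 on any error. */
int compute_create_raw(const char *selinuxfs, const char *scon, const char *tcon,
                       unsigned short tclass, char *out, size_t outsz)
{
    char path[256], req[4096];
    int len, fd, rc = -1;
    ssize_t got;

    if (snprintf(path, sizeof path, "%s/create", selinuxfs) >= (int)sizeof path)
        return -1;
    len = build_create_request(req, sizeof req, scon, tcon, tclass);
    if (len < 0 || outsz == 0) return -1;
    fd = open(path, O_RDWR);
    if (fd < 0) return -1;              /* SELinux disabled or selinuxfs not mounted */
    if (write(fd, req, (size_t)len) == len) {
        got = read(fd, out, outsz - 1); /* the reply comes back on the same descriptor */
        if (got > 0) { out[got] = '\0'; rc = 0; }
    }
    close(fd);
    return rc;
}

int main(void)
{
    char con[512];
    /* Constructed contexts; 6 is a placeholder for the class/file/index value. */
    int rc = compute_create_raw("/sys/fs/selinux", "staff_u:staff_r:staff_t:s0",
                                "system_u:object_r:user_home_t:s0", 6, con, sizeof con);
    puts(rc == 0 ? con : "no answer from selinuxfs");
    return 0;
}
```

In a real handler the result would be applied with `setfscreatecon_raw()` before creating the file and reset to NULL afterwards, so that unrelated files created later are not mislabelled.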