On Sun, Jun 28, 2020 at 10:20 PM Ian Pilcher <arequipeno@xxxxxxxxx> wrote:
>
> I'm in the (hopefully) final stages of creating the policy module for a
> daemon that I've written to monitor my home NAS.
>
> The daemon is started by systemd (init_t) and runs as its own type
> (freecusd_t). In order to read the SMART attributes of the NAS drives,
> the daemon runs a helper application, which has its own type
> (freecusd_smart_t). So:
>
> systemd (init_t) --> freecusd (freecusd_t)
>                       --> freecusd_smart_helper (freecusd_smart_t)
>
> This is all working (although I can't help but think that there's likely
> a macro that I could have used to define the helper type that would have
> made things a lot easier). Every time that the daemon starts, however,
> I'm getting this denial repeated 4 times:
>
> type=AVC msg=audit(1593392372.230:9215): avc: denied { sigchld } for
> pid=1 comm="systemd" scontext=system_u:system_r:freecusd_smart_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0
>
> (Note that the daemon spawns the helper repeatedly while it runs, but I
> only ever see the denial 4 times when the daemon first starts.)
>
> It appears that the helper process is trying to send SIGCHLD, which
> doesn't seem right, as its parent is still running. (I've already given
> the helper permission to send SIGCHLD to its parent, freecusd_t.)
>
> Has anyone ever seen this behavior or have any idea what could cause it?

Prior to commit 3a2f5a59a695a73e0cde9a61e0feae5fa730e936, SELinux would check
sigchld permission between each eligible target of a wait*(2) system call and
the process that invoked wait*() to filter what processes could have their
status checked. Hence, this is likely the case that systemd is calling wait*()
on the process.
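As an added illustration (not code from either message), a refpolicy-style module fragment covering the domain chain in the question and the sigchld rule the reply implies; the executable types `freecusd_exec_t` and `freecusd_smart_exec_t` and the use of `domtrans_pattern`/`init_sigchld` are assumptions, and the rule toward init_t is only needed on kernels that predate the commit cited in the reply.

```selinux
policy_module(freecusd, 1.0)

########################################
# Declarations (domain names follow the thread; *_exec_t types are assumed)
#
type freecusd_t;
type freecusd_exec_t;
init_daemon_domain(freecusd_t, freecusd_exec_t)

type freecusd_smart_t;
type freecusd_smart_exec_t;
domain_type(freecusd_smart_t)
domain_entry_file(freecusd_smart_t, freecusd_smart_exec_t)

########################################
# Local policy
#
# freecusd_t executes the helper binary and lands in freecusd_smart_t
# (this is the macro that sets up the transition the question asks about).
domtrans_pattern(freecusd_t, freecusd_smart_exec_t, freecusd_smart_t)

# The helper's parent reaps it, so it may send SIGCHLD to freecusd_t.
allow freecusd_smart_t freecusd_t:process sigchld;

# Before 3a2f5a59a695a73e0cde9a61e0feae5fa730e936 the kernel also checked
# sigchld between every wait*() candidate and the caller of wait*(). The
# AVC shows pid 1 (systemd, init_t) as that caller, so the helper's domain
# needs sigchld toward init_t on those kernels. init_sigchld() expands to:
#   allow freecusd_smart_t init_t:process sigchld;
init_sigchld(freecusd_smart_t)
```

On a kernel that already carries the commit, the wait*() check no longer fires and the last rule is simply unused; it is harmless to keep for older kernels.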