On 6/30/20 4:18 AM, Lennart Poettering wrote:
Maybe it double forks or forks a child off (callout script?) that
double forks somewhere?
I don't know your software, it's probably best to ping the authors of
it about this, they should know what their software does.
LOL! I am the author.
So I think I've figured out why I was getting the SELinux message. The
proximate cause was that I hadn't yet discovered the proper SELinux
policy macro to use when creating the type for the helper application,
so I was building the policy for the helper "from scratch" with low-
level rules. Now that the policy uses the domain_type() macro, I no
longer get the message.
As to what was causing the helper to send SIGCHLD to systemd ... I'm not
100% sure that it ever tried to do so. I have a feeling, however, that
it has something to do with systemd's GuessMainPID feature. I saw a
couple seemingly random denials (possibly when I had dontaudit rules
disabled) about systemd trying to access the helper application's /proc
directory (which didn't work, because I hadn't used the proper macro).
I don't presume to know the details of how the feature works, but it
makes sense that it might occasionally incorrectly guess that the
helper application is the daemon's main process (particularly when the
daemon first starts, which is when I reliably saw multiple denials).
If systemd somehow reparents the child process in that circumstance, it
might explain why the SIGCHLD would be sent to systemd, rather than its
parent daemon.
Looks like fixing this program to work properly with Type=simple just
moved up my to-do list.
--
========================================================================
In Soviet Russia, Google searches you!
========================================================================
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
