* [refpolicy] [PATCH 1/1] Without allow siginh, we get a huge timeout wait period (15 seconds)
@ 2011-02-06 15:16 Sven Vermeulen
2011-02-06 16:48 ` Dominick Grift
2011-02-14 14:44 ` Christopher J. PeBenito
0 siblings, 2 replies; 9+ messages in thread
From: Sven Vermeulen @ 2011-02-06 15:16 UTC (permalink / raw)
To: refpolicy
We need to allow siginh; without it, xinit waits for 15 seconds
before continuing (not really user friendly), even though the system
functions properly afterwards.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/services/xserver.if | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index da2601a..01274b4 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -142,6 +142,8 @@ interface(`xserver_role',`
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
+ allow $2 xserver_t:process { siginh };
+
allow $2 iceauth_home_t:file manage_file_perms;
allow $2 iceauth_home_t:file { relabelfrom relabelto };
--
1.7.3.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [refpolicy] [PATCH 1/1] Without allow siginh, we get a huge timeout wait period (15 seconds)
2011-02-06 15:16 [refpolicy] [PATCH 1/1] Without allow siginh, we get a huge timeout wait period (15 seconds) Sven Vermeulen
@ 2011-02-06 16:48 ` Dominick Grift
2011-02-14 14:44 ` Christopher J. PeBenito
1 sibling, 0 replies; 9+ messages in thread
From: Dominick Grift @ 2011-02-06 16:48 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/06/2011 04:16 PM, Sven Vermeulen wrote:
> We need to allow siginh; without it, xinit waits for 15 seconds
> before continuing (not really user friendly), even though the system
> functions properly afterwards.
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/services/xserver.if | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index da2601a..01274b4 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -142,6 +142,8 @@ interface(`xserver_role',`
> allow $2 xserver_t:shm rw_shm_perms;
> allow $2 xserver_tmpfs_t:file rw_file_perms;
>
> + allow $2 xserver_t:process { siginh };
nit: no brace expansion needed, nothing to expand here.
> +
> allow $2 iceauth_home_t:file manage_file_perms;
> allow $2 iceauth_home_t:file { relabelfrom relabelto };
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk1O0MMACgkQMlxVo39jgT9MtACeLpmJxCVKdiigm6vmTAxWfCOE
pHMAoJBJdi/lE+QQFDA4lEQU9/1nnvic
=qHv2
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 9+ messages in thread
* [refpolicy] [PATCH 1/1] Without allow siginh, we get a huge timeout wait period (15 seconds)
2011-02-06 15:16 [refpolicy] [PATCH 1/1] Without allow siginh, we get a huge timeout wait period (15 seconds) Sven Vermeulen
2011-02-06 16:48 ` Dominick Grift
@ 2011-02-14 14:44 ` Christopher J. PeBenito
2011-02-14 19:03 ` Sven Vermeulen
2011-02-22 20:30 ` [refpolicy] [PATCH v2 " Sven Vermeulen
1 sibling, 2 replies; 9+ messages in thread
From: Christopher J. PeBenito @ 2011-02-14 14:44 UTC (permalink / raw)
To: refpolicy
On 2/6/2011 10:16 AM, Sven Vermeulen wrote:
> We need to allow siginh; without it, xinit waits for 15 seconds
> before continuing (not really user friendly), even though the system
> functions properly afterwards.
This needs a comment in the policy. Also, it should probably go in
xserver_restricted_role() instead.
> Signed-off-by: Sven Vermeulen<sven.vermeulen@siphos.be>
> ---
> policy/modules/services/xserver.if | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index da2601a..01274b4 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -142,6 +142,8 @@ interface(`xserver_role',`
> allow $2 xserver_t:shm rw_shm_perms;
> allow $2 xserver_tmpfs_t:file rw_file_perms;
>
> + allow $2 xserver_t:process { siginh };
> +
> allow $2 iceauth_home_t:file manage_file_perms;
> allow $2 iceauth_home_t:file { relabelfrom relabelto };
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 9+ messages in thread
* [refpolicy] [PATCH 1/1] Without allow siginh, we get a huge timeout wait period (15 seconds)
2011-02-14 14:44 ` Christopher J. PeBenito
@ 2011-02-14 19:03 ` Sven Vermeulen
2011-02-16 14:31 ` Christopher J. PeBenito
2011-02-16 14:59 ` Stephen Smalley
2011-02-22 20:30 ` [refpolicy] [PATCH v2 " Sven Vermeulen
1 sibling, 2 replies; 9+ messages in thread
From: Sven Vermeulen @ 2011-02-14 19:03 UTC (permalink / raw)
To: refpolicy
On Mon, Feb 14, 2011 at 09:44:04AM -0500, Christopher J. PeBenito wrote:
> On 2/6/2011 10:16 AM, Sven Vermeulen wrote:
> > We need to allow siginh; without it, xinit waits for 15 seconds
> > before continuing (not really user friendly), even though the system
> > functions properly afterwards.
>
> This needs a comment in the policy. Also, it should probably go in
> xserver_restricted_role() instead.
Why not both (xserver_role and xserver_restricted_role)? Both get the timeout otherwise.
I'm trying to find some information on the SIGINH but am failing
tremendously (all that I can find is that SELinux dontaudit's it and the
fact that many people don't know that). What is siginh?
Wkr,
Sven Vermeulen
^ permalink raw reply [flat|nested] 9+ messages in thread
* [refpolicy] [PATCH 1/1] Without allow siginh, we get a huge timeout wait period (15 seconds)
2011-02-14 19:03 ` Sven Vermeulen
@ 2011-02-16 14:31 ` Christopher J. PeBenito
2011-02-16 14:45 ` Christopher J. PeBenito
2011-02-16 14:59 ` Stephen Smalley
1 sibling, 1 reply; 9+ messages in thread
From: Christopher J. PeBenito @ 2011-02-16 14:31 UTC (permalink / raw)
To: refpolicy
On 02/14/11 14:03, Sven Vermeulen wrote:
> On Mon, Feb 14, 2011 at 09:44:04AM -0500, Christopher J. PeBenito wrote:
>> On 2/6/2011 10:16 AM, Sven Vermeulen wrote:
>>> We need to allow siginh; without it, xinit waits for 15 seconds
>>> before continuing (not really user friendly), even though the system
>>> functions properly afterwards.
>>
>> This needs a comment in the policy. Also, it should probably go in
>> xserver_restricted_role() instead.
>
> Why not both (xserver_role and xserver_restricted_role)? Both get the timeout otherwise.
xserver_role() calls xserver_restricted_role().
> I'm trying to find some information on the SIGINH but am failing
> tremendously (all that I can find is that SELinux dontaudit's it and the
> fact that many people don't know that). What is siginh?
Signal inheritance across exec().
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 9+ messages in thread
* [refpolicy] [PATCH 1/1] Without allow siginh, we get a huge timeout wait period (15 seconds)
2011-02-16 14:31 ` Christopher J. PeBenito
@ 2011-02-16 14:45 ` Christopher J. PeBenito
0 siblings, 0 replies; 9+ messages in thread
From: Christopher J. PeBenito @ 2011-02-16 14:45 UTC (permalink / raw)
To: refpolicy
On 02/16/11 09:31, Christopher J. PeBenito wrote:
> On 02/14/11 14:03, Sven Vermeulen wrote:
>> On Mon, Feb 14, 2011 at 09:44:04AM -0500, Christopher J. PeBenito wrote:
>> I'm trying to find some information on the SIGINH but am failing
>> tremendously (all that I can find is that SELinux dontaudit's it and the
>> fact that many people don't know that). What is siginh?
>
> Signal inheritance across exec().
More specifically, across domain transition. So if siginh is denied, no
signals are inherited.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 9+ messages in thread
* [refpolicy] [PATCH 1/1] Without allow siginh, we get a huge timeout wait period (15 seconds)
2011-02-14 19:03 ` Sven Vermeulen
2011-02-16 14:31 ` Christopher J. PeBenito
@ 2011-02-16 14:59 ` Stephen Smalley
1 sibling, 0 replies; 9+ messages in thread
From: Stephen Smalley @ 2011-02-16 14:59 UTC (permalink / raw)
To: refpolicy
On Mon, 2011-02-14 at 20:03 +0100, Sven Vermeulen wrote:
> On Mon, Feb 14, 2011 at 09:44:04AM -0500, Christopher J. PeBenito wrote:
> > On 2/6/2011 10:16 AM, Sven Vermeulen wrote:
> > > We need to allow siginh; without it, xinit waits for 15 seconds
> > > before continuing (not really user friendly), even though the system
> > > functions properly afterwards.
> >
> > This needs a comment in the policy. Also, it should probably go in
> > xserver_restricted_role() instead.
>
> Why not both (xserver_role and xserver_restricted_role)? Both get the timeout otherwise.
>
> I'm trying to find some information on the SIGINH but am failing
> tremendously (all that I can find is that SELinux dontaudit's it and the
> fact that many people don't know that). What is siginh?
>From the code:
/* Check whether the new SID can inherit signal state from the old SID.
* If not, clear itimers to avoid subsequent signal generation and
* flush and unblock signals.
*
* This must occur _after_ the task SID has been updated so that any
* kill done after the flush will be checked against the new SID.
*/
One of a set of permission checks designed to help reduce the ability of
a caller to influence/control the behavior of a program that runs with
different permissions.
--
Stephen Smalley
National Security Agency
^ permalink raw reply [flat|nested] 9+ messages in thread
* [refpolicy] [PATCH v2 1/1] Without allow siginh, we get a huge timeout wait period (15 seconds)
2011-02-14 14:44 ` Christopher J. PeBenito
2011-02-14 19:03 ` Sven Vermeulen
@ 2011-02-22 20:30 ` Sven Vermeulen
2011-03-03 14:22 ` Christopher J. PeBenito
1 sibling, 1 reply; 9+ messages in thread
From: Sven Vermeulen @ 2011-02-22 20:30 UTC (permalink / raw)
To: refpolicy
Allow xserver_restricted_role domains to call/start Xorg (using startx), fixes
15-second lag/timeout (needs siginh permission as provided by
xserver_domtrans).
Apparently, the 15-second lag (or some other behavior) was already detected
in the past, giving rise to the SIGINH permission in the xserver_domtrans()
interface.
However, domains that are given the xserver_(restricted_)role do not call
the xserver_domtrans but rather the "standard" domtrans_pattern.
The new patch suggests to use xserver_domtrans in the
xserver_restricted_role, which automatically includes the siginh permission
then.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/services/xserver.if | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index da2601a..130ced9 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -30,7 +30,6 @@ interface(`xserver_restricted_role',`
allow xserver_t $2:fd use;
allow xserver_t $2:shm rw_shm_perms;
- domtrans_pattern($2, xserver_exec_t, xserver_t)
allow xserver_t $2:process signal;
allow xserver_t $2:shm rw_shm_perms;
@@ -96,6 +95,7 @@ interface(`xserver_restricted_role',`
miscfiles_read_fonts($2)
xserver_common_x_domain_template(user, $2)
+ xserver_domtrans($2)
xserver_unconfined($2)
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
--
1.7.3.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [refpolicy] [PATCH v2 1/1] Without allow siginh, we get a huge timeout wait period (15 seconds)
2011-02-22 20:30 ` [refpolicy] [PATCH v2 " Sven Vermeulen
@ 2011-03-03 14:22 ` Christopher J. PeBenito
0 siblings, 0 replies; 9+ messages in thread
From: Christopher J. PeBenito @ 2011-03-03 14:22 UTC (permalink / raw)
To: refpolicy
On 2/22/2011 3:30 PM, Sven Vermeulen wrote:
> Allow xserver_restricted_role domains to call/start Xorg (using startx), fixes
> 15-second lag/timeout (needs siginh permission as provided by
> xserver_domtrans).
>
>
> Apparently, the 15-second lag (or some other behavior) was already detected
> in the past, giving rise to the SIGINH permission in the xserver_domtrans()
> interface.
>
> However, domains that are given the xserver_(restricted_)role do not call
> the xserver_domtrans but rather the "standard" domtrans_pattern.
>
> The new patch suggests to use xserver_domtrans in the
> xserver_restricted_role, which automatically includes the siginh permission
> then.
Merged.
> Signed-off-by: Sven Vermeulen<sven.vermeulen@siphos.be>
> ---
> policy/modules/services/xserver.if | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index da2601a..130ced9 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -30,7 +30,6 @@ interface(`xserver_restricted_role',`
> allow xserver_t $2:fd use;
> allow xserver_t $2:shm rw_shm_perms;
>
> - domtrans_pattern($2, xserver_exec_t, xserver_t)
> allow xserver_t $2:process signal;
>
> allow xserver_t $2:shm rw_shm_perms;
> @@ -96,6 +95,7 @@ interface(`xserver_restricted_role',`
> miscfiles_read_fonts($2)
>
> xserver_common_x_domain_template(user, $2)
> + xserver_domtrans($2)
> xserver_unconfined($2)
> xserver_xsession_entry_type($2)
> xserver_dontaudit_write_log($2)
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2011-03-03 14:22 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-02-06 15:16 [refpolicy] [PATCH 1/1] Without allow siginh, we get a huge timeout wait period (15 seconds) Sven Vermeulen
2011-02-06 16:48 ` Dominick Grift
2011-02-14 14:44 ` Christopher J. PeBenito
2011-02-14 19:03 ` Sven Vermeulen
2011-02-16 14:31 ` Christopher J. PeBenito
2011-02-16 14:45 ` Christopher J. PeBenito
2011-02-16 14:59 ` Stephen Smalley
2011-02-22 20:30 ` [refpolicy] [PATCH v2 " Sven Vermeulen
2011-03-03 14:22 ` Christopher J. PeBenito
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.