Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 256361 - SELinux is preventing /usr/bin/gdb (NetworkManager_t) "signal" to <Unknown> (unconfined_t).
Summary: SELinux is preventing /usr/bin/gdb (NetworkManager_t) "signal" to <Unknown> ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 7
Hardware: All
OS: All
medium
low
Target Milestone: ---
Assignee: Eric Paris
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 232371
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-08-27 13:27 UTC by Martin Jürgens
Modified: 2008-01-08 14:43 UTC (History)
2 users (show)

Fixed In Version: F8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-08 14:43:40 UTC


Attachments (Terms of Use)
selinux_alert (deleted)
2007-08-27 13:27 UTC, Martin Jürgens
no flags Details

Description Martin Jürgens 2007-08-27 13:27:49 UTC
Description of problem:
I was debugging NetworkManager with gdb, then I received this selinux alert.

Comment 1 Martin Jürgens 2007-08-27 13:27:49 UTC
Created attachment 173541 [details]
selinux_alert

Comment 2 Jan Kratochvil 2007-08-27 15:06:24 UTC
It is related to Bug 232371.
In some way it is correct - the debugged process must have the right to signal
the debugger.  NetworkManager has restricted rights, it must not be able to
signal anyone.

Daniel,
still it should be possible to get it working by permitting sending SIGCHLD to
the (unconfined) ptrace-parent if the confined process is under ptrace.  Is it
possible to make it working in the kernel part of SELinux or it was already
denied as too dangerous?


Comment 3 Daniel Walsh 2007-08-27 16:26:49 UTC
This is not sigchld  It is some other signal.  sigchld is special cased in SELinux.

SELinux differentiates:

signull, sigstop, sigchld, sigkill;

All others are grouped together as signal

So allowing NetworkManager to send signals to any unconfined process is still
considered dangerous.


Comment 4 Jan Kratochvil 2007-10-27 11:50:49 UTC
This problem has been fixed by Eric Paris in kernel-2.6.23.1-33.fc8:
* Tue Oct 23 2007 Eric Paris <eparis@redhat.com>
- check sigchld when waiting on a task (gdb/selinux interaction)

file: linux-2.6-selinux-sigchld-wait.patch

It is now just a question if it gets backported for F-7.


Comment 5 Eric Paris 2008-01-08 14:43:40 UTC
F8 has been out long enough without anyone else complaining about F7.  closing.


Note You need to log in before you can comment on or make changes to this bug.