Description of problem: I was debugging NetworkManager with gdb when I received this SELinux alert.
Created attachment 173541: selinux_alert
It is related to Bug 232371. In some way it is correct: the debugged process must have the right to signal the debugger. NetworkManager has restricted rights; it must not be able to signal anyone. Daniel, it should still be possible to get it working by permitting sending SIGCHLD to the (unconfined) ptrace-parent if the confined process is under ptrace. Is it possible to make it work in the kernel part of SELinux, or was it already denied as too dangerous?
This is not sigchld. It is some other signal. sigchld is special-cased in SELinux. SELinux differentiates: signull, sigstop, sigchld, sigkill; all others are grouped together as signal. So allowing NetworkManager to send signals to any unconfined process is still considered dangerous.
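The permission split described in the comment above, as an added triage example that is not part of the original thread: it maps a signal number to the permission SELinux checks and pulls signal-related denials out of AVC records. The log lines are constructed samples (not the attached alert), and the function names are hypothetical.

```python
import re
import signal

# Signals SELinux checks under their own permission (per the comment above);
# any other signal number falls into the generic "signal" permission.
SPECIAL = {0: "signull", signal.SIGSTOP: "sigstop",
           signal.SIGCHLD: "sigchld", signal.SIGKILL: "sigkill"}
SIGNAL_PERMS = set(SPECIAL.values()) | {"signal"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def selinux_perm(signum):
    """Permission name SELinux checks when a process sends signal `signum`."""
    return SPECIAL.get(signum, "signal")

def domain(context):
    """Type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def signal_denials(lines):
    """Return (comm, source_domain, target_domain, perm) per denied signal perm."""
    hits = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "process":
            continue  # not an AVC denial, or not a process-class check
        for perm in m.group("perms").split():
            if perm in SIGNAL_PERMS:
                hits.append((m.group("comm"), domain(m.group("scon")),
                             domain(m.group("tcon")), perm))
    return hits

# Constructed audit.log lines (assumed contexts; not taken from the attachment).
SAMPLE = [
    'type=AVC msg=audit(1193000000.001:101): avc:  denied  { signal } for  pid=2101 '
    'comm="NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=user_u:system_r:unconfined_t:s0 tclass=process',
    'type=AVC msg=audit(1193000000.002:102): avc:  denied  { sigchld } for  pid=2101 '
    'comm="NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=user_u:system_r:unconfined_t:s0 tclass=process',
    'type=AVC msg=audit(1193000000.003:103): avc:  denied  { read } for  pid=2200 '
    'comm="dhclient" name="conf" dev=dm-0 ino=77 scontext=system_u:system_r:dhcpc_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

if __name__ == "__main__":
    for hit in signal_denials(SAMPLE):
        print(hit)
```

A denial reported as `signal` rather than `sigchld` means the blocked signal was one of the grouped ones, so a rule allowing it would cover every signal in that group.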
This problem has been fixed by Eric Paris in kernel-2.6.23.1-33.fc8:
* Tue Oct 23 2007 Eric Paris <eparis>
- check sigchld when waiting on a task (gdb/selinux interaction)
file: linux-2.6-selinux-sigchld-wait.patch
It is now just a question of whether it gets backported for F-7.
F8 has been out long enough without anyone else complaining about F7. Closing.