Bug 256361 - SELinux is preventing /usr/bin/gdb (NetworkManager_t) "signal" to <Unknown> (unconfined_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel
Version: 7
Hardware: All All
Priority: medium, Severity: low
Assigned To: Eric Paris
QA Contact: Fedora Extras Quality Assurance
Depends On: 232371
Reported: 2007-08-27 09:27 EDT by Martin Jürgens
Modified: 2008-01-08 09:43 EST
Fixed In Version: F8
Doc Type: Bug Fix
Last Closed: 2008-01-08 09:43:40 EST

Attachments
selinux_alert (2.01 KB, text/plain)
2007-08-27 09:27 EDT, Martin Jürgens
Description Martin Jürgens 2007-08-27 09:27:49 EDT
Description of problem:
I was debugging NetworkManager with gdb, then I received this selinux alert.
Comment 1 Martin Jürgens 2007-08-27 09:27:49 EDT
Created attachment 173541
selinux_alert
Comment 2 Jan Kratochvil 2007-08-27 11:06:24 EDT
It is related to Bug 232371.
In some way it is correct - the debugged process must have the right to signal
the debugger.  NetworkManager has restricted rights, it must not be able to
signal anyone.

Daniel,
still it should be possible to get it working by permitting sending SIGCHLD to
the (unconfined) ptrace-parent if the confined process is under ptrace.  Is it
possible to make it work in the kernel part of SELinux, or was it already
denied as too dangerous?
Comment 3 Daniel Walsh 2007-08-27 12:26:49 EDT
This is not sigchld. It is some other signal. sigchld is special-cased in SELinux.

SELinux differentiates:

signull, sigstop, sigchld, sigkill;

All others are grouped together as signal.

So allowing NetworkManager to send signals to any unconfined process is still
considered dangerous.
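
The permission grouping described in Comment 3, as an added example that is not part of the original bug report or of any project's code: Python that maps signal numbers to the permission names listed there and picks signal denials out of AVC records. The log lines are constructed for illustration, and the function names are hypothetical.

```python
import re
import signal

# Process-class permissions named in the comment above: signal 0 and three
# specific signals have their own permission; every other signal shares "signal".
SPECIAL = {0: "signull", signal.SIGSTOP: "sigstop",
           signal.SIGCHLD: "sigchld", signal.SIGKILL: "sigkill"}

def signal_permission(signum):
    """Return the permission name that covers signal number signum."""
    return SPECIAL.get(signum, "signal")

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def selinux_type(context):
    """Extract the type from a user:role:type[:level] context."""
    return context.split(":")[2]

def signal_denials(lines):
    """Yield (comm, source_type, target_type, perm) for denied signal permissions."""
    names = set(SPECIAL.values()) | {"signal"}
    for line in lines:
        m = AVC_RE.search(line)
        if m is None or m["tclass"] != "process":
            continue  # not an AVC denial on the process class
        for perm in m["perms"].split():
            if perm in names:
                yield (m["comm"], selinux_type(m["scon"]),
                       selinux_type(m["tcon"]), perm)

def broad_if_allowed(denial):
    """True when an allow rule would cover every ungrouped signal to unconfined_t."""
    _, _, target, perm = denial
    return perm == "signal" and target == "unconfined_t"

# Constructed sample records (not taken from the bug's attachment).
SAMPLE = [
    'type=AVC msg=audit(1188221269.101:41): avc:  denied  { signal } for  pid=2301 '
    'comm="gdb" scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:system_r:unconfined_t:s0 tclass=process',
    'type=AVC msg=audit(1188221270.202:42): avc:  denied  { sigchld } for  pid=2302 '
    'comm="example" scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:system_r:unconfined_t:s0 tclass=process',
    'type=AVC msg=audit(1188221271.303:43): avc:  denied  { read } for  pid=2303 '
    'comm="example" name="conf" dev=dm-0 ino=1234 '
    'scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

if __name__ == "__main__":
    for d in signal_denials(SAMPLE):
        print(d, "review: broad grant" if broad_if_allowed(d) else "")
```
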
Comment 4 Jan Kratochvil 2007-10-27 07:50:49 EDT
This problem has been fixed by Eric Paris in kernel-2.6.23.1-33.fc8:
* Tue Oct 23 2007 Eric Paris <eparis@redhat.com>
- check sigchld when waiting on a task (gdb/selinux interaction)

file: linux-2.6-selinux-sigchld-wait.patch

It is now just a question if it gets backported for F-7.
Comment 5 Eric Paris 2008-01-08 09:43:40 EST
F8 has been out long enough without anyone else complaining about F7.  Closing.
