03-05-2009, 07:01 PM
Jan Kasprzak

Environment variables over exec()?

Hello,

I am probably overlooking something, but it seems that SELinux prevents
the environment variables from being inherited by the new program over exec():

I have a daemon (running in its own domain mydaemon_t) which tries
to fork() and then exec() a program which has domain_auto_trans()
to a new domain myprogram_t. Now I want to pass a TMPDIR environment
variable from the daemon to the program. It does not work - I get
AVCs about myprogram_t trying to read the tmp_t directory (which means
it still tries to use /tmp, not whatever is written in TMPDIR).

I have created my own directory /var/myprogram/tmp which I also
put into the TMPDIR variable. When I add "sleep(100)" to the daemon
just before the exec() of myprogram, I can see the TMPDIR variable correctly
set in /proc/<pid>/environ.

When I do "setenforce 0", running the program from the daemon
causes the /var/myprogram/tmp mtime to be updated and no AVCs are logged,
so the program gets the TMPDIR variable correctly set up.

Does SELinux prevent the environment variables from being inherited
over exec()? If so, how can I enable it?

Thanks,

-Yenya

--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
03-05-2009, 07:06 PM
Stephen Smalley

Environment variables over exec()?

On Thu, 2009-03-05 at 21:01 +0100, Jan Kasprzak wrote:
> Hello,
>
> I am probably overlooking something, but it seems that SELinux prevents
> the environment variables from being inherited by the new program over exec():
>
> I have a daemon (running in its own domain mydaemon_t) which tries
> to fork() and then exec() a program which has domain_auto_trans()
> to a new domain myprogram_t. Now I want to pass a TMPDIR environment
> variable from the daemon to the program. It does not work - I get
> AVCs about myprogram_t trying to read the tmp_t directory (which means
> it still tries to use /tmp, not whatever is written in TMPDIR).
>
> I have created my own directory /var/myprogram/tmp which I also
> put into the TMPDIR variable. When I add "sleep(100)" to the daemon
> just before the exec() of myprogram, I can see the TMPDIR variable correctly
> set in /proc/<pid>/environ.
>
> When I do "setenforce 0", running the program from the daemon
> causes the /var/myprogram/tmp mtime to be updated and no AVCs are logged,
> so the program gets the TMPDIR variable correctly set up.
>
> Does SELinux prevent the environment variables from being inherited
> over exec()? If so, how can I enable it?

On a domain transition, by default, SELinux will set the AT_SECURE auxv
flag and glibc will then sanitize the environment in the same manner as
for setuid/setgid program execution. You can disable that behavior on a
selective basis by allowing the "noatsecure" permission between the old
and new domains. You would add the following allow rule to your policy:

allow mydaemon_t myprogram_t:process noatsecure;

--
Stephen Smalley
National Security Agency
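An added illustration, not from the thread: a small C model of what the exec'd program sees after a secure execution. sanitize_env() mimics glibc stripping a subset of its unsafe-variable list (which includes TMPDIR) when AT_SECURE is set; the list, the function names and the envp layout are this example's own, while exec_is_secure() shows the real runtime check via getauxval(AT_SECURE) (glibc 2.16 or later).

```c
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

/* Illustrative subset of the names glibc drops under AT_SECURE (its
 * unsecvars list). TMPDIR is on that list, which is why the daemon's
 * value never reaches myprogram_t after the domain transition. */
static const char *const unsecure_vars[] = {
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "GCONV_PATH",
    "TMPDIR", "TZDIR", "NLSPATH", "RES_OPTIONS", NULL
};

/* True if envp entry "NAME=value" has exactly the given NAME. */
static int name_matches(const char *entry, const char *name) {
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Filter a NULL-terminated envp in place the way a secure exec would:
 * drop unsafe entries when at_secure != 0, keep all of them otherwise.
 * Returns the number of entries kept. */
int sanitize_env(char **envp, int at_secure) {
    int kept = 0;
    for (int i = 0; envp[i]; i++) {
        int drop = 0;
        if (at_secure)
            for (int j = 0; unsecure_vars[j] && !drop; j++)
                drop = name_matches(envp[i], unsecure_vars[j]);
        if (!drop)
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return kept;
}

/* Directory the program will use given the post-sanitization TMPDIR:
 * NULL or empty means the fallback to /tmp (tmp_t), hence the AVCs. */
const char *choose_tmpdir(const char *tmpdir) {
    return (tmpdir && *tmpdir) ? tmpdir : "/tmp";
}

/* In the real exec'd program: did the kernel flag this exec as secure
 * (setuid/setgid, or a domain transition without noatsecure)? */
int exec_is_secure(void) {
    return getauxval(AT_SECURE) != 0;
}
```

Running exec_is_secure() from the child before and after adding the noatsecure rule is a quick way to confirm the policy change took effect.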
