On Thu, 2009-03-05 at 21:01 +0100, Jan Kasprzak wrote:
> Hello,
>
> I am probably overlooking something, but it seems that SELinux prevents
> the environment variables from being inherited by the new program over exec():
>
> I have a daemon (running in its own domain mydaemon_t) which tries
> to fork() and then exec() a program which has domain_auto_trans()
> to a new domain myprogram_t. Now I want to pass a TMPDIR environment
> variable from the daemon to the program. It does not work - I get
> AVCs about myprogram_t trying to read the tmp_t directory (which means
> it still tries to use /tmp, not whatever is written in TMPDIR).
>
> I have created my own directory /var/myprogram/tmp which I also
> put into the TMPDIR variable. When I add "sleep(100)" to the daemon
> just before the exec() of myprogram, I can see the TMPDIR variable correctly
> set in /proc/<pid>/environ.
>
> When I do "setenforce 0", running the program from the daemon
> causes the /var/myprogram/tmp mtime to be updated and no AVCs are logged,
> so the program gets the TMPDIR variable correctly set up.
>
> Does SELinux prevent the environment variables from being inherited
> over exec()? If so, how can I enable it?

On a domain transition, by default, SELinux will set the AT_SECURE auxv
flag and glibc will then sanitize the environment in the same manner as
for setuid/setgid program execution. You can disable that behavior on a
selective basis by allowing the "noatsecure" permission between the old
and new domains. You would add the following allow rule to your policy:

    allow mydaemon_t myprogram_t:process noatsecure;

--
Stephen Smalley
National Security Agency
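
An added example, not part of the original thread: a small Linux/glibc diagnostic that reads the AT_SECURE auxv flag mentioned in the reply and reports whether TMPDIR survived the exec. The names exec_was_secure and effective_tmpdir are hypothetical, and the "TMPDIR, else /tmp" fallback is an assumed convention for the program being run.

```c
/* Added example: report whether this process was exec'd in
 * secure-execution mode and which temp directory it ends up with. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE (glibc >= 2.16) */

/* 1 if the kernel flagged this exec as secure: setuid/setgid, file
 * capabilities, or an SELinux domain transition without noatsecure. */
int exec_was_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Hypothetical helper: the directory a program following the assumed
 * "TMPDIR, else /tmp" convention will use. Both inputs are parameters
 * so the decision can be checked without a real domain transition. */
const char *effective_tmpdir(int at_secure, const char *tmpdir)
{
    /* Under AT_SECURE glibc removes TMPDIR from the environment at
     * startup, so the program never sees the caller's value. */
    if (at_secure || tmpdir == NULL || tmpdir[0] == '\0')
        return "/tmp";
    return tmpdir;
}

int main(void)
{
    int secure = exec_was_secure();
    const char *seen = getenv("TMPDIR");   /* NULL if it was sanitized */

    printf("AT_SECURE=%d\n", secure);
    printf("TMPDIR seen by program: %s\n", seen ? seen : "(unset)");
    printf("temp dir in use: %s\n", effective_tmpdir(secure, seen));
    return 0;
}
```

Run in place of the program that transitions to myprogram_t, output of AT_SECURE=1 with TMPDIR unset matches the behaviour described in the reply; with the noatsecure rule loaded the flag reads 0 and TMPDIR is passed through.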