Daemon's child getting weird denial

Daemon's child getting weird denial

[Ian Pilcher]

I'm in the (hopefully) final stages of creating the policy module for a
daemon that I've written to monitor my home NAS.

The daemon is started by systemd (init_t) and runs as its own type
(freecusd_t).  In order to read the SMART attributes of the NAS drives,
the daemon runs a helper application, which has its own type
(freecusd_smart_t).  So:

   systemd (init_t) --> freecusd (freecusd_t)
                            --> freecusd_smart_helper (freecusd_smart_t)

This is all working (although I can't help but think that there's likely
a macro that I could have used to define the helper type that would have
made things a lot easier).  Every time that the daemon starts, however,
I'm getting this denial repeated 4 times:

type=AVC msg=audit(1593392372.230:9215): avc:  denied  { sigchld } for 
pid=1 comm="systemd" scontext=system_u:system_r:freecusd_smart_t:s0 
tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0

(Note that the daemon spawns the helper repeatedly while it runs, but I
only ever see the denial 4 times when the daemon first starts.)

It appears that the helper process is trying to send SIGCHLD, which
doesn't seem right, as its parent is still running.  (I've already given
the helper permission to send SIGCHLD to its parent, freecusd_t.)

Has anyone ever seen this behavior or have any idea what could cause it?

Thanks!

-- 
========================================================================
                  In Soviet Russia, Google searches you!
========================================================================

Re: Daemon's child getting weird denial

[Stephen Smalley]

On Sun, Jun 28, 2020 at 10:20 PM Ian Pilcher <arequipeno@gmail.com> wrote:
>
> I'm in the (hopefully) final stages of creating the policy module for a
> daemon that I've written to monitor my home NAS.
>
> The daemon is started by systemd (init_t) and runs as its own type
> (freecusd_t).  In order to read the SMART attributes of the NAS drives,
> the daemon runs a helper application, which has its own type
> (freecusd_smart_t).  So:
>
>    systemd (init_t) --> freecusd (freecusd_t)
>                             --> freecusd_smart_helper (freecusd_smart_t)
>
> This is all working (although I can't help but think that there's likely
> a macro that I could have used to define the helper type that would have
> made things a lot easier).  Every time that the daemon starts, however,
> I'm getting this denial repeated 4 times:
>
> type=AVC msg=audit(1593392372.230:9215): avc:  denied  { sigchld } for
> pid=1 comm="systemd" scontext=system_u:system_r:freecusd_smart_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0
>
> (Note that the daemon spawns the helper repeatedly while it runs, but I
> only ever see the denial 4 times when the daemon first starts.)
>
> It appears that the helper process is trying to send SIGCHLD, which
> doesn't seem right, as its parent is still running.  (I've already given
> the helper permission to send SIGCHLD to its parent, freecusd_t.)
>
> Has anyone ever seen this behavior or have any idea what could cause it?

Prior to commit 3a2f5a59a695a73e0cde9a61e0feae5fa730e936, SELinux
would check sigchld permission between each eligible target of a
wait*(2) system call and the process that invoked wait*() to filter
what processes could have their status checked. Hence, this is likely
the case that systemd is calling wait*() on the process.