[DSE-Dev] Bug#742966: selinux-policy-default: user programs denied access to SIGCHLD

Tomasz Bialas tbx1024 at gmail.com
Sat Mar 29 14:17:50 UTC 2014


Package: selinux-policy-default
Version: 2:2.20140311-1
Severity: important
Tags: upstream

Dear Maintainer,

When using a SELinux-mapped user (user_u), LightDM fails to log in with
AVC denial messages, such as this one:
type=AVC msg=audit(1396092400.551:432): avc:  denied  { sigchld } for
pid=5823 comm="lightdm" scontext=user_u:user_r:user_ssh_agent_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process


It would seem that the usage of the SIGCHLD signal is blocked by SELinux
on all processes which are not a direct child of Init, thus not allowing
children of xdm_t login programs to send SIGCHLD signals to their parents.
The issue has been reported in the Red Hat bugtracker:
https://bugzilla.redhat.com/show_bug.cgi?id=903828

A fix has been applied in Fedora, with the comment "We should allow all
user programs to sigchld login programs."

Thank you very much for investigating this issue.


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (250, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-2
ii  libselinux1      2.2.2-1
ii  libsepol1        2.2-1
ii  policycoreutils  2.2.5-1
ii  python           2.7.5-5
ii  selinux-utils    2.2.2-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.2-1
ii  setools      3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13]
Permission denied:
u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
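
Added example (not part of the original report, nor code from the Debian or Fedora policy): a small Python parser that reads the AVC denial quoted above and renders the type-enforcement rule that this one denial corresponds to. The function names are chosen here for illustration; the record is copied from the report with its mail line wrapping kept.

```python
import re

# The denial from the report above, with the mail's line wrapping kept.
REPORTED_AVC = """type=AVC msg=audit(1396092400.551:432): avc:  denied  { sigchld } for
pid=5823 comm="lightdm" scontext=user_u:user_r:user_ssh_agent_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)", re.S)

def parse_context(ctx):
    """Split user:role:type[:mls]; the MLS range may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {ctx!r}")
    user, role, type_ = parts[:3]
    return {"user": user, "role": role, "type": type_,
            "mls": parts[3] if len(parts) == 4 else None}

def parse_avc(record):
    """Parse one AVC denial (possibly line-wrapped) into a dict."""
    flat = " ".join(record.split())  # undo the mail's line wrapping
    m = AVC_RE.search(flat)
    if m is None:
        raise ValueError("no 'avc: denied' record found")
    # key=value pairs; values are either quoted or run to the next space
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            raise ValueError(f"missing field: {key}")
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "").strip('"'),
        "source": parse_context(fields["scontext"]),
        "target": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def to_allow_rule(avc):
    """Render the allow rule for exactly the access that was denied."""
    perms = avc["perms"]
    perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return (f"allow {avc['source']['type']} {avc['target']['type']}"
            f":{avc['tclass']} {perm_s};")

if __name__ == "__main__":
    print(to_allow_rule(parse_avc(REPORTED_AVC)))
```

The resulting rule covers only the user_ssh_agent_t domain seen in this record, which is narrower than the Fedora comment quoted above about all user programs.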


