Bug 130100
| Summary: | open file descriptors across exec of /sbin/restorecon | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tom London <selinux> |
| Component: | udev | Assignee: | Harald Hoyer <harald> |
| Status: | CLOSED DUPLICATE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | | |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i686 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2006-02-21 19:05:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 123268 | | |
*** This bug has been marked as a duplicate of 130351 ***

Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3

Description of problem:
Running strict enforcing off of Rawhide, udev is still leaking fds across execs, especially execs of /sbin/restorecon.

Here is an example avc showing the leak:

Aug 14 19:35:38 fedora kernel: audit(1092537300.503:0): avc: denied { read write } for pid=1214 exe=/sbin/restorecon path=socket:[1188] dev=sockfs ino=1188 scontext=system_u:system_r:restorecon_t tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket

It appears that udev is not calling fcntl(fd, F_SETFD, FD_CLOEXEC) on some file descriptors.

Here is a patch to /etc/dev.d/default/selinux.dev that closes enough (all?) of the problematic file descriptors before exec-ing /sbin/restorecon, but I think the proper fix is to call fcntl(..., ..., FD_CLOEXEC).

--- selinux.dev 2004-08-15 08:58:13.000000000 -0700
+++ /etc/dev.d/default/selinux.dev 2004-08-14 20:19:12.000000000 -0700
@@ -10,5 +10,5 @@
 if [ "$UDEV_LOG" = "yes" -a -x /usr/bin/logger ]; then
 /usr/bin/logger -t selinux.dev -p auth.debug "Restoring file security contexts for $DEVNAME"
 fi
- /sbin/restorecon $DEVNAME 4<&-
+ /sbin/restorecon $DEVNAME 3<&- 4<&- 5<&- 6<&-
 fi

Version-Release number of selected component (if applicable):
udev-030-3

How reproducible:
Always

Steps to Reproduce:
1. run with SELinux strict/enforcing
2. look at log
3.

Additional info:
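Review bot: the replacement line `+ /sbin/restorecon $DEVNAME 3<&- 4<&- 5<&- 6<&-` closes only descriptors 3 through 6, so it works only if udev's leaked socket happens to land in that range; the description itself leaves that open ("enough (all?)"). If the script-side workaround is kept, closing every descriptor above 2 in a loop is more robust than a fixed list, and `$DEVNAME` should be quoted as `"$DEVNAME"` on the new line (the old line had the same problem). The durable fix is the one the description names: have udev set close-on-exec with `fcntl(fd, F_SETFD, FD_CLOEXEC)` when it creates the socket, so that no helper it execs, restorecon included, inherits it and trips an AVC denial on a descriptor it never needed.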
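The report describes an inherited descriptor showing up in an exec'd helper and names fcntl(fd, F_SETFD, FD_CLOEXEC) as the remedy. The following C program is an added illustration, not udev's or restorecon's code: it creates a connected AF_UNIX datagram pair as a stand-in for the udev socket, execs /bin/sh as a stand-in for /sbin/restorecon, and checks from the parent whether the exec'd child could still use the inherited descriptor number. The function names (set_cloexec, child_inherits_fd) and the use of /bin/sh as the child are assumptions of this example.

```c
/* Added example, not udev's code: shows a descriptor leaking across exec
   and how marking it FD_CLOEXEC stops the leak. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec, preserving any other FD_* flags already set.
   This is the fcntl(fd, F_SETFD, FD_CLOEXEC) call the report asks for.
   Returns 0 on success, -1 on error. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Create a connected AF_UNIX SOCK_DGRAM pair (stand-in for udev's socket),
   optionally mark our end close-on-exec, then fork and exec /bin/sh
   (stand-in for /sbin/restorecon). The child tries to send a datagram
   through the inherited descriptor number; the parent then checks the
   peer end to see whether anything arrived.
   Returns 1 if the exec'd child could use the descriptor (a leak),
   0 if it had been closed across exec, -1 on setup failure. */
int child_inherits_fd(int use_cloexec) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    if (use_cloexec && set_cloexec(sv[0]) < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }

    /* The shell only knows the descriptor by number, exactly as an exec'd
       helper would. stderr is silenced so a "bad file descriptor" error
       from the closed case does not clutter the output. */
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; printf leak >&%d", sv[0]);

    pid_t pid = fork();
    if (pid < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    waitpid(pid, &status, 0);

    /* A datagram on the peer end means the child wrote through the leaked fd. */
    char buf[8];
    ssize_t n = recv(sv[1], buf, sizeof buf, MSG_DONTWAIT);
    close(sv[0]);
    close(sv[1]);
    return n > 0 ? 1 : 0;
}

int main(void) {
    printf("without FD_CLOEXEC: exec'd child can use the socket = %d\n",
           child_inherits_fd(0));
    printf("with    FD_CLOEXEC: exec'd child can use the socket = %d\n",
           child_inherits_fd(1));
    return 0;
}
```

Run as-is, the first line reports 1 (the exec'd child inherited and used the socket, which is the situation behind the AVC denial in the report) and the second reports 0. Setting the flag at the point where the socket is created, rather than closing guessed descriptor numbers in each helper script, is what makes the fix independent of which number the socket happens to get.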