Bug 130100

Summary: open file descriptors across exec of /sbin/restorecon
Product: [Fedora] Fedora Reporter: Tom London <selinux>
Component: udevAssignee: Harald Hoyer <harald>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-02-21 14:05:08 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On:    
Bug Blocks: 123268    

Description Tom London 2004-08-16 22:17:04 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7)
Gecko/20040803 Firefox/0.9.3

Description of problem:
Running strict enforcing off of Rawhide, udev is 
still leaking fds across execs, especially
execs of /sbin/restorecon.

Here is an example avc showing the leak:

    Aug 14 19:35:38 fedora kernel: audit(1092537300.503:0): avc: 
denied  { read write } for  pid=1214 exe=/sbin/restorecon
path=socket:[1188] dev=sockfs ino=1188
scontext=system_u:system_r:restorecon_t
tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket

It appears that udev is not calling
fcntl(fd, F_SETFD, FD_CLOEXEC) on some
file descriptors.

Here is a patch to /etc/dev.d/default/selinux.dev
that closes enough (all?) of the problematic file descriptors before
exec-ing /sbin/restorecon, but I think the proper fix
is to call fcntl(..., ..., FD_CLOEXEC).


--- selinux.dev 2004-08-15 08:58:13.000000000 -0700
+++ /etc/dev.d/default/selinux.dev      2004-08-14 20:19:12.000000000
-0700
@@ -10,5 +10,5 @@
        if [ "$UDEV_LOG" = "yes" -a -x /usr/bin/logger ]; then
                /usr/bin/logger -t selinux.dev -p auth.debug
"Restoring file security contexts for $DEVNAME"
        fi
-       /sbin/restorecon $DEVNAME 4<&-
+       /sbin/restorecon $DEVNAME 3<&- 4<&- 5<&- 6<&-
 fi



Version-Release number of selected component (if applicable):
udev-030-3

How reproducible:
Always

Steps to Reproduce:
1. run with SELinux strict/enforcing
2. look at log
3.
    

Additional info:
Comment 1 Harald Hoyer 2004-08-19 10:50:58 EDT

*** This bug has been marked as a duplicate of 130351 ***
Comment 2 Red Hat Bugzilla 2006-02-21 14:05:08 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.