Bug 171331

Summary: all descendants of init have FD 63 open to swap file partition
Product: [Fedora] Fedora Reporter: Jason Vas Dias <jvdias>
Component: mkinitrdAssignee: Peter Jones <pjones>
Status: CLOSED RAWHIDE QA Contact: David Lawrence <dkl>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dwalsh, notting
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-12-10 18:05:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jason Vas Dias 2005-10-20 20:56:40 UTC
Description of problem:

I'm not sure if this a kernel or init bug.

For a while now with 2.6.13+ kernels, all descendants of the init process that
do not explicitly close all their file descriptors seem to have an FD left open
to the swap device. 

The IBM T41 laptop on which this problem occurs started out life with pre-FC3
rawhide, and has been upgraded to rawhide ever since (now at rawhide-20051019).
During initial installation, I formatted a 1GB swap partition on /dev/hda5 :
 
/dev/hda5           25240       27320     1048792+  82  Linux swap / Solaris

I THINK I started noticing this a @ 6 weeks ago with first 2.6.13 kernel, and 
kept hoping it would be fixed - it hasn't been - all init descendants that do
not explictly close all their FDs have FD 63 open to /dev/hda5, as shown by
the output of this command, run as root:

# ls -l /proc/[0-9]*/fd/* | grep hda5 | 
  while read m l u g s M d t f a r ; do 
    pid=${f#/proc/}; pid=${pid%%/*}; 
    echo $pid `readlink /proc/$pid/exe` $f $r; 
  done  | sort -n
1 /sbin/init /proc/1/fd/63 /hda5
691 /sbin/kmodule /proc/691/fd/63 /hda5
1703 /usr/sbin/named_sdb /proc/1703/fd/63 /hda5
2052 /usr/sbin/gpm /proc/2052/fd/63 /hda5
2061 /usr/sbin/crond /proc/2061/fd/63 /hda5
2115 /usr/X11R6/bin/xfs /proc/2115/fd/63 /hda5
2124 /usr/sbin/atd /proc/2124/fd/63 /hda5
2387 /bin/bash /proc/2387/fd/63 /hda5
2444 /usr/bin/kdm /proc/2444/fd/63 /hda5
2446 /usr/X11R6/bin/Xorg /proc/2446/fd/63 /hda5
2447 /usr/bin/kdm /proc/2447/fd/63 /hda5
2517 /bin/bash /proc/2517/fd/63 /hda5
2566 /usr/bin/ssh-agent /proc/2566/fd/63 /hda5
2569 /usr/bin/dbus-daemon /proc/2569/fd/63 /hda5
2570 /usr/bin/dbus-launch /proc/2570/fd/63 /hda5
2634 /usr/bin/kdeinit /proc/2634/fd/63 /hda5
...
EVERY PROCESS ON THE SYSTEM !

There is no /hda5 path on the system : 
$ ls /hda5
ls: /hda5: No such file or directory

I think these FDs for /hda5 are actually to /dev/hda5 , as shown by all 
the AVCs these processes generate, which are for the 'tmpfs' device :

type=AVC msg=audit(1129837114.125:61): avc:  denied  { use } for  pid=1800
comm="rpc.idmapd" name="hda5" dev=tmpfs ino=623
scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:kernel_t:s0
tclass=fd
type=AVC_PATH msg=audit(1129837114.125:61):  path="/hda5"
type=AVC msg=audit(1129837114.341:62): avc:  denied  { use } for  pid=1820
comm="ypbind" name="hda5" dev=tmpfs ino=623
scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:system_r:kernel_t:s0
tclass=fd
type=AVC_PATH msg=audit(1129837114.341:62):  path="/hda5"
type=AVC msg=audit(1129837114.761:63): avc:  denied  { use } for  pid=1853
comm="rpc.statd" name="hda5" dev=tmpfs ino=623
scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:kernel_t:s0
tclass=fd
type=AVC_PATH msg=audit(1129837114.761:63):  path="/hda5"
type=AVC msg=audit(1129837115.633:64): avc:  denied  { use } for  pid=1889
comm="mDNSResponder" name="hda5" dev=tmpfs ino=623
scontext=system_u:system_r:howl_t:s0 tcontext=system_u:system_r:kernel_t:s0
tclass=fd
...
HUNDREDS MORE !

This bug causes no other problem than these AVC messages with SELinux Enforcing.

However, if I did not have SELinux in Enforcing mode, then perhaps EVERY 
process would be able to "use" / read the swap device on FD 63, which is bad . 

Version-Release number of selected component (if applicable):
kernel-2.6.13-1.1617_FC5
SysVinit-2.85-42

How reproducible:
100%


Steps to Reproduce:
boot system
  
Actual results:

observe hda5 AVC for every process launched in /var/log/messages and
/var/log/audit/audit.log, eg.:

Oct 20 15:36:53 jvdias kernel: audit(1129837013.522:108): avc:  denied  { use }
for  pid=3318 comm="auditctl" name="hda5" dev=tmpfs ino=623
scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:system_r:kernel_t:s0
tclass=fd
Oct 20 15:36:53 jvdias kernel: audit(1129837013.522:108):  path="/hda5"
Oct 20 15:36:53 jvdias kernel: audit(1129837013.694:111): avc:  denied  { use }
for  pid=3329 comm="rndc" name="hda5" dev=tmpfs ino=623
scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Oct 20 15:36:53 jvdias kernel: audit(1129837013.694:111):  path="/hda5"
Oct 20 15:38:38 jvdias kernel: audit(1129837059.648:2): avc:  denied  { use }
for  pid=421 comm="hwclock" name="hda5" dev=tmpfs ino=623
scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:system_r:kernel_t:s0
tclass=fd


Expected results:
No extra FD 63 for each process open to swap device

Comment 1 Daniel Walsh 2005-12-10 18:05:00 UTC
Fixed in mkinitrd.