Bug 130100 - open file descriptors across exec of /sbin/restorecon
Summary: open file descriptors across exec of /sbin/restorecon
Status: CLOSED DUPLICATE of bug 130351
Alias: None
Product: Fedora
Classification: Fedora
Component: udev
Version: rawhide
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact:
Depends On:
Blocks: FC3Target
TreeView+ depends on / blocked
Reported: 2004-08-17 02:17 UTC by Tom London
Modified: 2007-11-30 22:10 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2006-02-21 19:05:08 UTC

Attachments (Terms of Use)

Description Tom London 2004-08-17 02:17:04 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7)
Gecko/20040803 Firefox/0.9.3

Description of problem:
Running strict enforcing off of Rawhide, udev is 
still leaking fds across execs, especially
execs of /sbin/restorecon.

Here is an example avc showing the leak:

    Aug 14 19:35:38 fedora kernel: audit(1092537300.503:0): avc: 
denied  { read write } for  pid=1214 exe=/sbin/restorecon
path=socket:[1188] dev=sockfs ino=1188
tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket

It appears that udev is not calling
fcntl(fd, F_SETFD, FD_CLOEXEC) on some
file descriptors.

Here is a patch to /etc/dev.d/default/selinux.dev
that closes enough (all?) of the problematic file descriptors before
exec-ing /sbin/restorecon, but I think the proper fix
is to call fcntl(..., ..., FD_CLOEXEC).

--- selinux.dev 2004-08-15 08:58:13.000000000 -0700
+++ /etc/dev.d/default/selinux.dev      2004-08-14 20:19:12.000000000
@@ -10,5 +10,5 @@
        if [ "$UDEV_LOG" = "yes" -a -x /usr/bin/logger ]; then
                /usr/bin/logger -t selinux.dev -p auth.debug
"Restoring file security contexts for $DEVNAME"
-       /sbin/restorecon $DEVNAME 4<&-
+       /sbin/restorecon $DEVNAME 3<&- 4<&- 5<&- 6<&-

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. run with SELinux strict/enforcing
2. look at log

Additional info:

Comment 1 Harald Hoyer 2004-08-19 14:50:58 UTC

*** This bug has been marked as a duplicate of 130351 ***

Comment 2 Red Hat Bugzilla 2006-02-21 19:05:08 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.