Bug 130100 - open file descriptors across exec of /sbin/restorecon
Status: CLOSED DUPLICATE of bug 130351
Product: Fedora
Classification: Fedora
Component: udev
Hardware: i686 Linux
Priority: medium, Severity: medium
Assigned To: Harald Hoyer
Blocks: FC3Target
Reported: 2004-08-16 22:17 EDT by Tom London
Modified: 2007-11-30 17:10 EST (History)
Last Closed: 2006-02-21 14:05:08 EST
Description Tom London 2004-08-16 22:17:04 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7)
Gecko/20040803 Firefox/0.9.3

Description of problem:
Running strict enforcing off of Rawhide, udev is still leaking fds
across execs, especially execs of /sbin/restorecon.

Here is an example avc showing the leak:

    Aug 14 19:35:38 fedora kernel: audit(1092537300.503:0): avc: denied  { read write } for  pid=1214 exe=/sbin/restorecon path=socket:[1188] dev=sockfs ino=1188 tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket

It appears that udev is not calling fcntl(fd, F_SETFD, FD_CLOEXEC)
on some file descriptors.

Here is a patch to /etc/dev.d/default/selinux.dev that closes enough
(all?) of the problematic file descriptors before exec-ing
/sbin/restorecon, but I think the proper fix is to call
fcntl(..., ..., FD_CLOEXEC).

--- selinux.dev 2004-08-15 08:58:13.000000000 -0700
+++ /etc/dev.d/default/selinux.dev      2004-08-14 20:19:12.000000000
@@ -10,5 +10,5 @@
        if [ "$UDEV_LOG" = "yes" -a -x /usr/bin/logger ]; then
                /usr/bin/logger -t selinux.dev -p auth.debug
"Restoring file security contexts for $DEVNAME"
-       /sbin/restorecon $DEVNAME 4<&-
+       /sbin/restorecon $DEVNAME 3<&- 4<&- 5<&- 6<&-
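
Review bot: hard-coding `3<&- 4<&- 5<&- 6<&-` on the restorecon line only covers descriptors 3 to 6, so anything udev leaves open at 7 or above is still inherited by /sbin/restorecon, and the list has to be revisited whenever udev's descriptor usage changes. Setting FD_CLOEXEC in udev at the point each descriptor is created, as the description proposes, removes the need to enumerate numbers in every /etc/dev.d script. Separately, $DEVNAME is unquoted on the same line; writing it as "$DEVNAME" avoids word splitting on the device name.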

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. run with SELinux strict/enforcing
2. look at log

Additional info:
Comment 1 Harald Hoyer 2004-08-19 10:50:58 EDT

*** This bug has been marked as a duplicate of 130351 ***
Comment 2 Red Hat Bugzilla 2006-02-21 14:05:08 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
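
Added example, not code from udev or from this bug report: a small C program showing the behaviour the description refers to, where a unix datagram socket is inherited across exec unless fcntl(fd, F_SETFD, FD_CLOEXEC) is set on it first. The function names, the /bin/sh helper and the /proc/self/fd check are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set close-on-exec, preserving any other descriptor flags. */
static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Open a unix datagram socket (the class in the AVC), optionally mark it
 * close-on-exec, then fork and exec a helper that tests whether it inherited
 * the descriptor. Returns 1 if it survived the exec, 0 if not, -1 on error.
 * Assumes Linux with /proc mounted and a POSIX /bin/sh. */
int fd_survives_exec(int mark_cloexec)
{
    char cmd[64];
    int status;
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd == -1)
        return -1;
    if (mark_cloexec && set_cloexec(fd) == -1) {
        close(fd);
        return -1;
    }
    snprintf(cmd, sizeof cmd, "[ -e /proc/self/fd/%d ]", fd);

    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127); /* exec itself failed */
    }
    close(fd);
    if (pid == -1 || waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: inherited=%d\n", fd_survives_exec(0));
    printf("with FD_CLOEXEC:    inherited=%d\n", fd_survives_exec(1));
    return 0;
}
```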
