Bug 133373 - /proc/modules is allowed to be inherited by child processes
Summary: /proc/modules is allowed to be inherited by child processes
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: kudzu
Version: 3
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks: FC3Target FC3SELinux
TreeView+ depends on / blocked
 
Reported: 2004-09-23 16:09 UTC by Russell Coker
Modified: 2014-03-17 02:48 UTC (History)
2 users (show)

Fixed In Version: 1.1.91-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-09-30 05:06:36 UTC


Attachments (Terms of Use)
Fix FILE leak in kudzu (995 bytes, patch)
2004-09-30 00:30 UTC, Miloslav Trmač
no flags Details | Diff

Description Russell Coker 2004-09-23 16:09:04 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.3; Linux) (KHTML, like Gecko)

Description of problem:
As can be seen in the below messages a file handle for /proc/modules is inherited by child processes of firstboot (in this case ntpdate).  The file handle should either be closed before process execution or should be marked close-on-exec.

audit(1095950199.466:0): avc:  denied  { use } for  pid=2841 exe=/usr/sbin/ntpdate path=/proc/modules dev=proc ino=-268435437 scontext=system_u:system_r:ntpd_ttcontext=system_u:system_r:firstboot_t tclass=fd
audit(1095950199.488:0): avc:  denied  { use } for  pid=2841 exe=/usr/sbin/ntpdate path=/proc/modules dev=proc ino=-268435437 scontext=system_u:system_r:ntpd_ttcontext=system_u:system_r:firstboot_t tclass=fd


Version-Release number of selected component (if applicable):
1.3.25-1

How reproducible:
Always

Steps to Reproduce:
boot with SE Linux strict policy and observe the avc messages.

Additional info:

Comment 1 Miloslav Trmač 2004-09-30 00:30:41 UTC
Created attachment 104556 [details]
Fix FILE leak in kudzu

Seems to be caused by a FILE leak in kudzu.

Comment 2 Russell Coker 2004-09-30 01:52:43 UTC
The file handle is labeled with domain firstboot_t.  This means that 
a program running in the firstboot_t domain opened the file handle.  
kudzu runs in domain kudzu_t. 
 
Unless firstboot links in code from kudzu.c I don't think that the 
patch will entirely fix the problem.  That's OK, it'll probably fix 
other problems so it's worth doing. 

Comment 3 Miloslav Trmač 2004-09-30 02:00:24 UTC
The whole chain (I think) is:
firstboot
/usr/share/firstboot/modules/soundcard_gui.py
system-config-soundcard
/usr/lib/python2.3/site-packages/kudzu.py
/usr/lib/python2.3/site-packages/_kudzumodule.so
... which indeed shares code with kudzu.

Comment 4 Bill Nottingham 2004-09-30 03:20:04 UTC
Fixed in CVS, will be in 1.1.89-1.

Comment 5 Bill Nottingham 2004-09-30 05:06:36 UTC
Erm, make that 1.1.91-1.


Note You need to log in before you can comment on or make changes to this bug.