Bug 153009 - Init seems to be leaving a file descriptor open
Status: CLOSED DUPLICATE of bug 145601
Product: Fedora
Classification: Fedora
Component: sysvinit (Show other bugs)
Version: rawhide
Hardware: All Linux
Priority: medium  Severity: medium
Assigned To: Bill Nottingham
David Lawrence
Reported: 2005-03-31 16:27 EST by Daniel Walsh
Modified: 2014-03-16 22:53 EDT (History)
Doc Type: Bug Fix
Last Closed: 2005-04-01 15:18:04 EST
Description Daniel Walsh 2005-03-31 16:27:02 EST
Description of problem:
Several apps are reporting the need for read access to /init in SELinux


type=KERNEL msg=audit(1112272973.337:8151995): avc:  denied  { use } for 
pid=7254 exe=/usr/sbin/tmpwatch path=/null dev=selinuxfs ino=279
scontext=system_u:system_r:tmpreaper_t tcontext=system_u:system_r:init_t tclass=fd

This usually means a file descriptor was not closed on exec.

Comment 1 Bill Nottingham 2005-03-31 17:08:07 EST
How is a process spawned via cron having a FD open to /dev/null an init bug?
Comment 2 Daniel Walsh 2005-04-01 13:20:11 EST
Init owns the FD.  It gets handed down to all the processes init starts and all
the processes started by them, and so on.  So we end up with errors like the following

allow logrotate_t init_t:fd use;
allow system_mail_t init_t:fd use;
allow tmpreaper_t init_t:fd use;
allow kernel_t init_t:fd use;
allow acct_t init_t:fd use;
allow httpd_t init_t:fd use;
allow apmd_t init_t:fd use;
allow arpwatch_t init_t:fd use;
allow auditd_t init_t:fd use;
allow automount_t init_t:fd use;
allow bluetooth_t init_t:fd use;
allow canna_t init_t:fd use;
allow cardmgr_t init_t:fd use;
allow checkpolicy_t init_t:fd use;
allow clockspeed_t init_t:fd use;
allow cpucontrol_t init_t:fd use;
allow cpuspeed_t init_t:fd use;
allow crond_t init_t:fd use;
allow system_crond_t init_t:fd use;
dontaudit system_crond_su_t init_t:fd use;
allow cupsd_t init_t:fd use;
allow ptal_t init_t:fd use;
allow cupsd_config_t init_t:fd use;
allow cyrus_t init_t:fd use;
allow system_dbusd_t init_t:fd use;
allow dhcpc_t init_t:fd use;
allow dhcpd_t init_t:fd use;
allow dictd_t init_t:fd use;
allow dmesg_t init_t:fd use;
allow dovecot_t init_t:fd use;
allow fetchmail_t init_t:fd use;
allow fingerd_t init_t:fd use;
allow fsadm_t init_t:fd use;
allow fsdaemon_t init_t:fd use;
allow ftpd_t init_t:fd use;
allow games_t init_t:fd use;
allow getty_t init_t:fd use;
allow getty_t init_t:fd use;
allow gpm_t init_t:fd use;
allow hald_t init_t:fd use;
allow hostname_t init_t:fd use;
allow hotplug_t init_t:fd use;
allow howl_t init_t:fd use;
allow hwclock_t init_t:fd use;
allow i18n_input_t init_t:fd use;
allow ifconfig_t run_init_t:fd use;
allow inetd_t init_t:fd use;
dontaudit initrc_su_t init_t:fd use;
allow sysadm_t run_init_t:fd use;
allow sysadm_chkpwd_t run_init_t:fd use;
allow initrc_t run_init_t:fd use;
allow initrc_t init_t:fd use;
allow sysadm_t init_t:fd use;
allow innd_t init_t:fd use;
allow ipsec_t init_t:fd use;
allow iptables_t init_t:fd use;
allow irqbalance_t init_t:fd use;
allow krb5kdc_t init_t:fd use;
allow kadmind_t init_t:fd use;
allow klogd_t init_t:fd use;
allow kudzu_t init_t:fd use;
dontaudit local_login_t init_t:fd use;
allow lpd_t init_t:fd use;
allow checkpc_t init_t:fd use;
allow lvm_t init_t:fd use;
allow lvm_t init_t:fd use;
allow mdadm_t init_t:fd use;
allow update_modules_t init_t:fd use;
allow mount_t init_t:fd use;
allow mrtg_t init_t:fd use;
allow mysqld_t init_t:fd use;
allow named_t init_t:fd use;
allow NetworkManager_t init_t:fd use;
allow nscd_t init_t:fd use;
allow ntpd_t init_t:fd use;
allow pam_console_t init_t:fd use;
allow portmap_t init_t:fd use;
allow postfix_master_t init_t:fd use;
allow postfix_smtp_t init_t:fd use;
allow postfix_smtpd_t init_t:fd use;
allow postfix_local_t init_t:fd use;
allow postfix_cleanup_t init_t:fd use;
allow postfix_postqueue_t init_t:fd use;
allow postfix_showq_t init_t:fd use;
allow postfix_postdrop_t init_t:fd use;
allow postfix_pickup_t init_t:fd use;
allow postfix_qmgr_t init_t:fd use;
allow postfix_bounce_t init_t:fd use;
allow postfix_pipe_t init_t:fd use;
allow postgresql_t init_t:fd use;
allow pppd_t init_t:fd use;
allow prelink_t init_t:fd use;
allow privoxy_t init_t:fd use;
allow quota_t init_t:fd use;
allow radiusd_t init_t:fd use;
allow radvd_t init_t:fd use;
allow rhgb_t init_t:fd use;
allow rpcd_t init_t:fd use;
allow nfsd_t init_t:fd use;
allow gssd_t init_t:fd use;
allow smbd_t init_t:fd use;
allow nmbd_t init_t:fd use;
allow saslauthd_t init_t:fd use;
allow sendmail_t init_t:fd use;
allow slapd_t init_t:fd use;
allow locate_t init_t:fd use;
allow slrnpull_t init_t:fd use;
allow snmpd_t init_t:fd use;
allow sound_t init_t:fd use;
allow spamd_t init_t:fd use;
allow squid_t init_t:fd use;
allow { sshd_t sshd_extern_t } init_t:fd use;
allow ssh_keygen_t init_t:fd use;
allow syslogd_t init_t:fd use;
allow sysstat_t init_t:fd use;
allow tftpd_t init_t:fd use;
allow timidity_t init_t:fd use;
allow udev_t init_t:fd use;
allow uml_switch_t init_t:fd use;
allow updfstab_t init_t:fd use;
allow usbmodules_t init_t:fd use;
allow vmware_t init_t:fd use;
allow vpnc_t init_t:fd use;
allow winbind_t init_t:fd use;
allow xdm_t init_t:fd use;
allow xdm_t init_t:fd use;
allow xdm_xserver_t init_t:fd use;
allow xfs_t init_t:fd use;
allow ypbind_t init_t:fd use;
allow ypserv_t init_t:fd use;
allow zebra_t init_t:fd use;
Comment 3 Daniel Walsh 2005-04-01 13:23:23 EST
On Thu, 2005-03-31 at 14:00 -0500, Ivan Gyurdiev wrote:

>> What's causing those?
>> 
>> audit(1112259892.387:9374931): avc:  denied  { use } for  pid=10993
>> exe=/usr/sbin/sendmail.sendmail path=/null dev=selinuxfs ino=245
>> scontext=system_u:system_r:system_mail_t
>> tcontext=system_u:system_r:init_t tclass=fd
>> 
>> audit(1112259892.551:9376543): avc:  denied  { use } for  pid=10996
>> exe=/usr/sbin/tmpwatch path=/null dev=selinuxfs ino=245
>> scontext=system_u:system_r:tmpreaper_t tcontext=system_u:system_r:init_t
>> tclass=fd
>> 
>> audit(1112259892.620:9377236): avc:  denied  { use } for  pid=10999
>> exe=/usr/sbin/logrotate path=/null dev=selinuxfs ino=245
>> scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:init_t
>> tclass=fd


Looks like /sbin/init is leaking a descriptor to something, and then
SELinux is closing it and re-opening it to the null device node in
selinuxfs upon the domain transition to crond (which is then passed on
to its children).

-- Stephen Smalley <sds@tycho.nsa.gov> National Security Agency 
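The leak described above is a descriptor left open without close-on-exec, so every child inherits it across exec(). As an added example (not code from this bug or from sysvinit), the C program below audits which descriptors a process would hand to its children and fixes one with fcntl(); the helper names such as count_leaking_fds are this example's own.

```c
/* Added example (not from this bug or from sysvinit): find descriptors that
 * would be inherited across exec() and close the gap with FD_CLOEXEC. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* 1 if fd is open and survives exec() (no FD_CLOEXEC), 0 if it is closed on
 * exec, -1 if fd is not open at all. */
static int fd_leaks_across_exec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Count descriptors >= min_fd in /proc/self/fd that lack FD_CLOEXEC;
 * -1 if /proc is unavailable. The directory handle itself is skipped. */
static int count_leaking_fds(int min_fd) {
    DIR *d = opendir("/proc/self/fd");
    if (!d) return -1;
    int dfd = dirfd(d), n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);
        if (*end != '\0' || fd < min_fd || fd == dfd) continue;
        if (fd_leaks_across_exec((int)fd) == 1) n++;
    }
    closedir(d);
    return n;
}

/* Mark fd close-on-exec so children started with exec() do not inherit it. */
static int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

int main(void) {
    /* Constructed scenario: a descriptor opened without O_CLOEXEC. */
    int leaked = open("/dev/null", O_RDONLY);
    printf("inheritable fds (>=3) before fix: %d\n", count_leaking_fds(3));
    set_cloexec(leaked);
    printf("inheritable fds (>=3) after fix:  %d\n", count_leaking_fds(3));
    close(leaked);
    return 0;
}
```

Running the audit just before an exec() in a daemon or init script is the quickest way to see which descriptors will show up as init_t:fd use denials in the child domain.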
Comment 4 Bill Nottingham 2005-04-01 14:23:49 EST
When did this start? The only recent changes were the sepol_genusers changes,
and looking at the code, that could imply a leak in libselinux.
Comment 5 Daniel Walsh 2005-04-01 14:36:51 EST
No, I think this is old.  Most of the allow messages above are in current policy,
and were generated back when we were using strict policy.  So I think this has
been there for a while.  The report came from some new people who are playing
with strict policy.  I am now running with strict and am seeing the first three.

Dan
Comment 6 Bill Nottingham 2005-04-01 15:18:04 EST

*** This bug has been marked as a duplicate of 145601 ***
Comment 7 David Lawrence 2007-06-21 22:11:07 EDT
Package name is now sysvinit in Fedora.