Bug 433313 - rgmanager leaks file descriptors for /var/run/cluster/rgmanager.sk
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: rgmanager (Show other bugs)
5.2
All Linux
low Severity low
Assigned To: Lon Hohberger
Reported: 2008-02-18 11:04 EST by David Juran
Modified: 2009-04-16 18:56 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-01-20 15:57:11 EST


Attachments (Terms of Use)
Fix (733 bytes, patch)
2008-02-25 16:04 EST, Lon Hohberger
no flags Details | Diff
Fixed patch; previous one uses wrong fcntl (733 bytes, patch)
2008-02-25 16:06 EST, Lon Hohberger
no flags Details | Diff

Description David Juran 2008-02-18 11:04:27 EST
Description of problem:
When running httpd as a script-type resource in the RHCS I get the following avc
denial:

avc: denied { read, write } for comm="httpd" dev=sockfs egid=0 euid=0
exe="/usr/sbin/httpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0
path="socket:[1953890]" pid=23542 scontext=user_u:system_r:httpd_t:s0 sgid=0
subj=user_u:system_r:httpd_t:s0 suid=0 tclass=unix_stream_socket
tcontext=user_u:system_r:initrc_t:s0-s0:c0.c1023 tty=(none) uid=0

The socket in question happens to be /var/run/cluster/rgmanager.sk

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-106.el5_1.3
httpd-2.2.3-11.el5_1.3
rgmanager-2.0.31-1.el5

How reproducible:
Every time

Steps to Reproduce:
1. Create a cluster service with a script-type resource that manages
/etc/init.d/httpd
2. start your service
Comment 1 Daniel Walsh 2008-02-18 12:03:23 EST
Is the stdout/stderr of the exec command set to /var/run/cluster/rgmanager.sk?

I believe this will just work, and the avc can be ignored.

rgmanager is not currently a confined application so there is not an easy way to
fix this. 
Comment 2 David Juran 2008-02-19 04:07:46 EST
No, it seems like it's FD 13 and 14, whatever they might be, that are pointing
to /var/run/cluster/rgmanager.sk.
But if rgmanager isn't a confined app (yet), i.e. can't really be expected to
work well with the targeted policy, I think I will need to disable selinux for
now; this was just the first one of the denials that I came upon.
Comment 3 Daniel Walsh 2008-02-19 11:16:33 EST
No, rgmanager.sk should not be leaking file descriptors.  This is not an SELinux
bug, this is an rgmanager.sk bug.

If you are going to exec another application you should close on exec all open
file descriptors.

fcntl(fd, F_SETFD, FD_CLOEXEC)

Not sure what package rgmanager.sk belongs to, but this bug should be reassigned
there.

Comment 4 David Juran 2008-02-20 06:11:21 EST
Sorry, I didn't realise it was a leaked file descriptor. Reassigning and
changing summary.
Lon, if I understood this correctly, when httpd is run as a script-resource by
rgmanager, a file descriptor is leaked from rgmanager to
/var/run/cluster/rgmanager.sk, causing an avc warning.
Comment 5 David Juran 2008-02-20 06:12:41 EST
slippery fingers )-: Changing summary as promised.
Comment 6 Lon Hohberger 2008-02-25 16:04:18 EST
Created attachment 295840 [details]
Fix

Not in CVS^Wgit yet.
Comment 7 Lon Hohberger 2008-02-25 16:06:19 EST
Created attachment 295843 [details]
Fixed patch; previous one uses wrong fcntl
Comment 10 Lon Hohberger 2008-03-05 09:29:05 EST
This is in my git repository but has not been pushed to the central repository yet.
Comment 12 David Juran 2008-03-12 06:53:53 EDT
Well, there still seems to be a problem, even with the patch from comment 7.
When starting rgmanager, everything works without any AVC messages but then I
tried running clusvcadm -r <service> and the service failed to restart with the
following AVC logged:

avc: denied { read, write } for comm="httpd" dev=sockfs egid=0 euid=0
exe="/usr/sbin/httpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 path="socket:[20617]"
pid=6091 scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0
suid=0 tclass=unix_stream_socket tcontext=root:system_r:initrc_t:s0-s0:c0.c1023
tty=(none) uid=0

And again, the socket is /var/run/cluster/rgmanager.sk
Comment 13 Lon Hohberger 2008-03-17 12:39:25 EDT
I had a second patch which fixes it correctly; basically, I needed to set
CLOEXEC after accept() as well.

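Added example, not rgmanager's code and not either attached patch: the close-on-exec rule from comment 3 applied to both the listening socket and the descriptor that accept() returns, as comment 13 requires, with a fork+exec check that shows the accepted descriptor reaching an exec'd child before the flag is set and not after. The /tmp socket path, the helper names, and /bin/sh as the exec'd child are assumptions of this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* fcntl(fd, F_SETFD, FD_CLOEXEC) as in comment 3, keeping other FD flags. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* 1 if a child that exec()s /bin/sh can still reach fd (a leak), 0 if not.
 * ':' with a redirection to the fd fails when the fd is closed in the child. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execl("/bin/sh", "sh", "-c", cmd, (char *)NULL); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Listener plus one accepted connection on a constructed socket path: returns 1
 * if the accepted fd leaks across exec until CLOEXEC is set on it (comment 13)
 * and on the listener, 0 on any setup failure. */
int demo(void)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    snprintf(sa.sun_path, sizeof sa.sun_path, "/tmp/rgmanager-demo-%d.sk", (int)getpid());
    unlink(sa.sun_path);
    int lfd = socket(AF_UNIX, SOCK_STREAM, 0), cfd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (lfd < 0 || cfd < 0 || bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(lfd, 1) < 0 || connect(cfd, (struct sockaddr *)&sa, sizeof sa) < 0)
        return 0;
    int afd = accept(lfd, NULL, NULL);   /* the first patch missed this fd */
    int leaked = afd >= 0 && fd_survives_exec(afd) == 1;
    set_cloexec(lfd);                    /* listener: first patch */
    set_cloexec(afd);                    /* accepted fd: second patch */
    int fixed = fd_survives_exec(afd) == 0 && fd_survives_exec(lfd) == 0;
    close(afd); close(cfd); close(lfd); unlink(sa.sun_path);
    return leaked && fixed;
}
```

Without the second set_cloexec() the shell child still reaches the accepted socket, which is exactly what the AVC in comment 12 reports for httpd.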
Comment 15 David Juran 2008-03-25 11:50:28 EDT
Thanks, now it seems to work fine (-:
Comment 20 errata-xmlrpc 2009-01-20 15:57:11 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0101.html
