Bug 433313 - rgmanager leaks file descriptors for /var/run/cluster/rgmanager.sk
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: rgmanager
All Linux
low Severity low
Assigned To: Lon Hohberger
Reported: 2008-02-18 11:04 EST by David Juran
Modified: 2009-04-16 18:56 EDT
Doc Type: Bug Fix
Last Closed: 2009-01-20 15:57:11 EST

Attachments
Fix (733 bytes, patch)
2008-02-25 16:04 EST, Lon Hohberger
Fixed patch; previous one uses wrong fcntl (733 bytes, patch)
2008-02-25 16:06 EST, Lon Hohberger
Description David Juran 2008-02-18 11:04:27 EST
Description of problem:
When running httpd as a script-type resource in the RHCS I get the following avc

avc: denied { read, write } for comm="httpd" dev=sockfs egid=0 euid=0
exe="/usr/sbin/httpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0
path="socket:[1953890]" pid=23542 scontext=user_u:system_r:httpd_t:s0 sgid=0
subj=user_u:system_r:httpd_t:s0 suid=0 tclass=unix_stream_socket
tcontext=user_u:system_r:initrc_t:s0-s0:c0.c1023 tty=(none) uid=0

The socket in question happens to be /var/run/cluster/rgmanager.sk

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Create a cluster service with a script-type resource that manages
2. start your service
Comment 1 Daniel Walsh 2008-02-18 12:03:23 EST
Is the stdout/stderr of the exec command set to /var/run/cluster/rgmanager.sk?

I believe this will just work, and the avc can be ignored.

rgmanager is not currently a confined application so there is not an easy way to
fix this. 
Comment 2 David Juran 2008-02-19 04:07:46 EST
No, it seems like it's FD 13 and 14, whatever they might be, that are pointing
to /var/run/cluster/rgmanager.sk.
But if rgmanager isn't a confined app (yet), i.e. can't really be expected to
work well with the targeted policy I think I will need to disable selinux for
now, this was just the first one of the denials that I came upon.
Comment 3 Daniel Walsh 2008-02-19 11:16:33 EST
No, rgmanager.sk should not be leaking file descriptors.  This is not an SELinux
bug, this is a rgmanager.sk bug.

If you are going to exec another application you should close on exec all open
file descriptors.

fcntl(fd, F_SETFD, FD_CLOEXEC)

Not sure what package rgmanager.sk belongs to, but this bug should be reassigned

Comment 4 David Juran 2008-02-20 06:11:21 EST
Sorry, I didn't realise it was a leaked file descriptor. Reassigning and
changing summary.
Lon, if I understood this correctly, when httpd is run as a script-resource by
rgmanager, a file descriptor is leaked from rgmanager to
/var/run/cluster/rgmanager.sk, causing an avc warning.
Comment 5 David Juran 2008-02-20 06:12:41 EST
slippery fingers )-: Changing summary as promised.
Comment 6 Lon Hohberger 2008-02-25 16:04:18 EST
Created attachment 295840 [details]

Not in CVS^Wgit yet.
Comment 7 Lon Hohberger 2008-02-25 16:06:19 EST
Created attachment 295843 [details]
Fixed patch; previous one uses wrong fcntl
Comment 10 Lon Hohberger 2008-03-05 09:29:05 EST
This is in my git repository but has not been pushed to the central repository yet.
Comment 12 David Juran 2008-03-12 06:53:53 EDT
Well, there still seems to be a problem, even with the patch from comment 7.
When starting rgmanager, everything works without any AVC messages but then I
tried running clusvcadm -r <service> and the service failed to restart with the
following AVC logged:

avc: denied { read, write } for comm="httpd" dev=sockfs egid=0 euid=0
exe="/usr/sbin/httpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 path="socket:[20617]"
pid=6091 scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0
suid=0 tclass=unix_stream_socket tcontext=root:system_r:initrc_t:s0-s0:c0.c1023
tty=(none) uid=0

And again, the socket is /var/run/cluster/rgmanager.sk
Comment 13 Lon Hohberger 2008-03-17 12:39:25 EDT
I had a second patch which fixes it correctly; basically, I needed to set
CLOEXEC after accept() as well.

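The behaviour behind comments 3, 12 and 13, as an added example that is not rgmanager's code or either attached patch: a listening socket marked close-on-exec still hands out accept()ed descriptors without FD_CLOEXEC, so each accepted descriptor must be marked as well. The helper names and the abstract-namespace socket name "cloexec-demo" are assumptions made for illustration.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Set FD_CLOEXEC, keeping any other descriptor flags. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}
/* 1: closed at exec(); 0: inherited by the exec'd program; -1: error. */
int is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) != 0;
}
/* Constructed Linux abstract-namespace address: no socket file is created. */
static socklen_t demo_addr(struct sockaddr_un *sa, const char *name) {
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    strncpy(sa->sun_path + 1, name, sizeof(sa->sun_path) - 2);
    return (socklen_t)(sizeof(sa->sun_family) + 1 + strlen(sa->sun_path + 1));
}
/* Listening socket marked close-on-exec. */
int make_listener(const char *name) {
    struct sockaddr_un sa;
    socklen_t len = demo_addr(&sa, name);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd >= 0 && (bind(fd, (struct sockaddr *)&sa, len) < 0 ||
                    listen(fd, 5) < 0 || set_cloexec(fd) < 0)) {
        close(fd);
        fd = -1;
    }
    return fd;
}
/* Connect a client (returned in *client) and accept it on lfd. */
int accept_client(int lfd, const char *name, int *client) {
    struct sockaddr_un sa;
    socklen_t len = demo_addr(&sa, name);
    *client = socket(AF_UNIX, SOCK_STREAM, 0);
    if (*client < 0 || connect(*client, (struct sockaddr *)&sa, len) < 0)
        return -1;
    return accept(lfd, NULL, NULL);  /* new fd does not inherit FD_CLOEXEC */
}

int main(void) {
    int client, lfd = make_listener("cloexec-demo");
    int fd = accept_client(lfd, "cloexec-demo", &client);
    /* exit 0 when the accepted fd starts inheritable and set_cloexec() fixes it */
    return (is_cloexec(fd) == 0 && set_cloexec(fd) == 0 && is_cloexec(fd) == 1) ? 0 : 1;
}
```

On Linux, accept4() with SOCK_CLOEXEC sets the flag atomically at accept time, which also closes the window between accept() and fcntl() in a multithreaded daemon.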
Comment 15 David Juran 2008-03-25 11:50:28 EDT
Thanks, now it seems to work fine (-:
Comment 20 errata-xmlrpc 2009-01-20 15:57:11 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.