Bug 433313
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | rgmanager leaks file descriptors for /var/run/cluster/rgmanager.sk | | |
| Product: | Red Hat Enterprise Linux 5 | Reporter: | David Juran <djuran> |
| Component: | rgmanager | Assignee: | Lon Hohberger <lhh> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 5.2 | CC: | cluster-maint |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-01-20 20:57:11 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description of problem:
When running httpd as a script-type resource in the RHCS I get the following avc denial:

avc: denied { read, write } for comm="httpd" dev=sockfs egid=0 euid=0 exe="/usr/sbin/httpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 path="socket:[1953890]" pid=23542 scontext=user_u:system_r:httpd_t:s0 sgid=0 subj=user_u:system_r:httpd_t:s0 suid=0 tclass=unix_stream_socket tcontext=user_u:system_r:initrc_t:s0-s0:c0.c1023 tty=(none) uid=0

The socket in question happens to be /var/run/cluster/rgmanager.sk

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-106.el5_1.3
httpd-2.2.3-11.el5_1.3
rgmanager-2.0.31-1.el5

How reproducible:
Every time

Steps to Reproduce:
1. Create a cluster service with a script-type resource that manages /etc/init.d/httpd
2. Start your service

Comment 1
Is the stdout/stderr of the exec command set to /var/run/cluster/rgmanager.sk? I believe this will just work, and the avc can be ignored. rgmanager is not currently a confined application so there is not an easy way to fix this.

Comment 2
No, it seems like it's FD 13 and 14, whatever they might be, that are pointing to /var/run/cluster/rgmanager.sk. But if rgmanager isn't a confined app (yet), i.e. can't really be expected to work well with the targeted policy, I think I will need to disable selinux for now; this was just the first one of the denials that I came upon.

Comment 3
No, rgmanager.sk should not be leaking file descriptors. This is not an SELinux bug, this is a rgmanager.sk bug. If you are going to exec another application you should close on exec all open file descriptors: fcntl(fd, F_SETFD, FD_CLOEXEC). Not sure what package rgmanager.sk belongs to, but this bug should be reassigned there.

Comment 4
Sorry, I didn't realise it was a leaked file descriptor. Reassigning and changing summary. Lon, if I understood this correctly, when httpd is run as a script resource by rgmanager, a file descriptor is leaked from rgmanager to /var/run/cluster/rgmanager.sk, causing an avc warning.

Comment 5
slippery fingers )-: Changing summary as promised.

Comment 6
Created attachment 295840 [details]
Fix
Not in CVS^Wgit yet.

Comment 7
Created attachment 295843 [details]
Fixed patch; previous one uses wrong fcntl
This is in my git repository but has not been pushed to the central repository yet.

Comment 8
Well, there still seems to be a problem, even with the patch from comment 7. When starting rgmanager, everything works without any AVC messages, but then I tried running clusvcadm -r <service> and the service failed to restart with the following AVC logged:

avc: denied { read, write } for comm="httpd" dev=sockfs egid=0 euid=0 exe="/usr/sbin/httpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 path="socket:[20617]" pid=6091 scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0 suid=0 tclass=unix_stream_socket tcontext=root:system_r:initrc_t:s0-s0:c0.c1023 tty=(none) uid=0

And again, the socket is /var/run/cluster/rgmanager.sk

Comment 9
I had a second patch which fixes it correctly; basically, I needed to set CLOEXEC after accept() as well.

Comment 10
Thanks, now it seems to work fine (-:

Comment 11
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2009-0101.html