Red Hat Bugzilla – Bug 496973
Crond leaks its inotify file descriptor
Last modified: 2009-04-23 05:30:44 EDT
src/cron.c::main() has this call to set up the inotify file descriptor:

    database.ifd = fd = inotify_init();
    if (fd < 0)
        log_it("CRON", pid, "INFO", "Inotify init failed", errno);
But this means that fd is going to be leaked to its children on exec. SELinux spotted denials that are almost certainly because of this leaked file descriptor across execve.
I suggest using

    database.ifd = fd = inotify_init1(IN_CLOEXEC);

instead of just inotify_init().
Thanks for the report.
It's better to use fcntl here, because inotify_init1 has only been available since kernel-2.6.27 and cronie should also be usable with older kernels.