While testing qdiskd with a ping heuristic on a cluster system with SELinux in enforcing mode, I noticed some odd AVC denial messages. It eventually led me to discover that the qdisk_open function wasn't properly closing open file descriptors to some of my block devices before returning on certain errors. The end result was that the ping heuristic inherited these open FDs, which were in violation of the ping SELinux policy.

In my specific case the lseek() call was failing for the partitions corresponding to my extended partition container on my boot drives. I scanned the rest of the function and noticed a couple of other calls where it seemed like closing the file descriptor before returning was also appropriate. With this patch I haven't been able to reproduce the SELinux denial messages.

This patch is against the RHEL52 code, but seems to also be applicable on Fedora 9 and the git master branch.

What is the proper way to submit patches? Should I open a bug report somewhere?

Thanks,
Sean

diff -ru cman-2.0.84/cman/qdisk/disk.c cman-2.0.84-fixed/cman/qdisk/disk.c --- cman-2.0.84/cman/qdisk/disk.c 2008-04-15 16:15:23.000000000 -0400 +++ cman-2.0.84-fixed/cman/qdisk/disk.c 2008-08-29 00:03:38.000000000 -0400 @@ -228,6 +228,7 @@ ret = ioctl(disk->d_fd, BLKSSZGET, &ssz); if (ret < 0) { perror("qdisk_open: ioctl(BLKSSZGET)"); + close(disk->d_fd); return -1; } @@ -238,12 +239,14 @@ ret = lseek(disk->d_fd, END_OF_DISK(disk->d_blksz), SEEK_SET); if (ret < 0) { perror("open_partition: seek"); + close(disk->d_fd); return -1; } if (ret < END_OF_DISK(disk->d_blksz)) { fprintf(stderr, "Partition %s too small\n", name); errno = EINVAL; + close(disk->d_fd); return -1; }
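
Review bot: In the first hunk (@@ -228,6 +228,7 @@, the ioctl(BLKSSZGET) failure path), disk->d_fd still holds the descriptor number after close(disk->d_fd), so anything that later looks at this struct sees a value that appears valid but is closed, or has been reused by a later open. Consider following the close with disk->d_fd = -1 before the return. close() can also overwrite errno, so if callers inspect errno after the -1 return, save it before the close and restore it afterwards; the perror() call has already run at that point, so only the value handed back to the caller is affected.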
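
Review bot: In the second hunk (@@ -238,12 +239,14 @@), the "Partition %s too small" branch sets errno = EINVAL and only then calls close(disk->d_fd); if that close fails it replaces EINVAL with its own error code before return -1. Move the close above the errno assignment so the caller reliably sees EINVAL. With this patch the function has three error exits that each repeat the same close, so a single cleanup label that closes the descriptor, resets disk->d_fd and returns -1 would keep a future error path from reintroducing the leak. As a style point, the lseek failure message in the context lines is prefixed "open_partition:" while the ioctl one says "qdisk_open:"; a consistent prefix would make the log easier to trace back.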
-- Linux-cluster mailing list Linux-cluster@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/linux-cluster