Running strict enforcing off of Rawhide, udev is
still leaking fds across execs, especially
execs of /sbin/restorecon.
Here is an example avc showing the leak:
Aug 14 19:35:38 fedora kernel: audit(1092537300.503:0): avc: denied { read write } for pid=1214 exe=/sbin/restorecon path=socket:[1188] dev=sockfs ino=1188 scontext=system_u:system_r:restorecon_t tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket
Probing a bit (and using Russell's suggestion to 'wrap' /sbin/restorecon), I figured
out that udev is still 'leaking' open files across the exec of
/etc/dev.d/default/selinux.dev. [udev is not calling
fcntl(fd, F_SETFD, FD_CLOEXEC) .]
I'll bugzilla this here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130100
but here is a patch to /etc/dev.d/default/selinux.dev
that closes enough (all?) of the problematic file descriptors before
exec-ing /sbin/restorecon.
tom
--- selinux.dev 2004-08-15 08:58:13.000000000 -0700
+++ /etc/dev.d/default/selinux.dev 2004-08-14 20:19:12.000000000 -0700
@@ -10,5 +10,5 @@
if [ "$UDEV_LOG" = "yes" -a -x /usr/bin/logger ]; then
/usr/bin/logger -t selinux.dev -p auth.debug "Restoring file security contexts for $DEVNAME"
fi
- /sbin/restorecon $DEVNAME 4<&-
+ /sbin/restorecon $DEVNAME 3<&- 4<&- 5<&- 6<&-
fi
--
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm
