On Tue, 2004-08-17 at 07:27, Stephen Smalley wrote:
> I've seen udev leaking a descriptor to a Unix datagram socket to its
> helper programs, but that is usually labeled udev_t (but would be
> kernel_t if you didn't install the udev policy or label udev properly,
> so that kernel_t failed to transition to udev_t when running udev).
>
> I've also seen the kernel leaking descriptors to rootfs entries unpacked
> from the initramfs to all processes; SELinux stomps on those and resets
> them to the null device.

BTW, I don't know whether the udev helper socket inheritance is
intentional (e.g. to collect output from the helper program) or an
accident - I haven't looked at the code.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
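The two mechanisms discussed in the message (a descriptor surviving exec into a helper program, and a leaked descriptor being replaced by the null device) can be reproduced in a small Linux program. The code below is an added illustration and is not from the list thread, udev or the SELinux kernel code; the function names are hypothetical, and it assumes a Linux /proc filesystem. It creates the parent's end of a Unix datagram socket with and without SOCK_CLOEXEC, checks with fcntl(F_GETFD) which of the two a helper program would inherit, audits /proc/self/fd for inheritable descriptors, and emulates in user space the reset-to-/dev/null behaviour the message attributes to SELinux.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd would be inherited across execve (FD_CLOEXEC not set),
   0 if it is close-on-exec, -1 if fd is not open. */
int fd_leaks_across_exec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Parent's end of a Unix datagram socket pair, as a daemon might use to
   talk to a helper. cloexec=1 marks it close-on-exec so an exec'd helper
   does not inherit it; cloexec=0 reproduces the leak. Returns fd or -1. */
int make_helper_socket(int cloexec) {
    int type = SOCK_DGRAM | (cloexec ? SOCK_CLOEXEC : 0);
    int sv[2];
    if (socketpair(AF_UNIX, type, 0, sv) < 0) return -1;
    close(sv[1]);               /* only the parent's end is kept here */
    return sv[0];
}

/* Audit: number of descriptors above stdin/stdout/stderr that an exec'd
   child would inherit. Reads /proc/self/fd (Linux-specific; -1 if absent)
   and skips the directory handle used for the scan itself. */
int count_inheritable_fds(void) {
    DIR *d = opendir("/proc/self/fd");
    if (!d) return -1;
    int self = dirfd(d), count = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] < '0' || e->d_name[0] > '9') continue; /* "." and ".." */
        int fd = atoi(e->d_name);
        if (fd <= 2 || fd == self) continue;
        if (fd_leaks_across_exec(fd) == 1) count++;
    }
    closedir(d);
    return count;
}

/* User-space emulation of the reset described for SELinux: the leaked
   descriptor keeps its number but now refers to the null device, so the
   inheriting program cannot reach the original object through it. */
int neutralize_fd(int fd) {
    int null_fd = open("/dev/null", O_RDWR);
    if (null_fd < 0) return -1;
    int rc = (dup2(null_fd, fd) < 0) ? -1 : 0;
    close(null_fd);
    return rc;
}

/* 1 if fd refers to a character device (what /dev/null is), 0 otherwise, -1 on error. */
int fd_is_char_device(int fd) {
    struct stat st;
    if (fstat(fd, &st) < 0) return -1;
    return S_ISCHR(st.st_mode) ? 1 : 0;
}

int main(void) {
    int before = count_inheritable_fds();
    int leaky = make_helper_socket(0);
    int safe = make_helper_socket(1);
    printf("inheritable fds before: %d, after creating both sockets: %d\n",
           before, count_inheritable_fds());
    printf("leaky socket inherited across exec: %d, cloexec socket: %d\n",
           fd_leaks_across_exec(leaky), fd_leaks_across_exec(safe));
    neutralize_fd(leaky);
    printf("leaky fd now a char device (null device): %d\n", fd_is_char_device(leaky));
    close(leaky);
    close(safe);
    return 0;
}
```

Run as a normal user; no privileges are needed. The audit counts only the descriptor created without SOCK_CLOEXEC, which is exactly the class of descriptor a helper program would find open after exec.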