Re: dhclient-script avc error f7

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tim Fenn wrote:
> On Tue, 2 Oct 2007 11:07:09 -0700 Tim Fenn <fenn@xxxxxxxxxxxx> wrote:
> 
>> I recently dove into policy writing, but will rewrite my policy based
>> on the domain transfer suggestion and report back once I have
>> something working.
>>
> 
> Here is the policy I cooked up:
> 
> <policy>
> policy_module(mydhcp,1.0.0)
> 
> ########################################
> #
> # Declarations
> #
> require {
>         type dhcpc_t;
>         type insmod_t;
>         type iptables_t;
>         class rawip_socket { read write };
> }
> 
> iptables_domtrans(dhcpc_t)
> 
> #============= insmod_t ==============
> allow insmod_t iptables_t:rawip_socket { read write };
> </policy>
> 
> Not sure if it would be best to transfer iptables_t to modutils here?
> 
> -Tim
> 
This looks like iptables is leaking a file descriptor, and the kernel is
checking if insmod_t has access to it.  It does not so the kernel closes
it and replaces it with /dev/null.  So this is not going to affect you
code, but should be reported as a bug in iptables.

fcntl(fd, F_SETFD, FD_CLOEXEC)

should be closed on on open file descriptors before fork/exec.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHBpH0rlYvE4MpobMRAtwMAKDTSbyTUSeXvaMWafn8lxDQ9JpRLgCgzSNU
KV2dnNk+NphbkQRFeZiWehg=
=OY/M
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux