Tim Fenn wrote:
> On Tue, 2 Oct 2007 11:07:09 -0700 Tim Fenn <fenn@xxxxxxxxxxxx> wrote:
>
>> I recently dove into policy writing, but will rewrite my policy based
>> on the domain transfer suggestion and report back once I have
>> something working.
>>
>
> Here is the policy I cooked up:
>
> <policy>
> policy_module(mydhcp,1.0.0)
>
> ########################################
> #
> # Declarations
> #
> require {
>     type dhcpc_t;
>     type insmod_t;
>     type iptables_t;
>     class rawip_socket { read write };
> }
>
> iptables_domtrans(dhcpc_t)
>
> #============= insmod_t ==============
> allow insmod_t iptables_t:rawip_socket { read write };
> </policy>
>
> Not sure if it would be best to transfer iptables_t to modutils here?
>
> -Tim
>

This looks like iptables is leaking a file descriptor, and the kernel is checking if insmod_t has access to it. It does not, so the kernel closes it and replaces it with /dev/null. So this is not going to affect your code, but it should be reported as a bug in iptables. fcntl(fd, F_SETFD, FD_CLOEXEC) should be called on open file descriptors before fork/exec.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
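As an added example (not code from the thread or from iptables), the fix the reply recommends: mark an inherited descriptor close-on-exec with fcntl(F_SETFD, FD_CLOEXEC) before any fork/exec, and check the flag so the leak can be verified. It uses /dev/null as a stand-in for the raw IP socket iptables opens.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Set FD_CLOEXEC on fd without clobbering other descriptor flags.
 * Returns 0 on success, -1 on error (errno set by fcntl). */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    if (flags & FD_CLOEXEC)
        return 0;               /* already set, nothing to do */
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/* 1 if fd would be inherited by an exec'd helper (the leak the thread
 * describes), 0 if the kernel will close it on execve, -1 on error. */
int fd_inherited_on_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Open a descriptor the way a tool would (no O_CLOEXEC), show that it
 * would leak, then fix it before the point where a helper such as
 * modprobe would be forked. /dev/null stands in for the raw socket.
 * Returns 0 when the leak is confirmed and then closed, -1 otherwise. */
int demo(void)
{
    int fd = open("/dev/null", O_RDWR);
    if (fd == -1)
        return -1;
    int before = fd_inherited_on_exec(fd);   /* expect 1: leaks */
    int rc = set_cloexec(fd);
    int after = fd_inherited_on_exec(fd);    /* expect 0: closed on exec */
    close(fd);
    return (rc == 0 && before == 1 && after == 0) ? 0 : -1;
}

int main(void)
{
    int rc = demo();
    printf("descriptor leak across exec fixed: %s\n", rc == 0 ? "yes" : "no");
    return rc == 0 ? 0 : 1;
}
```

On current kernels the same result is obtained atomically with O_CLOEXEC / SOCK_CLOEXEC at open or socket time, which avoids a window between open and fcntl in threaded programs.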