Hi Maciej, On Wed, Mar 21, 2012 at 01:50:59PM -0700, Maciej Żenczykowski wrote: > > True, but CLOEXEC on iptables... I mean... how is it mandatory ? > > I'm not sure what you mean by mandatory. If this patch is needed, I think we have to stick to fcntl for backward compatibility reasons as well. > iptables does potentially fork/exec modprobe to load modules. > That can cause a selinux 'domain'/'role'/whatever-it-is-called crossing. > You can do automated inspection of what gets carried across such > privilege changes and any unexpected open file descriptors flag > problems, patches like this cut down on the noise. Could you resend the patch including the description of the precise problem that this fixes in selinux? IMO, if the patch description would have include since the beginnging why that CLOEXEC is needed, we would have save a couple of emails. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
