Otherwise the fd will leak to subprocesses (e.g. modprobe). That's mostly benign, but it may trigger an SELinux denial when the modprobe process transitions to another domain. Fixes: 8b5594d7c21f ("add logic to support the --concurrent option: use a file lock to support concurrent scripts running ebtables") Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> --- libebtc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libebtc.c b/libebtc.c index 2a9ab87..1b058ef 100644 --- a/libebtc.c +++ b/libebtc.c @@ -144,7 +144,7 @@ static int lock_file() int fd, try = 0; retry: - fd = open(LOCKFILE, O_CREAT, 00600); + fd = open(LOCKFILE, O_CREAT|O_CLOEXEC, 00600); if (fd < 0) { if (try == 1 || mkdir(dirname(pathbuf), 00700)) return -2; -- 2.29.2
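Review bot: In lock_file(), the changed open() call still passes no explicit access mode next to O_CREAT|O_CLOEXEC, so it opens read-only only because O_RDONLY happens to be 0. Since this line is being touched anyway, consider writing it as open(LOCKFILE, O_RDONLY|O_CREAT|O_CLOEXEC, 00600) so the intent is visible. Setting the flag at open() time rather than with a later fcntl(FD_CLOEXEC) is the right choice, as it leaves no window in which a fork and exec could inherit the descriptor, and because the flag sits on the single open() under the retry label it covers both attempts. O_CLOEXEC needs Linux 2.6.23 or later and a libc that exposes it, so it is worth confirming that libebtc.c still builds on the oldest toolchain the project supports. The commit message could also say that the descriptor is the lock file fd, which the hunk shows but the text only calls "the fd".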