Trying SELinux again on CentOS 5.1 - not quite HOPELESS
Robert Nichols
rnicholsNOSPAM at comcast.net
Wed Mar 5 01:52:26 UTC 2008
Daniel J Walsh wrote:
> Robert Nichols wrote:
>> That still leaves the 2nd AVC, path="socket[63191]".
>> I have no idea what that socket is for. OK, I just ran an strace on
>> grephistory, and the only socket it uses is to /dev/log. What, innd_t
>> isn't allowed to talk to syslogd?!?!?
>>
> NO this is a leaked file descriptor. You have a process running
> unconfined_t that is transitioning to innd_t and leaking an open file
> descriptor to innd_t. Without SELinux innd_t would be able to
> communicate on this open tcp_socket. SELinux closes the descriptor and
> reports the AVC.
Good call. The socket to the upstream news server was indeed being
leaked. I'll set the close-on-exec flag on its file descriptor.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
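As an added illustration (not code from this thread or from INN), here is how a parent process can audit for the kind of leak Dan describes and apply the fix Bob mentions: a small C helper that reports which descriptors lack FD_CLOEXEC, and so would be inherited into the innd_t domain across exec(), and marks one close-on-exec. An AF_UNIX socket stands in for the upstream news-server connection; the maximum descriptor number scanned (1023) is an assumption.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 if fd is marked close-on-exec, 0 if it would survive exec()
   and be inherited by the child domain, -1 if fd is not open. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Mark fd close-on-exec without disturbing any other descriptor flags.
   Returns 0 on success, -1 on error. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Walk descriptors 3..maxfd (skipping stdin/stdout/stderr) and count the
   open ones lacking FD_CLOEXEC: each is a candidate for the leaked
   tcp_socket AVC seen after the unconfined_t -> innd_t transition. */
int count_leakable_fds(int maxfd) {
    int leaks = 0;
    for (int fd = 3; fd <= maxfd; fd++) {
        if (fd_is_cloexec(fd) == 0)   /* open and inheritable */
            leaks++;
        /* -1 means not open; skip it */
    }
    return leaks;
}

int main(void) {
    /* Stand-in for the upstream news-server socket (constructed, AF_UNIX so
       no network is needed). */
    int sock = socket(AF_UNIX, SOCK_STREAM, 0);
    if (sock < 0) { perror("socket"); return 1; }
    printf("before: cloexec=%d leakable=%d\n",
           fd_is_cloexec(sock), count_leakable_fds(1023));
    if (set_cloexec(sock) < 0) { perror("fcntl"); return 1; }
    printf("after:  cloexec=%d leakable=%d\n",
           fd_is_cloexec(sock), count_leakable_fds(1023));
    close(sock);
    return 0;
}
```

Calling count_leakable_fds() just before the exec() that enters innd_t makes the leak visible in the parent's own logs instead of only as an AVC denial.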