[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Trying SELinux again on CentOS 5.1 - not quite HOPELESS



Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert Nichols wrote:

That still leaves the 2nd AVC, path="socket[63191]".
I have no idea what that socket is for.  OK, I just ran an strace on
grephistory, and the only socket it uses is to /dev/log.  What, innd_t
isn't allowed to talk to syslogd?!?!?

NO, this is a leaked file descriptor.  You have a process running
unconfined_t that is transitioning to innd_t and leaking an open file
descriptor to innd_t.  Without SELinux innd_t would be able to
communicate on this open tcp_socket.  SELinux closes the descriptor and
reports the AVC.

Good call.  The socket to the upstream news server was indeed being
leaked.  I'll set the close-on-exec flag on its file descriptor.

--
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
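An added example, not code from this thread or from INN: it shows the close-on-exec fix Bob describes and a way to confirm it, so the open socket of the unconfined parent no longer reaches the innd_t child at exec time. A constructed AF_UNIX socketpair stands in for the upstream-news-server connection; the survival check reads /proc/self/fd and is therefore Linux-specific (everything else is plain POSIX).

```c
/* Added example (not from the thread or from INN): mark a socket FD_CLOEXEC
 * and verify that an exec'd child no longer inherits it.
 * The socketpair below is a constructed stand-in for the leaked upstream
 * news-server socket; fd_survives_exec() relies on Linux's /proc/self/fd. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if fd has FD_CLOEXEC set, 0 if not, -1 on error. */
int is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Set FD_CLOEXEC on fd, preserving any other descriptor flags.
 * Returns 0 on success, -1 on error. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    if (flags & FD_CLOEXEC) return 0;      /* already set, nothing to do */
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec a minimal child (sh) that reports whether `fd` is still
 * open after exec by testing for its /proc/self/fd entry (Linux only).
 * Returns 1 if the child inherited fd, 0 if exec closed it, -1 on error. */
int fd_survives_exec(int fd) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, "[ -L /proc/self/fd/%d ]", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)0);
        _exit(127);                        /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    if (code == 0) return 1;               /* entry present: fd leaked */
    if (code == 1) return 0;               /* entry absent: fd closed at exec */
    return -1;                             /* sh itself failed */
}

/* Run the whole scenario on a constructed socketpair: observe the leak,
 * apply the fix, confirm the leak is gone. Returns 0 on that outcome. */
int demo_leak_and_fix(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    int leaked = fd_survives_exec(sv[0]);  /* expected 1: child inherits it */
    int fix_rc = set_cloexec(sv[0]);
    int fixed  = fd_survives_exec(sv[0]);  /* expected 0: closed at exec */
    close(sv[0]);
    close(sv[1]);
    if (fix_rc == -1) return -1;
    return (leaked == 1 && fixed == 0) ? 0 : -1;
}

int main(void) {
    int rc = demo_leak_and_fix();
    printf("leak observed before fix and gone after: %s\n",
           rc == 0 ? "yes" : "no");
    return rc == 0 ? 0 : 1;
}
```

Setting the flag right after the descriptor is created is the point: any exec that happens later, including the transition into innd_t, then closes it automatically, and SELinux has no inherited descriptor to deny and log. On systems that support it, passing SOCK_CLOEXEC to socket() at creation removes even the small window between socket() and fcntl().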
