Mark some files FD_CLOEXEC to protect sendmail from them.
From: Doug Ledford <dledford@redhat.com> When running with SELinux enabled and using mdadm to monitor devices, attempts to send emails to an admin will be blocked because mdadm is holding open /proc/mdstat without setting the FD_CLOEXEC flag. As a result, sendmail has an open descriptor to /proc/mdstat after the popen() call, which SELinux decides isn't really any of sendmail's business and so sendmail gets denied.
parent
32e5a4ee4c
commit
e4dc510628
|
@ -234,6 +234,7 @@ int Monitor(mddev_dev_t devlist,
|
|||
*/ st->err=1;
|
||||
continue;
|
||||
}
|
||||
fcntl(fd, F_SETFD, FD_CLOEXEC);
|
||||
if (ioctl(fd, GET_ARRAY_INFO, &array)<0) {
|
||||
if (!st->err)
|
||||
alert("DeviceDisappeared", dev, NULL,
|
||||
|
|
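Review bot: The added `fcntl(fd, F_SETFD, FD_CLOEXEC);` in Monitor() ignores its return value, so if the flag cannot be set the descriptor is still inherited by the popen()'d mailer and nothing reports it. Checking the result, e.g. `if (fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) perror("FD_CLOEXEC");` (or the project's own error reporting), would make that failure visible instead of resurfacing later as an SELinux denial. The open() that produces `fd` is outside this hunk; if the target platforms support it, passing `O_CLOEXEC` there would set the flag atomically and make the separate call unnecessary. It would also help to add a short comment such as `/* keep this fd out of children spawned for alerts */` so the line is not removed later as dead code.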
6
mdstat.c
6
mdstat.c
|
@ -114,6 +114,8 @@ struct mdstat_ent *mdstat_read(int hold, int start)
|
|||
f = fopen("/proc/mdstat", "r");
|
||||
if (f == NULL)
|
||||
return NULL;
|
||||
else
|
||||
fcntl(fileno(f), F_SETFD, FD_CLOEXEC);
|
||||
|
||||
all = NULL;
|
||||
end = &all;
|
||||
|
@ -221,8 +223,10 @@ struct mdstat_ent *mdstat_read(int hold, int start)
|
|||
end = &ent->next;
|
||||
}
|
||||
}
|
||||
if (hold && mdstat_fd == -1)
|
||||
if (hold && mdstat_fd == -1) {
|
||||
mdstat_fd = dup(fileno(f));
|
||||
fcntl(mdstat_fd, F_SETFD, FD_CLOEXEC);
|
||||
}
|
||||
fclose(f);
|
||||
|
||||
/* If we might want to start array,
|
||||
|
|
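Review bot: In the second mdstat_read() hunk, the result of `dup(fileno(f))` is passed straight to `fcntl(mdstat_fd, F_SETFD, FD_CLOEXEC)` with neither call checked. This matters because the held `mdstat_fd` is the long-lived descriptor that the commit message says ends up in sendmail. If dup() fails the fcntl() runs on -1, and if fcntl() fails the descriptor stays inheritable with no indication. Where the platform provides it, `mdstat_fd = fcntl(fileno(f), F_DUPFD_CLOEXEC, 0);` duplicates and sets the flag in one step and leaves a single result to test. The same unchecked pattern appears in the first hunk's `fcntl(fileno(f), F_SETFD, FD_CLOEXEC);`, where the `else` after `return NULL;` is also redundant. mdstat_read() begins and ends outside these hunks, so how `mdstat_fd` is later used or closed is not visible here.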