From: Doug Ledford <dledford@redhat.com>
When running with SELinux enabled and using mdadm to monitor devices,
attempts to send emails to an admin will be blocked because mdadm is
holding open /proc/mdstat without setting the FD_CLOEXEC flag. As a
result, sendmail has an open descriptor to /proc/mdstat after the
popen() call, which SELinux decides isn't really any of sendmail's
business and so sendmail gets denied.
*/ st->err=1;
continue;
}
+ fcntl(fd, F_SETFD, FD_CLOEXEC);
if (ioctl(fd, GET_ARRAY_INFO, &array)<0) {
if (!st->err)
alert("DeviceDisappeared", dev, NULL,
f = fopen("/proc/mdstat", "r");
if (f == NULL)
return NULL;
+ else
+ fcntl(fileno(f), F_SETFD, FD_CLOEXEC);
all = NULL;
end = &all;
end = &ent->next;
}
}
- if (hold && mdstat_fd == -1)
+ if (hold && mdstat_fd == -1) {
mdstat_fd = dup(fileno(f));
+ fcntl(mdstat_fd, F_SETFD, FD_CLOEXEC);
+ }
fclose(f);
/* If we might want to start array,