Mark some files FD_CLOEXEC to protect sendmail from them.

From: Doug Ledford <dledford@redhat.com>

When running with SELinux enabled and using mdadm to monitor devices,
attempts to send emails to an admin will be blocked because mdadm is
holding open /proc/mdstat without setting the FD_CLOEXEC flag.  As a
result, sendmail has an open descriptor to /proc/mdstat after the
popen() call, which SELinux decides isn't really any of sendmail's
business and so sendmail gets denied.

diff --git a/Monitor.c b/Monitor.c
index 92936374163a6a5508833d2d4bf6ccfbd3d03700..79a88a7d8feabbad8c64e43ad076cddff63ea552 100644 (file)
--- a/Monitor.c
+++ b/Monitor.c
@@ -234,6 +234,7 @@ int Monitor(mddev_dev_t devlist,
 */                             st->err=1;
                                continue;
                        }
+                       fcntl(fd, F_SETFD, FD_CLOEXEC);
                        if (ioctl(fd, GET_ARRAY_INFO, &array)<0) {
                                if (!st->err)
                                        alert("DeviceDisappeared", dev, NULL,

diff --git a/mdstat.c b/mdstat.c
index de31acbf305ea96c6101857ff1b228ee23eb1719..335e1e58b78aac7b12fb6137e4479db8b0ae928d 100644 (file)
--- a/mdstat.c
+++ b/mdstat.c
@@ -114,6 +114,8 @@ struct mdstat_ent *mdstat_read(int hold, int start)
                f = fopen("/proc/mdstat", "r");
        if (f == NULL)
                return NULL;
+       else
+               fcntl(fileno(f), F_SETFD, FD_CLOEXEC);
 
        all = NULL;
        end = &all;
@@ -221,8 +223,10 @@ struct mdstat_ent *mdstat_read(int hold, int start)
                        end = &ent->next;
                }
        }
-       if (hold && mdstat_fd == -1)
+       if (hold && mdstat_fd == -1) {
                mdstat_fd = dup(fileno(f));
+               fcntl(mdstat_fd, F_SETFD, FD_CLOEXEC);
+       }
        fclose(f);
 
        /* If we might want to start array,