From e4dc510628a8c2d7b92c8ed537987716175a23a2 Mon Sep 17 00:00:00 2001
From: Doug Ledford
Date: Mon, 9 Jul 2007 09:59:54 +1000
Subject: [PATCH] Mark some files FD_CLOEXEC to protect sendmail from them.

From: Doug Ledford

When running with SELinux enabled and using mdadm to monitor devices, attempts to send emails to an admin will be blocked because mdadm is holding open /proc/mdstat without setting the FD_CLOEXEC flag. As a result, sendmail has an open descriptor to /proc/mdstat after the popen() call, which SELinux decides isn't really any of sendmail's business and so sendmail gets denied.
---
 Monitor.c | 1 +
 mdstat.c | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Monitor.c b/Monitor.c
index 92936374..79a88a7d 100644
--- a/Monitor.c
+++ b/Monitor.c
@@ -234,6 +234,7 @@ int Monitor(mddev_dev_t devlist,
 */ st->err=1;
 continue;
 }
+ fcntl(fd, F_SETFD, FD_CLOEXEC);
 if (ioctl(fd, GET_ARRAY_INFO, &array)<0) {
 if (!st->err)
 alert("DeviceDisappeared", dev, NULL,
diff --git a/mdstat.c b/mdstat.c
index de31acbf..335e1e58 100644
--- a/mdstat.c
+++ b/mdstat.c
@@ -114,6 +114,8 @@ struct mdstat_ent *mdstat_read(int hold, int start)
 f = fopen("/proc/mdstat", "r");
 if (f == NULL)
 return NULL;
+ else
+ fcntl(fileno(f), F_SETFD, FD_CLOEXEC);
 
 all = NULL;
 end = &all;
@@ -221,8 +223,10 @@ struct mdstat_ent *mdstat_read(int hold, int start)
 end = &ent->next;
 }
 }
- if (hold && mdstat_fd == -1)
+ if (hold && mdstat_fd == -1) {
 mdstat_fd = dup(fileno(f));
+ fcntl(mdstat_fd, F_SETFD, FD_CLOEXEC);
+ }
 fclose(f);
 
 /* If we might want to start array,
-- 
2.39.2
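Review bot: The return of the added `fcntl(fd, F_SETFD, FD_CLOEXEC);` is not checked, and because the flag is applied after the descriptor was opened there is a window between the open (outside this hunk) and this line in which a concurrent fork()/exec() would still inherit fd; if nothing in this process forks from another thread the window is theoretical, but where open() accepts O_CLOEXEC, passing it at open time removes both the window and the extra call. The same unchecked-return pattern appears in both mdstat.c hunks. At minimum a one-line comment should say why the flag is set here, e.g. `/* keep the device fd out of anything alert() pops open */`. Monitor() starts and ends outside the hunk.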
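Review bot: The `else` added after `return NULL;` is redundant, since control only reaches the next statement when f is non-NULL, so the two new lines read more simply as `if (f == NULL) return NULL;` followed by `fcntl(fileno(f), F_SETFD, FD_CLOEXEC);` at the same indentation level as the if. A short comment would help the next reader, because nothing in mdstat_read() itself execs: `/* don't let /proc/mdstat leak into children popen()ed elsewhere */`. mdstat_read() continues outside the hunk.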
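Review bot: `dup(fileno(f))` can fail and return -1, in which case the new `fcntl(mdstat_fd, F_SETFD, FD_CLOEXEC);` runs on -1 and fails with EBADF; harmless, but guarding it makes the intent explicit: `if (mdstat_fd >= 0) fcntl(mdstat_fd, F_SETFD, FD_CLOEXEC);`. It is also worth recording why a second fcntl is needed at all — FD_CLOEXEC is a per-descriptor flag, so the duplicate does not inherit it from fileno(f) — e.g. `/* dup() does not copy FD_CLOEXEC; set it on the held fd as well */`. mdstat_read() ends outside the hunk.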