author | Doug Ledford <dledford@redhat.com> | 2007-07-09 01:59:54 +0200 |
---|---|---|
committer | Neil Brown <neilb@suse.de> | 2007-07-09 01:59:54 +0200 |
commit | e4dc510628a8c2d7b92c8ed537987716175a23a2 (patch) | |
tree | 079411e5d3d0226bd440a8d6ddc3b3593a511d71 /mdstat.c | |
parent | Improve error message when trying to create an array that already exists. (diff) | |
Mark some files FD_CLOEXEC to protect sendmail from them.
From: Doug Ledford <dledford@redhat.com>
When running with SELinux enabled and using mdadm to monitor devices,
attempts to send emails to an admin will be blocked because mdadm is
holding open /proc/mdstat without setting the FD_CLOEXEC flag. As a
result, sendmail has an open descriptor to /proc/mdstat after the
popen() call, which SELinux decides isn't really any of sendmail's
business and so sendmail gets denied.
Diffstat (limited to 'mdstat.c')
-rw-r--r-- | mdstat.c | 6 |
1 files changed, 5 insertions, 1 deletions
@@ -114,6 +114,8 @@ struct mdstat_ent *mdstat_read(int hold, int start) f = fopen("/proc/mdstat", "r"); if (f == NULL) return NULL; + else + fcntl(fileno(f), F_SETFD, FD_CLOEXEC); all = NULL; end = &all; @@ -221,8 +223,10 @@ struct mdstat_ent *mdstat_read(int hold, int start) end = &ent->next; } } - if (hold && mdstat_fd == -1) + if (hold && mdstat_fd == -1) { mdstat_fd = dup(fileno(f)); + fcntl(mdstat_fd, F_SETFD, FD_CLOEXEC); + } fclose(f); /* If we might want to start array, |
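Review bot: in the first hunk (right after the fopen() of /proc/mdstat), the return value of fcntl() is ignored, so if setting FD_CLOEXEC fails the descriptor still leaks into the popen() child and the SELinux denial described in the commit message returns with no indication why. Check the result and at least report the failure. The `else` after `return NULL;` is also redundant; an unconditional `fcntl(fileno(f), F_SETFD, FD_CLOEXEC);` following the if reads more cleanly. The diffstat's 5 insertions are all accounted for by the two hunks, so no #include was added by this patch: confirm that <fcntl.h> is already pulled in for mdstat.c.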
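Review bot: in the second hunk (the `hold && mdstat_fd == -1` branch), the result of dup() is passed to fcntl() without being checked: if dup() fails, mdstat_fd is -1 and `fcntl(mdstat_fd, F_SETFD, FD_CLOEXEC);` fails with EBADF unnoticed. Guard the call with `if (mdstat_fd >= 0)` and check fcntl's return value as well. A one-line comment noting that a descriptor returned by dup() does not carry FD_CLOEXEC over from the original would explain why the flag is set again here after already being set on fileno(f).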