
List:       linux-ha-dev
Subject:    Re: [Linux-ha-dev] Re: Bug#420637: heartbeat-2: File descriptor leak?
From:       Dejan Muhamedagic <dejanmm () fastmail ! fm>
Date:       2007-04-26 14:34:54
Message-ID: 20070426143454.GB12616 () bork ! homenet

Hi,

On Thu, Apr 26, 2007 at 11:14:46AM +0900, Simon Horman wrote:
> On Tue, Apr 24, 2007 at 09:51:45AM +0900, Simon Horman wrote:
> > forwarded 420637 linux-ha-dev@linux-ha.org
> > thanks
> > 
> > On Mon, Apr 23, 2007 at 07:28:53PM +0200, Erich Schubert wrote:
> > > Package: heartbeat-2
> > > Version: 2.0.7-2
> > > Severity: normal
> > > 
> > > It seems that heartbeat-2 leaks a file descriptor to its child
> > > processes. From the SELinux audit log:
> > > 
> > > avc:  denied  { read } for  pid=2403 comm="ip" name="heartbeat.pid"
> > > dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ifconfig_t:s0
> > > tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> > > 
> > > avc:  denied  { read } for  pid=3210 comm="rndc" name="heartbeat.pid"
> > > dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ndc_t:s0
> > > tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> > > 
> > > avc:  denied  { read } for  pid=3303 comm="openvpn" name="heartbeat.pid"
> > > dev=ida/c0d0p5 ino=86181 scontext=root:system_r:openvpn_t:s0
> > > tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

I don't speak SELinux: comm= denotes a program? I suppose that ip
is from IPaddr2 then. Do you have openvpn and bind in your
heartbeat config? Perhaps you could also post your heartbeat
configuration (ha.cf and haresources/cib.xml).

Thanks.


> > > 
> > > The best explanation for these errors I have is that a file descriptor
> > > (such as STDIN) of these processes points to the heartbeat.pid file.
> > > I haven't verified it in the heartbeat-2 code yet. It's not very likely
> > > that this is exploitable; the heartbeat scripts are started with root
> > > privileges anyway. But in theory it could be possible to trick one of
> > > these scripts into writing a different PID into the pidfile maybe?
> > 
> > Hi Eric,
> > 
> > that does indeed look like a bit of a problem. Thanks for reporting it.
> > Hopefully it isn't too hard to track down and fix.
> > 
> > I'm CCing the linux-ha-dev list so their eyes pass over this problem.
> 
> Re CCing, as I used the wrong address the first time around.
> 
> -- 
> Horms
>   H: http://www.vergenet.net/~horms/
>   W: http://www.valinux.co.jp/en/
> 
> _______________________________________________________
> Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org
> http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
> Home Page: http://linux-ha.org/

-- 
Dejan
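The mechanism Erich describes, a descriptor opened by the daemon and silently inherited across fork()/execve() by every resource script it runs, together with the standard fix (O_CLOEXEC at open time, or FD_CLOEXEC retrofitted with fcntl), shown as an added example in C. This is not heartbeat's code and not part of the thread; the pid file path is a constructed temporary file, and /bin/sh is used only as a probe that reports whether an exec'd child can still reach the descriptor.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open (creating if needed) a pid file. With cloexec != 0 the descriptor is
 * opened O_CLOEXEC, so execve() closes it in any child the daemon spawns. */
int open_pidfile(const char *path, int cloexec)
{
    int flags = O_RDWR | O_CREAT | (cloexec ? O_CLOEXEC : 0);
    return open(path, flags, 0600);
}

/* Retrofit fix for a descriptor that was opened without O_CLOEXEC.
 * Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int fl = fcntl(fd, F_GETFD);
    if (fl < 0)
        return -1;
    return fcntl(fd, F_SETFD, fl | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Audit predicate: 1 if fd would survive execve(), 0 if it is
 * close-on-exec or not open at all. */
int fd_inheritable(int fd)
{
    int fl = fcntl(fd, F_GETFD);
    return fl >= 0 && !(fl & FD_CLOEXEC);
}

/* Count descriptors from lowfd upward that a child would inherit; a daemon
 * can call this with lowfd = 3 before spawning scripts to spot leaks. */
int count_inheritable(int lowfd)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    int n = 0;
    if (maxfd < 0)
        maxfd = 1024;
    for (int fd = lowfd; fd < maxfd; fd++)
        n += fd_inheritable(fd);
    return n;
}

/* Empirical check: fork, exec /bin/sh and ask it to dup the descriptor.
 * The dup succeeds (exit 0) only if the child really inherited it. */
int child_inherits(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null 9>&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Scenario: open a pid file the given way, optionally apply the retrofit
 * fix, then report whether an exec'd child still sees the descriptor. */
int leaks_to_child(int open_cloexec, int retrofit)
{
    char path[] = "/tmp/pidfile-demo-XXXXXX"; /* constructed path, not heartbeat's */
    int tmp = mkstemp(path);
    if (tmp < 0)
        return -1;
    close(tmp);
    int fd = open_pidfile(path, open_cloexec);
    if (fd < 0) {
        unlink(path);
        return -1;
    }
    if (retrofit)
        set_cloexec(fd);
    int leaked = child_inherits(fd);
    close(fd);
    unlink(path);
    return leaked;
}

int main(void)
{
    printf("plain open:          leaks=%d\n", leaks_to_child(0, 0));
    printf("O_CLOEXEC at open:   leaks=%d\n", leaks_to_child(1, 0));
    printf("FD_CLOEXEC retrofit: leaks=%d\n", leaks_to_child(0, 1));
    return 0;
}
```

The SELinux AVC denials quoted above are the symptom of the first case: the child (ip, rndc, openvpn) carries a descriptor to heartbeat.pid it never asked for, and the policy for its domain rightly refuses the access. Either of the other two cases removes the descriptor at execve() time, so the child cannot read or rewrite the pid file no matter what it is tricked into doing.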