List: selinux
Subject: run_init patch
From: Chris PeBenito <pebenito () gentoo ! org>
Date: 2003-09-20 16:36:17
Here is a patch for policycoreutils (against 1.1) which closes the file
descriptor in run_init on successfully getting the context out of
/etc/security/initrc_context. It is closed on a failed read, but was
missing on the successful read.
This prevents a denial similar to:
avc: denied { use } for pid=13041 exe=/usr/sbin/smbd
path=/etc/security/initrc_context dev=03:03 ino=722489
scontext=system_u:system_r:smbd_t tcontext=pebenito:sysadm_r:run_init_t
tclass=fd
--
Chris PeBenito
<pebenito@gentoo.org>
Developer, SELinux
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
[Attachment: policycoreutils-1.1-close_init_fp.diff]
diff -urN policycoreutils-1.1.orig/run_init/run_init.c policycoreutils-1.1/run_init/run_init.c
--- policycoreutils-1.1.orig/run_init/run_init.c 2003-06-02 15:23:07.000000000 -0500
+++ policycoreutils-1.1/run_init/run_init.c 2003-09-20 11:21:44.000000000 -0500
@@ -288,6 +288,7 @@
*context = strdup(bufp);
if (!(*context))
goto out;
+ fclose(fp);
return 0;
}
}
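Review bot: the added fclose(fp) sits after `if (!(*context)) goto out;`, so the strdup-failure branch still relies on the `out:` label (outside this hunk) to close fp; if `out:` only tidies up and returns, that branch keeps the original leak. Placing the fclose(fp) immediately before the `if (!(*context))` check, or closing at `out:` and letting the success path fall through to it, would cover both paths with a single close.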
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
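The descriptor leak described in the message, as an added example in C that is not part of the patch or of policycoreutils: a hypothetical get_init_context() that closes the FILE* on every path, the same routine carrying the original defect (success path returns without fclose) beside it, and a check that measures whether a call left a descriptor open. The check relies on POSIX allocating the lowest unused descriptor number, so it needs no /proc; it assumes /tmp is writable for the constructed sample file, and the file contents and function names are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical reader for an initrc_context-style file. Every failure after
 * fopen() jumps to `out`, and the success path falls through to it as well,
 * so the FILE* is closed exactly once whatever happens. Returns 0 on success. */
int get_init_context(const char *path, char **context)
{
    FILE *fp;
    char buf[256];
    char *bufp;
    int rc = -1;

    *context = NULL;
    fp = fopen(path, "r");
    if (!fp)
        return -1;
    if (!fgets(buf, sizeof(buf), fp))
        goto out;
    buf[strcspn(buf, "\n")] = '\0';             /* drop trailing newline */
    for (bufp = buf; *bufp == ' ' || *bufp == '\t'; bufp++)
        ;                                       /* skip leading whitespace */
    if (!*bufp)
        goto out;                               /* empty line: no context */
    *context = strdup(bufp);
    if (!*context)
        goto out;
    rc = 0;
out:
    fclose(fp);
    return rc;
}

/* Same logic with the defect the patch fixes: the failed-read path closes fp,
 * but the successful path returns first, leaving the descriptor open for any
 * program exec'd later (which is what the fd:use denial reports). */
int get_init_context_leaky(const char *path, char **context)
{
    FILE *fp = fopen(path, "r");
    char buf[256];

    *context = NULL;
    if (!fp)
        return -1;
    if (!fgets(buf, sizeof(buf), fp)) {
        fclose(fp);                             /* failed read: closed */
        return -1;
    }
    buf[strcspn(buf, "\n")] = '\0';
    *context = strdup(buf);
    if (!*context) {
        fclose(fp);
        return -1;
    }
    return 0;                                   /* BUG: fp never closed here */
}

/* POSIX returns the lowest unused descriptor, so opening and closing /dev/null
 * reveals the current "high-water mark": a leaked descriptor raises it by one. */
int lowest_free_fd(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return -1;
    close(fd);
    return fd;
}

/* Run `reader` on `path` and report how many descriptors it left open. */
int leaked_fds(int (*reader)(const char *, char **), const char *path)
{
    char *ctx = NULL;
    int before = lowest_free_fd();
    reader(path, &ctx);
    int after = lowest_free_fd();
    free(ctx);
    return after - before;
}

/* Write a constructed initrc_context-style file under /tmp; returns its path. */
const char *write_sample_context(const char *ctx)
{
    static char path[64];
    strcpy(path, "/tmp/initrc_context.XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0)
        return NULL;
    FILE *f = fdopen(fd, "w");
    if (!f) {
        close(fd);
        return NULL;
    }
    fprintf(f, "%s\n", ctx);
    fclose(f);
    return path;
}

int main(void)
{
    const char *p = write_sample_context("system_u:system_r:initrc_t");
    char *ctx = NULL;
    if (!p)
        return 1;
    printf("fixed reader leaked %d fd(s)\n", leaked_fds(get_init_context, p));
    printf("leaky reader leaked %d fd(s)\n", leaked_fds(get_init_context_leaky, p));
    if (get_init_context(p, &ctx) == 0) {
        printf("context: %s\n", ctx);
        free(ctx);
    }
    unlink(p);
    return 0;
}
```

The single-exit-label shape is the point: once every path after fopen() reaches `out:`, adding a new early return later cannot reintroduce the leak. The lowest-free-fd trick is a cheap regression check for this class of bug in any program that later calls exec.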