
List:       selinux
Subject:    run_init patch
From:       Chris PeBenito <pebenito () gentoo ! org>
Date:       2003-09-20 16:36:17

Here is a patch for policycoreutils (against 1.1) which closes the file
descriptor in run_init on successfully getting the context out of
/etc/security/initrc_context.  It is closed on a failed read, but was
missing on the successful read.

This prevents a denial similar to:
avc:  denied  { use } for  pid=13041 exe=/usr/sbin/smbd
path=/etc/security/initrc_context dev=03:03 ino=722489
scontext=system_u:system_r:smbd_t tcontext=pebenito:sysadm_r:run_init_t
tclass=fd

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer, SELinux
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243

["policycoreutils-1.1-close_init_fp.diff" (policycoreutils-1.1-close_init_fp.diff)]

diff -urN policycoreutils-1.1.orig/run_init/run_init.c policycoreutils-1.1/run_init/run_init.c
--- policycoreutils-1.1.orig/run_init/run_init.c	2003-06-02 15:23:07.000000000 -0500
+++ policycoreutils-1.1/run_init/run_init.c	2003-09-20 11:21:44.000000000 -0500
@@ -288,6 +288,7 @@
       *context = strdup(bufp);
       if (!(*context))
 	goto out;
+      fclose(fp);
       return 0;
     }
   }
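Review bot: the new `fclose(fp)` covers only the `return 0` path; the `goto out` taken when `strdup` fails still leaves the stream open unless the `out:` label closes it, which this hunk does not show. If `out:` does not close it, move `fclose(fp);` above `if (!(*context))` (after `strdup` has already copied `bufp`) so a single close serves both exits, or add the close at `out:`.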

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
