On Tue, 2004-08-17 at 07:27, Stephen Smalley wrote:
I've seen udev leaking a descriptor to a Unix datagram socket to its
helper programs, but that is usually labeled udev_t (but would be
kernel_t if you didn't install the udev policy or label udev properly,
so that kernel_t failed to transition to udev_t when running udev).
I've also seen the kernel leaking descriptors to rootfs entries unpacked
from the initramfs to all processes; SELinux stomps on those and resets
them to the null device.
BTW, I don't know whether the udev helper socket inheritance is
intentional (e.g. to collect output from the helper program) or an
accident - I haven't looked at the code.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
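An added example, not from this message or from udev's own code, of the check a helper-side defender would want: enumerate the descriptors a process was started with (anything above stdin/stdout/stderr is a candidate leak from the parent, shown with its /proc link target such as socket:[inode]) and mark a parent's socket close-on-exec so exec'd helpers never inherit it. The function names and the Unix datagram socket pair are constructed for illustration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* Walk /proc/self/fd and report every descriptor above 2 (excluding the
 * directory handle used for the walk). Returns the count, or -1 if /proc
 * is unavailable. Each hit is printed with its link target, so a leaked
 * datagram socket shows up as "socket:[<inode>]". */
int audit_inherited_fds(void)
{
    DIR *d = opendir("/proc/self/fd");
    if (!d)
        return -1;
    int walk_fd = dirfd(d), n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);
        if (*end != '\0' || fd <= 2 || fd == walk_fd)
            continue;               /* skip ".", "..", std fds, our DIR */
        char path[64], target[256];
        snprintf(path, sizeof path, "/proc/self/fd/%ld", fd);
        ssize_t len = readlink(path, target, sizeof target - 1);
        target[len > 0 ? len : 0] = '\0';
        fprintf(stderr, "inherited fd %ld -> %s\n", fd, target);
        n++;
    }
    closedir(d);
    return n;
}

/* Set FD_CLOEXEC on a descriptor the parent keeps for itself, so helper
 * programs started via exec() do not inherit it. Returns 1 if the flag
 * is set afterwards, 0 on failure. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0)
        return 0;
    return (fcntl(fd, F_GETFD) & FD_CLOEXEC) != 0;
}
```

Calling audit_inherited_fds() first thing in a helper shows exactly which descriptors (sockets, initramfs files) the parent or kernel handed over; set_cloexec() on the parent's side is what prevents the socket leak in the first place.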