AVC denials when using RH Cluster Suite's qdiskd and ping heuristic

Sean E. Millichamp sean at bruenor.org
Wed Sep 3 17:00:45 UTC 2008


On Wed, 2008-09-03 at 12:56 -0400, Daniel J Walsh wrote:

> Sean E. Millichamp wrote:
> > These messages are because qdiskd doesn't properly clean up its file
> > descriptors before forking and execing ping.  I will clean up my
> > findings and submit a patch/open a bug report against qdisk.

> Great, I was just about to suggest this.  Whenever you see something
> bizarre like ping trying to read/write raw disks, I think of leaked file
> descriptors or redirection of stdout.

It turns out qdiskd was (is) leaking a number of file descriptors to its
forked heuristics - and not always predictably because of the threading
qdiskd uses.  It would have been a very hard bug to spot if not for
SELinux - mark a win for security!

For those interested, the qdisk bug report against RHEL 5 (with suggested
patches) is here: https://bugzilla.redhat.com/show_bug.cgi?id=460645

Sean
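
The descriptor cleanup between fork and exec discussed above, as an added example that is not part of the original post and is not qdiskd's code or the patch in the bug report. The function names are hypothetical, /dev/null stands in for the quorum disk, and a shell one-liner stands in for ping so the exec'd program can report whether it received the parent's descriptor.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Close every descriptor >= lowfd. Call in the child between fork() and exec(). */
static void close_from(int lowfd)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536) max = 65536;  /* demo cap on the scan */
    for (int fd = lowfd; fd < max; fd++)
        close(fd);                            /* EBADF on unused slots is ignored */
}

/* Fork and exec argv as a heuristic; returns its exit status, -1 on failure. */
int run_heuristic(char *const argv[], int clean_fds)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (clean_fds) close_from(STDERR_FILENO + 1);  /* keep only 0, 1, 2 */
        execvp(argv[0], argv);
        _exit(127);                                    /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* 1 if a descriptor opened by the parent is usable after exec, 0 if not. */
int fd_leaks_to_child(int clean_fds)
{
    char sh[] = "sh", opt[] = "-c", script[64];
    int fd = open("/dev/null", O_RDWR);  /* constructed stand-in for the quorum disk */
    if (fd > 9) { close(fd); fd = -1; }  /* sh redirections take single-digit fds */
    if (fd < 0) return -1;
    snprintf(script, sizeof script, "exec 2>/dev/null; true <&%d", fd);
    char *argv[] = { sh, opt, script, NULL };
    int rc = run_heuristic(argv, clean_fds);  /* the shell stands in for ping */
    close(fd);
    return (rc < 0 || rc == 127) ? -1 : rc == 0;
}

int main(void)
{
    printf("leaked without cleanup: %d, with cleanup: %d\n",
           fd_leaks_to_child(0), fd_leaks_to_child(1));
    return 0;
}
```

Opening descriptors with O_CLOEXEC is the complementary fix on the parent side, and it also covers descriptors opened by other threads between the fork and the cleanup decision.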




