Opened 11 years ago
Last modified 11 years ago
#10991 closed defect
Avoid log file descriptor leakage — at Initial Version
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Milestone: | 1.0.1 |
| Component: | general | Version: | |
| Severity: | normal | Keywords: | selinux |
| Cc: | bunk@… | Branch: | |
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
When trac is configured to log to a file and sends mail notifications via sendmail, SELinux complains:
type=AVC msg=audit(1356034258.828:30164):
avc: denied { append } for pid=28546 comm="sendmail"
path="/tmp/trac.log" dev=sda1 ino=673386
scontext=system_u:system_r:system_mail_t:s0
tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file
Attached patch against the current trunk revision r11179 sets the FD_CLOEXEC flag on the log file descriptor to avoid leaking it to forked children including sendmail.
More info about fd leaks and SELinux: http://danwalsh.livejournal.com/53603.html
Note:
See TracTickets
for help on using tickets.
