Opened 11 years ago
Last modified 11 years ago
#10991 closed defect
Avoid log file descriptor leakage — at Initial Version
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 1.0.1 |
| Component: | general | Version: | |
| Severity: | normal | Keywords: | selinux |
| Cc: | bunk@… | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
When trac is configured to log to a file and sends mail notifications via sendmail, SELinux complains:
```
type=AVC msg=audit(1356034258.828:30164): avc: denied { append } for pid=28546 comm="sendmail" path="/tmp/trac.log" dev=sda1 ino=673386 scontext=system_u:system_r:system_mail_t:s0 tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file
```
Attached patch against the current trunk revision r11179 sets the FD_CLOEXEC flag on the log file descriptor to avoid leaking it to forked children including sendmail.
More info about fd leaks and SELinux: http://danwalsh.livejournal.com/53603.html
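
The leak and the FD_CLOEXEC fix described in this ticket, as an added example that is not the attached patch or Trac's own code: it opens a log file through `logging.FileHandler`, spawns a child, and checks whether the child still holds the log descriptor before and after the flag is set. The helper names (`child_sees_fd`, `set_cloexec`, `demo`) and the temporary log path are assumptions made for illustration; since Python 3.4 opens files non-inheritable by default (PEP 446), the example re-enables inheritance first to reproduce the behaviour reported here.

```python
import fcntl
import logging
import os
import subprocess
import sys
import tempfile

# Child program: exit 0 only if the given fd is open AND refers to the log file.
CHILD = (
    "import os, sys\n"
    "fd, dev, ino = map(int, sys.argv[1:4])\n"
    "try:\n"
    "    st = os.fstat(fd)\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
    "sys.exit(0 if (st.st_dev, st.st_ino) == (dev, ino) else 1)\n"
)

def child_sees_fd(fd):
    """Exec a child without closing fds; report whether it inherited fd."""
    st = os.fstat(fd)
    args = [sys.executable, "-c", CHILD, str(fd), str(st.st_dev), str(st.st_ino)]
    return subprocess.call(args, close_fds=False) == 0

def set_cloexec(fd):
    """Set FD_CLOEXEC while preserving any other descriptor flags."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)

def demo():
    """Return (leaked_before_fix, leaked_after_fix) for a log file handler."""
    path = os.path.join(tempfile.mkdtemp(), "trac.log")  # constructed path
    handler = logging.FileHandler(path)
    fd = handler.stream.fileno()
    os.set_inheritable(fd, True)      # emulate pre-PEP 446 inheritable fds
    leaked_before = child_sees_fd(fd)
    set_cloexec(fd)                   # the mitigation the ticket describes
    leaked_after = child_sees_fd(fd)
    handler.close()
    return leaked_before, leaked_after

if __name__ == "__main__":
    print(demo())
```

The same `child_sees_fd` check can serve as a regression test for any code path that opens a file and later executes an external program such as a mailer.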