authorDoug Ledford <dledford@redhat.com>2007-07-09 09:59:54 +1000
committerNeil Brown <neilb@suse.de>2007-07-09 09:59:54 +1000
commite4dc510628a8c2d7b92c8ed537987716175a23a2 (patch)
tree079411e5d3d0226bd440a8d6ddc3b3593a511d71 /mdstat.c
parent32e5a4ee4c7a310c67faa7d1301af2ae6d75e884 (diff)
Mark some files FD_CLOEXEC to protect sendmail from them.
From: Doug Ledford <dledford@redhat.com> When running with SELinux enabled and using mdadm to monitor devices, attempts to send emails to an admin will be blocked because mdadm is holding open /proc/mdstat without setting the FD_CLOEXEC flag. As a result, sendmail has an open descriptor to /proc/mdstat after the popen() call, which SELinux decides isn't really any of sendmail's business and so sendmail gets denied.
Diffstat (limited to 'mdstat.c')
-rw-r--r--mdstat.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/mdstat.c b/mdstat.c
index de31acbf..335e1e58 100644
--- a/mdstat.c
+++ b/mdstat.c
@@ -114,6 +114,8 @@ struct mdstat_ent *mdstat_read(int hold, int start)
f = fopen("/proc/mdstat", "r");
if (f == NULL)
return NULL;
+ else
+ fcntl(fileno(f), F_SETFD, FD_CLOEXEC);
all = NULL;
end = &all;
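Review bot: The return value of the added `fcntl(fileno(f), F_SETFD, FD_CLOEXEC)` is ignored, so if the call fails the /proc/mdstat descriptor is still inherited by the child that popen() starts, which is the case the commit description sets out to prevent. Testing the result and reporting it, for example `if (fcntl(fileno(f), F_SETFD, FD_CLOEXEC) < 0) perror("mdstat: FD_CLOEXEC");` (adapted to the project's own error reporting), would make the failure visible instead of silently restoring the leak. The `else` is redundant because the preceding branch returns. The same unchecked call is added in the second hunk, on `mdstat_fd`; the body of mdstat_read starts and ends outside this hunk.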
@@ -221,8 +223,10 @@ struct mdstat_ent *mdstat_read(int hold, int start)
end = &ent->next;
}
}
- if (hold && mdstat_fd == -1)
+ if (hold && mdstat_fd == -1) {
mdstat_fd = dup(fileno(f));
+ fcntl(mdstat_fd, F_SETFD, FD_CLOEXEC);
+ }
fclose(f);
/* If we might want to start array,
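Review bot: `dup(fileno(f))` is not checked before its result is handed to `fcntl`, and the duplicated descriptor exists without close-on-exec between the two calls. Where the platform provides it, `mdstat_fd = fcntl(fileno(f), F_DUPFD_CLOEXEC, 0);` duplicates and sets the flag in a single call, leaving one return value to test. The gap presumably only matters if something else can fork between the two calls, which cannot be judged from this hunk. The enclosing function continues past the end of the hunk.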