On Tue, Apr 24, 2007 at 09:51:45AM +0900, Simon Horman wrote:
> forwarded 420637 [EMAIL PROTECTED]
> thanks
>
> On Mon, Apr 23, 2007 at 07:28:53PM +0200, Erich Schubert wrote:
> > Package: heartbeat-2
> > Version: 2.0.7-2
> > Severity: normal
> >
> > It seems that heartbeat-2 leaks a file descriptor to it's child
> > processes. From the SELinux audit log:
> >
> > avc: denied { read } for pid=2403 comm="ip" name="heartbeat.pid"
> > dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ifconfig_t:s0
> > tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> >
> > avc: denied { read } for pid=3210 comm="rndc" name="heartbeat.pid"
> > dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ndc_t:s0
> > tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> >
> > avc: denied { read } for pid=3303 comm="openvpn" name="heartbeat.pid"
> > dev=ida/c0d0p5 ino=86181 scontext=root:system_r:openvpn_t:s0
> > tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> >
> > The best explanaition for these errors I have is that a file descriptor
> > (such as STDIN) of these processes points to the heartbeat.pid file.
> > I havn't verified it in the heartbeat-2 code yet. It's not very likely
> > that this is exploitable; the heartbeat scripts are started with root
> > privileges anyway. But in theory it could be possible to trick one of
> > these scripts into writing a differend PID into the pidfile maybe?
>
> Hi Eric,
>
> that does indeed look like a bit of a problem. Thanks for reporting it.
> Hopefully it isn't too hard to track down and fix.
>
> I'm CCing the linux-ha-dev list so their eyes pass over this problem.
Re CCing, as I used the wrong address the first time around.
--
Horms
H: http://www.vergenet.net/~horms/
W: http://www.valinux.co.jp/en/
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
