On Tue, May 01, 2007 at 01:27:20PM -0600, Alan Robertson wrote:
> Dejan Muhamedagic wrote:
> > Hi,
> >
> > On Thu, Apr 26, 2007 at 11:14:46AM +0900, Simon Horman wrote:
> >> On Tue, Apr 24, 2007 at 09:51:45AM +0900, Simon Horman wrote:
> >>> forwarded 420637 [EMAIL PROTECTED]
> >>> thanks
> >>>
> >>> On Mon, Apr 23, 2007 at 07:28:53PM +0200, Erich Schubert wrote:
> >>>> Package: heartbeat-2
> >>>> Version: 2.0.7-2
> >>>> Severity: normal
> >>>>
> >>>> It seems that heartbeat-2 leaks a file descriptor to it's child
> >>>> processes. From the SELinux audit log:
> >>>>
> >>>> avc: denied { read } for pid=2403 comm="ip" name="heartbeat.pid"
> >>>> dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ifconfig_t:s0
> >>>> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> >>>>
> >>>> avc: denied { read } for pid=3210 comm="rndc" name="heartbeat.pid"
> >>>> dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ndc_t:s0
> >>>> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> >>>>
> >>>> avc: denied { read } for pid=3303 comm="openvpn" name="heartbeat.pid"
> >>>> dev=ida/c0d0p5 ino=86181 scontext=root:system_r:openvpn_t:s0
> >>>> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> >
> > I don't speak SElinux: comm= denotes a program? I suppose that ip
> > is from IPaddr2 then. Do you have openvpn and bind in your
> > heartbeat config? Perhaps you could also post your heartbeat
> > configuration (ha.cf and haresources/cib.xml).
>
> I don't see any pidfile fd leaks in the code. This code handling
> pidfiles is in lib/clplumbing/cl_pidfile.c.
>
> I also looked for references to "heartbeat.pid" which appears only in
> the #define PIDFILE - from outside the functions in cl_pidfile. I can't
> find any.
>
> I could easily believe that there are file descriptor leaks from the
> LRM, but I don't know how a file descriptor pointing at "heartbeat.pid"
> could have leaked. Do I understand this correctly?
>
> So, I wonder if I understand what's in the logs, I don't see how that
> could have come from heartbeat 2.0.7.
>
> Never mind. This was apparently fixed sometime after 2.0.7.
> http://hg.linux-ha.org/dev/rev/549c74fc1e33
Thanks Alan. I'll work out weather that change went into 2.0.8 or will
be going into 2.0.9 and mangle the bug's status accordingly.
Eric, are you in a poisition to test if this patch resolves the problem?
I can make a package for you to test if that helps you.
--
Horms
H: http://www.vergenet.net/~horms/
W: http://www.valinux.co.jp/en/
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
