rlh100 wrote:
> But in the /var/log/messages file I got the following SELinux error:
> Jun 10 16:09:13 vopssrv-02 setroubleshoot: SELinux is preventing the
> rndc from using potentially mislabeled files (/tmp/puppet.5020.0). For
> complete SELinux messages. run sealert -l 67cf31ee-d618-4df7-87cf-777f5abcf277
>
> Which sealert translated to:
> SELinux is preventing the rndc from using potentially mislabeled files
> (/tmp/puppet.5020.0).
> . . .
> Allowing Access:
> If you want rndc to access this files, you need to relabel them using
> restorecon -v '/tmp/puppet.5020.0'. You might want to relabel the entire
> directory using
> restorecon -R -v '/tmp'.
>
> Having seen a similar problem with nagios and ping:
>> This is a classic leaked file descriptor. Obviously ping has no business
>> reading the nagios spool file, it would know nothing about this
>> file, but nagios has a open file descriptor to the fifo_file when it
>> execs ping. ping inherits the open file descriptor. The kernel checks
>> the ping policy to see if ping can read the fifo file, when it finds it
>> can not, it reports a violation, closes the file descriptor for ping
>> and reopens it with /dev/null. It then completes the startup of ping.
>
>> You should report this as a bug to nagios. They should execute
>> fcntl(fd, F_SETFD, FD_CLOEXEC) on all open file descriptors before
>> fork/exec of any subprocess.
>
> So does this make any sense to one of the ruby programmers among you?
FWIW, the general issue of leaked file descriptors was reported by Fedora/RHEL SELinux maintainer Dan Walsh in the Red Hat bugzilla as https://bugzilla.redhat.com/show_bug.cgi?id=460039.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A moment's insight is sometimes worth a life's experience.
    -- Oliver Wendell Holmes (1809-1894)
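The fcntl(fd, F_SETFD, FD_CLOEXEC) fix quoted in the first message, as an added Ruby example that is not code from this thread or from Puppet: it reproduces the leak with a constructed temp file standing in for /tmp/puppet.5020.0, asks a child process whether the descriptor survived exec, then sets close-on-exec and asks again. It assumes a Unix host with the interpreter reachable via RbConfig.ruby; Ruby 2.0 and later already open descriptors close-on-exec, so the example clears the flag first to mimic the older interpreter the leak was seen with.

```ruby
require 'fcntl'
require 'rbconfig'
require 'tempfile'

# Child-side probe (hypothetical helper run via `ruby -e`): print "open" only
# if descriptor ARGV[0] is valid in the child AND still refers to inode
# ARGV[1], so a recycled fd number is not mistaken for the leaked one.
PROBE = <<~'RB'
  fd, ino = ARGV[0].to_i, ARGV[1].to_i
  begin
    print(IO.for_fd(fd, autoclose: false).stat.ino == ino ? "open" : "closed")
  rescue Errno::EBADF
    print "closed"
  end
RB

# Spawn a child the way a careless parent does (close_others: false, i.e. no
# extra cleanup before exec) and report whether `io` is visible inside it.
def fd_visible_in_child?(io)
  argv = [RbConfig.ruby, '--disable-gems', '-e', PROBE,
          io.fileno.to_s, io.stat.ino.to_s]
  IO.popen(argv, 'r', close_others: false, &:read) == 'open'
end

# Returns [leaked_before_fix, leaked_after_fix]; expected [true, false].
def cloexec_demo
  tmp = Tempfile.new('puppet-demo')        # constructed stand-in for /tmp/puppet.5020.0
  tmp.write('constructed sample data')
  tmp.flush
  tmp.close_on_exec = false                # reproduce the leak (Ruby >= 2.0 defaults to true)
  before = fd_visible_in_child?(tmp)       # child inherits the fd: the SELinux denial case
  tmp.fcntl(Fcntl::F_SETFD, Fcntl::FD_CLOEXEC)  # the fix recommended in the thread
  after = fd_visible_in_child?(tmp)        # kernel closes it at exec; nothing to deny
  [before, after]
ensure
  tmp&.close!
end

puts 'leaked before fix: %s, after fix: %s' % cloexec_demo if $PROGRAM_NAME == __FILE__
```

A real daemon would apply the same fcntl call to every descriptor it holds open (not just one file) before forking, which is exactly what the quoted bug report asks nagios to do.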