On Fri, 09 Nov 2007 10:03:40 -0800, Russ Allbery <firstname.lastname@example.org> said:
> Petter Reinholdtsen <email@example.com> writes:
>> This might work, but the correct fix is to get the daemon to close
>> all file descriptors when it daemonizes.
> Those file descriptor close loops are somewhat controversial. Not
> everyone agrees that they're a good idea, and some upstreams will push
> back on doing it. I find them a bit dubious myself; there are various
> hacks that, while hacks, come in very handy but are broken by daemons
> that do this. (Process-inherited Kerberos caches, for example.)

Wearing my SELinux hat, I find that daemons not closing file
descriptors when forking children result in a large number of AVC
denied messages. Of course, sometimes there are legitimate reasons for
not closing the descriptors (and these use cases can then be explicitly
allowed in the security policy). In most cases, though, it seems like the
authors are just being lazy.

Absence makes the heart forget.
Manoj Srivastava <firstname.lastname@example.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
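The fd "close loop" the thread argues about, as an added example written for this page (it is not code from the thread, from any daemon mentioned in it, or from Debian): it closes every descriptor in a range except an explicit keep list, so a legitimately inherited descriptor such as the process-inherited Kerberos cache Russ mentions can be whitelisted instead of lost, which is also the shape that lets a packager enumerate the surviving descriptors in an SELinux policy. The function names (close_inherited_fds, fd_is_open, demo_close_inherited) are my own; /proc/self/fd is Linux-specific, and the sysconf(_SC_OPEN_MAX) loop is the portable fallback.

```c
/* An fd close loop with an explicit keep list.  Added example, not code
 * from this thread, from any daemon discussed in it, or from Debian. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Report whether fd currently refers to an open descriptor. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

static int in_keep_list(int fd, const int *keep, size_t nkeep)
{
    for (size_t i = 0; i < nkeep; i++)
        if (keep[i] == fd)
            return 1;
    return 0;
}

/* Close every open descriptor in [lowfd, highfd] not listed in keep;
 * highfd < 0 means "up to the open-file limit".  Returns how many were
 * closed.  /proc/self/fd (Linux) is tried first so a daemon with a huge
 * RLIMIT_NOFILE does not spin over millions of empty slots; the classic
 * loop up to sysconf(_SC_OPEN_MAX) is the portable fallback. */
int close_inherited_fds(int lowfd, int highfd, const int *keep, size_t nkeep)
{
    int closed = 0;
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd <= 0) maxfd = 1024;         /* conservative guess */
    if (highfd < 0 || highfd >= maxfd) highfd = (int)maxfd - 1;

    DIR *d = opendir("/proc/self/fd");
    if (d != NULL) {
        /* Collect first: closing while readdir() walks the dir can skip entries. */
        int dfd = dirfd(d);
        size_t cap = 64, n = 0;
        int *list = malloc(cap * sizeof *list);
        struct dirent *e;
        while (list != NULL && (e = readdir(d)) != NULL) {
            char *end;
            long fd = strtol(e->d_name, &end, 10);
            if (end == e->d_name || *end != '\0')
                continue;                 /* "." and ".." */
            if (n == cap) {
                int *tmp = realloc(list, 2 * cap * sizeof *list);
                if (tmp == NULL) { free(list); list = NULL; break; }
                list = tmp;
                cap *= 2;
            }
            list[n++] = (int)fd;
        }
        closedir(d);
        if (list != NULL) {
            for (size_t i = 0; i < n; i++) {
                int fd = list[i];
                if (fd < lowfd || fd > highfd || fd == dfd)
                    continue;
                if (!in_keep_list(fd, keep, nkeep) && close(fd) == 0)
                    closed++;
            }
            free(list);
            return closed;
        }
        /* allocation failed: fall back to the plain loop */
    }
    for (int fd = lowfd; fd <= highfd; fd++)
        if (!in_keep_list(fd, keep, nkeep) && close(fd) == 0)
            closed++;                     /* EBADF on empty slots is expected */
    return closed;
}

/* Demonstration: open three descriptors, whitelist the middle one (think of
 * a credential cache the parent handed down on purpose), close the rest of
 * that range.  Returns 0 on success, 1 or 2 for the failed check. */
int demo_close_inherited(void)
{
    int a = open("/dev/null", O_RDONLY);
    int b = open("/dev/null", O_RDONLY);
    int c = open("/dev/null", O_RDONLY);
    if (a < 0 || b < 0 || c < 0) return 1;
    int lo = a < b ? (a < c ? a : c) : (b < c ? b : c);
    int hi = a > b ? (a > c ? a : c) : (b > c ? b : c);
    int keep[] = { b };
    int n = close_inherited_fds(lo, hi, keep, 1);
    int ok = n >= 2 && fd_is_open(b) && !fd_is_open(a) && !fd_is_open(c);
    close(b);
    return ok ? 0 : 2;
}

int main(void)
{
    int rc = demo_close_inherited();
    puts(rc == 0 ? "keep list honoured, other inherited fds closed" : "check failed");
    return rc;
}
```

In a real daemon you would call close_inherited_fds(3, -1, keep, nkeep) right after the fork, passing whatever the parent deliberately handed down. Two alternatives worth knowing: opening descriptors with O_CLOEXEC (or setting FD_CLOEXEC) makes the kernel drop them on exec, which covers children that exec another program but not children that merely fork; and Linux 5.9+ and FreeBSD 13+ provide close_range(2), which closes a whole range in one call but has no keep list, so an exempted descriptor has to be dup'd out of the range first.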