
Re: dh_installinit



On Fri, 09 Nov 2007 10:03:40 -0800, Russ Allbery <rra@debian.org> said: 

> Petter Reinholdtsen <pere@hungry.com> writes:
>> This might work, but the correct fix is to get the daemon to close
>> all file descriptors when it daemonizes.

> Those file descriptor close loops are somewhat controversial.  Not
> everyone agrees that they're a good idea, and some upstreams will push
> back on doing it.  I find them a bit dubious myself; there are various
> hacks that, while hacks, come in very handy but are broken by daemons
> that do this.  (Process-inherited Kerberos caches, for example.)

        With my SELinux hat on, I find that daemons not closing file
 descriptors when forking children result in a large number of AVC
 denied messages. Of course, sometimes there are legitimate reasons for
 not closing the descriptors (and these use cases can then be explicitly
 allowed in the security policy).  In most cases, though, it seems like
 the authors are just being lazy.

        manoj
-- 
Absence makes the heart forget.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
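
An added example, not part of the message above or of any Debian package: a descriptor close loop of the kind discussed in this thread, with an explicit keep list for descriptors a daemon inherits on purpose. The names close_inherited_fds, fd_is_open and keep are hypothetical, and the code assumes Linux with /proc mounted.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* True if fd is currently an open descriptor in this process. */
bool fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Close every descriptor above stderr except those in keep[] (a
 * hypothetical allowlist for deliberately inherited descriptors). Walks
 * /proc/self/fd, so Linux-specific. Returns the count closed, or -1. */
int close_inherited_fds(const int *keep, size_t nkeep)
{
    DIR *dir = opendir("/proc/self/fd");
    struct dirent *ent;
    int closed = 0;
    if (dir == NULL)
        return -1;
    while ((ent = readdir(dir)) != NULL) {
        char *end;
        long fd = strtol(ent->d_name, &end, 10);
        bool kept = false;
        if (end == ent->d_name || *end != '\0')
            continue;                       /* skip "." and ".." */
        if (fd <= STDERR_FILENO || fd == dirfd(dir))
            continue;                       /* stdio and our own DIR handle */
        for (size_t i = 0; i < nkeep; i++)
            kept = kept || keep[i] == fd;
        if (!kept && close((int)fd) == 0)
            closed++;
    }
    closedir(dir);
    return closed;
}

int main(void)
{
    int p[2];                               /* constructed sample descriptors */
    if (pipe(p) != 0)
        return 1;
    int n = close_inherited_fds(&p[0], 1);  /* keep the read end only */
    printf("closed=%d kept=%d leaked=%d\n", n, fd_is_open(p[0]), fd_is_open(p[1]));
    return 0;
}
```

Calling this after fork() and before exec() means a child started by the daemon receives only stdio and the listed descriptors.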


