On Sat, 10 Nov 2007 23:45:01 -0800, Russ Allbery <email@example.com> said:
> Manoj Srivastava <firstname.lastname@example.org> writes:
>> Wearing my SELinux hat on, I find that daemons not closing file
>> descriptors when forking children result in a large number of AVC
>> denied messages. Of course, sometimes there are legitimate reasons
>> for not closing the descriptors (and these use cases can then be
>> explicitly allowed in the security policy). In most cases, though, it
>> seems like the authors are just being lazy.
> From a security standpoint, isn't it clearly better to manage the file
> descriptors before invoking the daemon rather than just handing them
> all off to the daemon and trusting the daemon to close them?
I would agree that no entity should be passing open file
descriptors off to other processes unless this is deliberate, and in
that case a proper policy has been written for it.
> Insofar as there is any security impact here (which is dubious in most
Why do you say that? If a process acquires a file handle on a
privileged file while running as dpkg_t and passes it to debconf
running as debconf_t, why is there no security impact? dpkg_t might
have more access than debconf_t in the policy being run.
> I'd say that passing the open debconf file descriptor to the
> daemon is wrong regardless of whether the daemon closes it or not.
QOTD: "I thought I saw a unicorn on the way over, but it was just a
horse with one of the horns broken off."
Manoj Srivastava <email@example.com> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
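As an added illustration of the point both sides agree on (descriptors should not leak into children unless deliberately passed), here is a small helper that a daemon can call before fork()/exec() to mark every inherited descriptor close-on-exec and to count the ones a child would still inherit. This is example code written for this note, not from the thread or from any Debian package; it assumes Linux/POSIX fcntl(2) and sysconf(3), and the pipe in main() is a constructed stand-in for a privileged handle.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Upper bound on descriptor numbers to scan; falls back if sysconf() fails. */
static long max_fd(void) {
    long n = sysconf(_SC_OPEN_MAX);
    return n < 0 ? 1024 : n;
}

/* 1 if fd is open with FD_CLOEXEC, 0 if open without it, -1 if not open. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;                 /* EBADF: nothing open in this slot */
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Mark every open descriptor >= lowfd close-on-exec so an exec()'d child
 * cannot inherit it. Returns the number of descriptors changed, -1 on error. */
int mark_fds_cloexec(int lowfd) {
    long limit = max_fd();
    int changed = 0;
    for (int fd = lowfd; fd < limit; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1) {
            if (errno == EBADF) continue;   /* slot not in use */
            return -1;
        }
        if (flags & FD_CLOEXEC) continue;   /* already safe */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1) return -1;
        changed++;
    }
    return changed;
}

/* Count descriptors >= lowfd that would still survive an exec() in a child. */
int count_leaky_fds(int lowfd) {
    long limit = max_fd();
    int leaky = 0;
    for (int fd = lowfd; fd < limit; fd++)
        if (fd_is_cloexec(fd) == 0) leaky++;
    return leaky;
}

int main(void) {
    int p[2];
    if (pipe(p) == -1) { perror("pipe"); return 1; }  /* constructed "privileged" handle */
    printf("leaky before: %d\n", count_leaky_fds(3));
    printf("marked %d, leaky after: %d\n", mark_fds_cloexec(3), count_leaky_fds(3));
    return 0;   /* a fork()+exec() child would now not inherit p[0] or p[1] */
}
```

Descriptors that a child genuinely needs (the deliberate hand-off the thread mentions) are dup2()'d onto a known number after this call, which clears FD_CLOEXEC on the copy, so the exception is explicit in code rather than an accident of inheritance.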