Full_Name: Jan Safranek
Version: 2.4.9
OS: Linux (Fedora 8)
URL:
Submission from: (NULL) (62.40.79.66)
On a system protected by SELinux, when an application with an active LDAP connection tries to exec() a binary with a different security context, SELinux inspects all open file descriptors, including the LDAP one, and denies access to the ones which do not conform to the active policy (the executed binary is not authorized to contact LDAP servers). Users are then annoyed by security warnings in the logs.
There is a simple fix: set the CLOEXEC flag on the socket, which will force the file descriptor to close on exec(); see the patch below.
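As an added illustration (not part of this submission or of OpenLDAP's code), a defensive version of the fix described above: the helper names `socket_cloexec`, `fd_is_cloexec` and `cloexec_self_check` are hypothetical. It prefers the atomic `SOCK_CLOEXEC` form where the platform defines it, falls back to `fcntl()` otherwise, and checks the results of both `socket()` and `fcntl()` instead of ignoring them.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 if fd carries FD_CLOEXEC, 0 if it does not, -1 on error (e.g. EBADF). */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Like socket(2), but the returned descriptor is close-on-exec.
 * SOCK_CLOEXEC sets the flag atomically, removing the window between
 * socket() and fcntl() in which another thread could fork() and exec()
 * and hand the descriptor to an unrelated binary. */
int socket_cloexec(int family, int type)
{
    int s = -1;
#ifdef SOCK_CLOEXEC
    s = socket(family, type | SOCK_CLOEXEC, 0);
    if (s < 0 && errno != EINVAL)   /* genuine failure, not "flag unknown" */
        return -1;
#endif
    if (s < 0) {
        /* Portable fallback: set the flag after creation, checking both
         * the socket and the fcntl() result. */
        s = socket(family, type, 0);
        if (s < 0)
            return -1;
        int flags = fcntl(s, F_GETFD);
        if (flags < 0 || fcntl(s, F_SETFD, flags | FD_CLOEXEC) < 0) {
            int saved = errno;
            close(s);
            errno = saved;
            return -1;
        }
    }
    return s;
}

/* Self-check: a guarded socket carries the flag, a plain socket() does not.
 * Returns 0 on success, a small positive code identifying the failed step. */
int cloexec_self_check(void)
{
    int rc = 0;
    int guarded = socket_cloexec(AF_UNIX, SOCK_STREAM);
    int plain = socket(AF_UNIX, SOCK_STREAM, 0);
    if (guarded < 0 || plain < 0)
        rc = 1;
    else if (fd_is_cloexec(guarded) != 1)
        rc = 2;
    else if (fd_is_cloexec(plain) != 0)
        rc = 3;
    if (guarded >= 0) close(guarded);
    if (plain >= 0) close(plain);
    return rc;
}
```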
--- a/libraries/libldap/os-ip.c +++ b/libraries/libldap/os-ip.c @@ -36,6 +36,9 @@ #ifdef HAVE_IO_H #include <io.h> #endif /* HAVE_IO_H */ +#ifdef HAVE_FCNTL_H +#include <fcntl.h> +#endif
#include "ldap-int.h"
@@ -110,6 +113,9 @@ ldap_int_socket(LDAP *ld, int family, int type ) { ber_socket_t s = socket(family, type, 0); osip_debug(ld, "ldap_new_socket: %d\n",s,0,0); +#ifdef _GNU_SOURCE + fcntl(s, F_SETFD, FD_CLOEXEC); +#endif return ( s ); }
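Review bot: In the first hunk the `#include <fcntl.h>` is guarded by `HAVE_FCNTL_H`, while the `fcntl()` call added in the second hunk is guarded by `_GNU_SOURCE`; the two conditions are independent, so a configuration can compile the call without the header's prototype, or pull in the header and then compile the call out. Use the same condition for both, for example `#ifdef HAVE_FCNTL_H` around the call as well, or test for `FD_CLOEXEC` being defined after the include.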
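Review bot: In `ldap_int_socket()` the new `fcntl(s, F_SETFD, FD_CLOEXEC);` is issued before `s` is checked, so when `socket()` fails and returns -1 the call is made on an invalid descriptor, and its own return value is discarded; wrap it as `if ( s != -1 ) fcntl(s, F_SETFD, FD_CLOEXEC);` or log the failure. Two further points: `_GNU_SOURCE` is a feature-request macro that the program itself defines, not an indicator that `FD_CLOEXEC` is available (the flag is POSIX), so it is the wrong guard; and because the flag is set only after `socket()` returns, another thread that calls fork() and exec() in between still inherits the descriptor, so where the platform offers `SOCK_CLOEXEC` in the `type` argument that atomic form should be preferred with this `fcntl()` path kept as the fallback.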