Bug 146684

Summary: policy does not allow sysstat or mrtg crons to run
Product: [Fedora] Fedora
Reporter: Orion Poplawski <orion>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-02-01 17:44:22 UTC

Description Orion Poplawski 2005-01-31 18:56:23 UTC
Description of problem:

Get failure emails from /usr/lib/sa/sa1 and /usr/bin/mrtg crons:

execl: couldn't exec `/bin/sh'
execl: Permission denied

audit(1107197402.053:0): avc:  denied  { transition } for  pid=4235
exe=/usr/sbin/crond path=/bin/bash dev=dm-1 ino=47140
scontext=user_u:system_r:crond_t tcontext=system_u:system_r:unconfined_t
tclass=process

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.21.5-1

How reproducible:
Every time

Steps to Reproduce:
1.  Install selinux targeted system
2.  Install sysstat
3.  Install and configure mrtg
  
Actual results:

Crons fail to run

Expected results:


Additional info:

Comment 1 Orion Poplawski 2005-01-31 19:02:02 UTC
Also, cron.hourly (and others?) can't run.

Comment 2 Daniel Walsh 2005-01-31 20:36:55 UTC
Did you do a service crond restart after updating policy?



Comment 3 Daniel Walsh 2005-01-31 20:43:19 UTC
Oops never mind.  Please try out selinux-policy-targeted-1.21.5-4
Available now on ftp://people.redhat.com/dwalsh/SELinux/Fedora
Or via Rawhide tomorrow.



Comment 4 Orion Poplawski 2005-01-31 21:13:08 UTC
Still getting it:

Jan 31 14:10:01 hawk crond(pam_unix)[4205]: session opened for user root by (uid=0)
Jan 31 14:10:01 hawk kernel: audit(1107205801.774:0): avc:  denied  { transition
} for  pid=4206 exe=/usr/sbin/crond path=/bin/bash dev=dm-1 ino=47140
scontext=root:system_r:crond_t tcontext=system_u:system_r:unconfined_t
tclass=process
Jan 31 14:10:01 hawk crond(pam_unix)[4205]: session closed for user root

I restarted the crond service after applying the update.  Anything else to be done?

Comment 5 Daniel Walsh 2005-01-31 21:25:09 UTC
That is weird.  I am running

rpm -q selinux-policy-targeted
selinux-policy-targeted-1.21.5-4

Jan 31 16:20:01 localhost crond(pam_unix)[18904]: session opened for user root
by (uid=0)
Jan 31 16:20:01 localhost crond(pam_unix)[18905]: session opened for user root
by (uid=0)
Jan 31 16:20:01 localhost crond(pam_unix)[18904]: session closed for user root
Jan 31 16:20:02 localhost crond(pam_unix)[18905]: session closed for user root

I am not seeing this at all anymore.  


Comment 6 Daniel Walsh 2005-01-31 21:48:49 UTC
selinux-policy-targeted-1.21.5-5 has this fix.

Dan

Comment 7 Orion Poplawski 2005-02-01 17:44:22 UTC
After a reinstall, this looks good.
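
Added example (not part of the original bug report or of any SELinux tool): a small Python parser for the AVC denial records quoted in this thread. It tolerates the syslog line wrapping seen in Comment 4 and groups denials by type, so the user_u and root records are recognised as the same crond_t to unconfined_t transition denial. The function names parse_avc_denials and summarize_by_type are hypothetical, and the sample log is constructed from the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample input: the two denials quoted in this report, including
# the syslog wrap that split "{ transition }" across two lines.
SAMPLE_LOG = """\
audit(1107197402.053:0): avc:  denied  { transition } for  pid=4235
exe=/usr/sbin/crond path=/bin/bash dev=dm-1 ino=47140
scontext=user_u:system_r:crond_t tcontext=system_u:system_r:unconfined_t
tclass=process
Jan 31 14:10:01 hawk crond(pam_unix)[4205]: session opened for user root by (uid=0)
Jan 31 14:10:01 hawk kernel: audit(1107205801.774:0): avc:  denied  { transition
} for  pid=4206 exe=/usr/sbin/crond path=/bin/bash dev=dm-1 ino=47140
scontext=root:system_r:crond_t tcontext=system_u:system_r:unconfined_t
tclass=process
"""

# DOTALL lets one record span several physical lines; tclass ends the record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*?tclass=\S+)",
    re.DOTALL,
)

def parse_avc_denials(text):
    """Return one dict per AVC denial, tolerating records wrapped over lines."""
    denials = []
    for m in AVC_RE.finditer(text):
        fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
        denials.append({
            "perms": tuple(m["perms"].split()),
            "exe": fields.get("exe"),
            "path": fields.get("path"),
            "scontext": fields.get("scontext"),
            "tcontext": fields.get("tcontext"),
            "tclass": fields["tclass"],
        })
    return denials

def summarize_by_type(denials):
    """Count denials by (source type, target type, class, perms); user and role are ignored."""
    return Counter(
        (d["scontext"].split(":")[2], d["tcontext"].split(":")[2], d["tclass"], d["perms"])
        for d in denials
    )

if __name__ == "__main__":
    for (src, tgt, cls, perms), n in summarize_by_type(parse_avc_denials(SAMPLE_LOG)).items():
        print(f"{n}x {src} -> {tgt} : {cls} {{ {' '.join(perms)} }}")
```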