Bug 445564

Summary: selinux complains about sysstat and crond_t
Product: [Fedora] Fedora Reporter: Carl Roth <roth>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: jkubin
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-07 19:54:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Carl Roth 2008-05-07 17:03:45 UTC 
Description of problem:

I get the following complaints in my selinux logs when I have sysstat installed:

host=huggy.ursus.net type=AVC msg=audit(1210179601.462:1765): avc: denied { read
write } for pid=2244 comm="sadc" path="socket:[180862]" dev=sockfs ino=180862
scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket
host=huggy.ursus.net type=SYSCALL msg=audit(1210179601.462:1765): arch=c000003e
syscall=59 success=yes exit=0 a0=28018d0 a1=2800d90 a2=2802bb0 a3=8 items=0
ppid=2240 pid=2244 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=285 comm="sadc" exe="/usr/lib64/sa/sadc"
subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null) 

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.3.1-42.fc9.noarch
sysstat-8.0.4-3.fc9.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

I don't know if it's important for sysstat to have access to cron, but if it is
this appears to be a workaround:

  gen_require(`
    type sysstat_t;
    type crond_t;
  ')

  cron_rw_tcp_sockets(sysstat_t)
Comment 1 Daniel Walsh 2008-05-07 18:56:12 UTC 
This is probably a pam module leaking an open file descriptor.  How do you
authorize users on your machine?
Comment 2 Carl Roth 2008-05-07 19:33:21 UTC 
My system uses ldap/nss_ndap to authorize.
Comment 3 Daniel Walsh 2008-05-07 19:54:45 UTC 
That is what I figured...



*** This bug has been marked as a duplicate of 445584 ***