Bug 477998

Summary: rawhide at Cannot open lockfile /var/spool/at/.SEQ: Permission denied
Product: [Fedora] Fedora
Component: at
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: low
Reporter: Jerry Amundson <jamundso>
Assignee: Marcela Mašláňová <mmaslano>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, mfuruta, mmaslano
Keywords: SELinux
Doc Type: Bug Fix
Last Closed: 2009-01-21 20:21:46 UTC

Description Jerry Amundson 2008-12-27 04:50:09 UTC
Description of problem:
rawhide at Cannot open lockfile /var/spool/at/.SEQ: Permission denied

Version-Release number of selected component (if applicable):
at-3.1.10-27.fc11.i386

How reproducible:
always

Steps to Reproduce:
1. at <valid-future-time>
  
Actual results:
Error

Expected results:
Submitted at job

Additional info:
First noted with selinux permissive, but currently disabled.
[root@walnut ~]# rpmverify at
[root@walnut ~]# ll -d /var/spool/at
drwx------ 3 daemon daemon 4096 2008-12-26 22:35 /var/spool/at
[root@walnut ~]# ll  /var/spool/at -a
total 12
drwx------  3 daemon daemon 4096 2008-12-26 22:35 .
drwxr-xr-x 13 root   root   4096 2008-11-14 16:35 ..
drwx------  2 daemon daemon 4096 2008-12-03 07:56 spool
[root@walnut ~]# service atd status
atd (pid  2171) is running...
[root@walnut ~]# ps -fwwp 2171
UID        PID  PPID  C STIME TTY      STAT   TIME CMD
root      2171     1  0 20:47 ?        Ss     0:00 /usr/sbin/atd

Comment 1 Marcela Mašláňová 2009-01-05 09:51:20 UTC
Could you tell me whether /etc/at.allow exists? Could you please attach /var/log/audit/audit.log, which is denying at?

Comment 2 Jerry Amundson 2009-01-05 16:51:40 UTC
(In reply to comment #1)
> Could you tell me whether /etc/at.allow exists? 

There is no /etc/at.allow file.

Comment 3 Jerry Amundson 2009-01-05 17:06:07 UTC
Entries from audit.log:

type=USER_ACCT msg=audit(1231175062.620:949): user pid=18563 uid=0 auid=500 ses=21 subj=unconfined_u:unconfined_r:crontab_t:s0 msg='op=PAM:accounting acct="jerry" exe="/usr/bin/at" (hostname=?, addr=?, terminal=atd res=success)'
type=LOGIN msg=audit(1231175062.621:950): login pid=18563 uid=0 old auid=500 new auid=500 old ses=21 new ses=22
type=USER_START msg=audit(1231175062.624:951): user pid=18563 uid=0 auid=500 ses=22 subj=unconfined_u:unconfined_r:crontab_t:s0 msg='op=PAM:session_open acct="jerry" exe="/usr/bin/at" (hostname=?, addr=?, terminal=atd res=success)'
type=CRED_ACQ msg=audit(1231175062.624:952): user pid=18563 uid=0 auid=500 ses=22 subj=unconfined_u:unconfined_r:crontab_t:s0 msg='op=PAM:setcred acct="jerry" exe="/usr/bin/at" (hostname=?, addr=?, terminal=atd res=success)'
type=CRED_DISP msg=audit(1231175062.625:953): user pid=18563 uid=0 auid=500 ses=22 subj=unconfined_u:unconfined_r:crontab_t:s0 msg='op=PAM:setcred acct="jerry" exe="/usr/bin/at" (hostname=?, addr=?, terminal=atd res=success)'
type=USER_END msg=audit(1231175062.626:954): user pid=18563 uid=0 auid=500 ses=22 subj=unconfined_u:unconfined_r:crontab_t:s0 msg='op=PAM:session_close acct="jerry" exe="/usr/bin/at" (hostname=?, addr=?, terminal=atd res=success)'

Comment 4 Jerry Amundson 2009-01-21 05:30:26 UTC
Still a problem, not to the point of being annoying... not yet anyway.

Comment 5 Marcela Mašláňová 2009-01-21 09:57:18 UTC
Ok, I finally updated to rawhide. I see it too. The only difference between F-10 and F-11 is the selinux context.
F-10
-rw-------  daemon daemon unconfined_u:object_r:user_cron_spool_t:s0 /var/spool/at/.SEQ
F-11
ls -Z /var/spool/at/.SEQ
-rw-------  daemon daemon system_u:object_r:user_cron_spool_t:s0 /var/spool/at/.SEQ

The audit log mentions at only in permissive mode:

type=AVC msg=audit(1232531683.981:56): avc:  denied  { write } for  pid=25692 comm="at" name="at" dev=dm-0 ino=163886 scontext=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1232531683.981:56): avc:  denied  { add_name } for  pid=25692 comm="at" name="a00004013972f2" scontext=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1232531683.981:56): arch=c000003e syscall=2 success=yes exit=4 a0=60bb80 a1=2c1 a2=100 a3=7fff060c6940 items=0 ppid=1986 pid=25692 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="at" exe="/usr/bin/at" subj=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1232531686.895:57): user pid=25709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/atd" (hostname=?, addr=?, terminal=atd res=success)'
type=LOGIN msg=audit(1232531686.928:58): login pid=25709 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=8
type=USER_START msg=audit(1232531687.052:59): user pid=25709 uid=0 auid=0 ses=8 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/atd" (hostname=?, addr=?, terminal=atd res=success)'
type=CRED_ACQ msg=audit(1232531687.128:60): user pid=25709 uid=0 auid=0 ses=8 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root"exe="/usr/sbin/atd" (hostname=?, addr=?, terminal=atd res=success)'

Comment 6 Daniel Walsh 2009-01-21 20:21:46 UTC
Fixed in selinux-policy-3.6.4-5.f11
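
Added example, not part of the bug report or of selinux-policy: a small triage script that groups the audit records from comment 5 by event id, merges the AVC denials per source type, target type and class, and joins them with the SYSCALL record of the same event. The function names are this example's own, the SYSCALL and USER_ACCT sample records are shortened, and the allow-rule rendering is only a compact way to read the denial, not the change that was shipped.

```python
import re
from collections import defaultdict

# Records from comment 5; the SYSCALL and USER_ACCT records are shortened to the fields used here.
SAMPLE = '''\
type=AVC msg=audit(1232531683.981:56): avc:  denied  { write } for  pid=25692 comm="at" name="at" dev=dm-0 ino=163886 scontext=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1232531683.981:56): avc:  denied  { add_name } for  pid=25692 comm="at" name="a00004013972f2" scontext=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1232531683.981:56): arch=c000003e syscall=2 success=yes exit=4 pid=25692 comm="at" exe="/usr/bin/at" subj=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1232531686.895:57): user pid=25709 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/atd" (hostname=?, addr=?, terminal=atd res=success)'
'''

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit event id (timestamp:serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
            events[m.group(2)].append((m.group(1), fields, line))
    return events

def summarize_denials(text):
    """Merge AVC denials per event and (source type, target type, class)."""
    rows = []
    for event_id, records in parse_events(text).items():
        syscall = next((f for t, f, _ in records if t == "SYSCALL"), {})
        merged = defaultdict(set)
        for rtype, f, line in records:
            m = DENIED.search(line)
            if rtype == "AVC" and m:
                key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
                merged[key].update(m.group(1).split())
        for (stype, ttype, tclass), perms in merged.items():
            rows.append({"event": event_id, "source_type": stype, "target_type": ttype,
                         "tclass": tclass, "perms": sorted(perms), "exe": syscall.get("exe"),
                         # a "denied" AVC whose syscall still succeeded was logged, not enforced
                         "syscall_succeeded": syscall.get("success") == "yes"})
    return rows

def as_rule(row):
    """Render a row in SELinux allow-rule syntax, for reading only."""
    return "allow %s %s:%s { %s };" % (row["source_type"], row["target_type"],
                                       row["tclass"], " ".join(row["perms"]))

if __name__ == "__main__":
    for row in summarize_denials(SAMPLE):
        print(row["event"], row["exe"], row["syscall_succeeded"], as_rule(row))
```

The PAM records from atd carry no AVC record and are skipped; the single summarized event shows /usr/bin/at in crontab_t being denied write and add_name on a user_cron_spool_t directory while the syscall still succeeded, consistent with the permissive-mode capture described in comment 5.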