Bug 477998
Summary: rawhide at Cannot open lockfile /var/spool/at/.SEQ: Permission denied

| Field | Value |
|---|---|
| Product | [Fedora] Fedora |
| Component | at |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | low |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Keywords | SELinux |
| Reporter | Jerry Amundson <jamundso> |
| Assignee | Marcela Mašláňová <mmaslano> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, mfuruta, mmaslano |
| Doc Type | Bug Fix |
| Last Closed | 2009-01-21 20:21:46 UTC |

Description
Jerry Amundson
2008-12-27 04:50:09 UTC

Could you tell me whether /etc/at.allow exists? Could you please attach /var/log/audit/audit.log, which is denying at?

(In reply to comment #1)
> Could you tell me whether /etc/at.allow exists?
There is no /etc/at.allow file.

Entries from audit.log:

type=USER_ACCT msg=audit(1231175062.620:949): user pid=18563 uid=0 auid=500 ses=21 subj=unconfined_u:unconfined_r:crontab_t:s0 msg='op=PAM:accounting acct="jerry" exe="/usr/bin/at" (hostname=?, addr=?, terminal=atd res=success)'
type=LOGIN msg=audit(1231175062.621:950): login pid=18563 uid=0 old auid=500 new auid=500 old ses=21 new ses=22
type=USER_START msg=audit(1231175062.624:951): user pid=18563 uid=0 auid=500 ses=22 subj=unconfined_u:unconfined_r:crontab_t:s0 msg='op=PAM:session_open acct="jerry" exe="/usr/bin/at" (hostname=?, addr=?, terminal=atd res=success)'
type=CRED_ACQ msg=audit(1231175062.624:952): user pid=18563 uid=0 auid=500 ses=22 subj=unconfined_u:unconfined_r:crontab_t:s0 msg='op=PAM:setcred acct="jerry" exe="/usr/bin/at" (hostname=?, addr=?, terminal=atd res=success)'
type=CRED_DISP msg=audit(1231175062.625:953): user pid=18563 uid=0 auid=500 ses=22 subj=unconfined_u:unconfined_r:crontab_t:s0 msg='op=PAM:setcred acct="jerry" exe="/usr/bin/at" (hostname=?, addr=?, terminal=atd res=success)'
type=USER_END msg=audit(1231175062.626:954): user pid=18563 uid=0 auid=500 ses=22 subj=unconfined_u:unconfined_r:crontab_t:s0 msg='op=PAM:session_close acct="jerry" exe="/usr/bin/at" (hostname=?, addr=?, terminal=atd res=success)'

Still a problem, not to the point of being annoying.., not yet anyway.

Ok, I finally updated to rawhide. I see it too. The only one difference between F-10 and F-11 is the selinux context.

F-10
-rw------- daemon daemon unconfined_u:object_r:user_cron_spool_t:s0 /var/spool/at/.SEQ

F-11
ls -Z /var/spool/at/.SEQ
-rw------- daemon daemon system_u:object_r:user_cron_spool_t:s0 /var/spool/at/.SEQ

The audit log mentions at only in permissive mode:

type=AVC msg=audit(1232531683.981:56): avc: denied { write } for pid=25692 comm="at" name="at" dev=dm-0 ino=163886 scontext=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1232531683.981:56): avc: denied { add_name } for pid=25692 comm="at" name="a00004013972f2" scontext=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1232531683.981:56): arch=c000003e syscall=2 success=yes exit=4 a0=60bb80 a1=2c1 a2=100 a3=7fff060c6940 items=0 ppid=1986 pid=25692 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="at" exe="/usr/bin/at" subj=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1232531686.895:57): user pid=25709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/atd" (hostname=?, addr=?, terminal=atd res=success)'
type=LOGIN msg=audit(1232531686.928:58): login pid=25709 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=8
type=USER_START msg=audit(1232531687.052:59): user pid=25709 uid=0 auid=0 ses=8 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/atd" (hostname=?, addr=?, terminal=atd res=success)'
type=CRED_ACQ msg=audit(1232531687.128:60): user pid=25709 uid=0 auid=0 ses=8 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root"exe="/usr/sbin/atd" (hostname=?, addr=?, terminal=atd res=success)'

Fixed in selinux-policy-3.6.4-5.f11
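
An added example, not part of the original bug report or of selinux-policy: a short Python parser that reduces the AVC records quoted in this thread to the denied permissions per (source type, target type, class), and keeps the SELinux users of source and target alongside. The function names are illustrative; the sample lines are copied from the comments above.

```python
import re
from collections import defaultdict

# AVC and USER_ACCT records quoted in the thread above (permissive-mode run of `at`).
SAMPLE = """\
type=AVC msg=audit(1232531683.981:56): avc: denied { write } for pid=25692 comm="at" name="at" dev=dm-0 ino=163886 scontext=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1232531683.981:56): avc: denied { add_name } for pid=25692 comm="at" name="a00004013972f2" scontext=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=USER_ACCT msg=audit(1232531686.895:57): user pid=25709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/atd" (hostname=?, addr=?, terminal=atd res=success)'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Return (user, type) from a user:role:type[:level] context."""
    user, _role, typ = ctx.split(":")[:3]
    return user, typ

def parse_avc(line):
    """Parse one audit line; return None unless it is an AVC denial."""
    m = AVC_RE.search(line) if line.startswith("type=AVC ") else None
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    s_user, s_type = split_context(fields["scontext"])
    t_user, t_type = split_context(fields["tcontext"])
    return {"perms": m.group(1).split(), "comm": fields.get("comm"),
            "source": s_type, "target": t_type, "tclass": fields["tclass"],
            "users": (s_user, t_user)}

def summarize(log_text):
    """Group denied permissions by (source type, target type, class)."""
    perms, users = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source"], rec["target"], rec["tclass"])
            perms[key].update(rec["perms"])
            users[key].add(rec["users"])
    return {k: {"perms": sorted(perms[k]), "users": sorted(users[k])} for k in perms}

def as_rules(summary):
    """Render each group in allow-rule form, for review rather than loading."""
    return [f"allow {s} {t}:{c} {{ {' '.join(v['perms'])} }};"
            for (s, t, c), v in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```

The rule text is a reading aid for the denials, not the change shipped in selinux-policy-3.6.4-5.f11, which the thread does not show.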