Bug 751555

Summary: audit logs show crond_t requesting nlmsg_tty_audit
Product: Red Hat Enterprise Linux 6 Reporter: Josh <jokajak>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: low Docs Contact:
Priority: low    
Version: 6.2CC: dwalsh, ksrot, mmalik, sgrubb
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-136.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 12:28:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Josh 2011-11-05 13:07:38 UTC 
Description of problem:
audit logs show a denial for crond_t every 10 minutes

Version-Release number of selected component (if applicable):
3.7.19-93.el6_1.7.noarch

How reproducible:
always

Steps to Reproduce:
1. enable tty auditing in system-auth for the root user
2. let cron run
3.
  
Actual results:
audit messages

Expected results:
no audit messages

Additional info:
cron pam.d file:
auth       sufficient pam_rootok.so
auth       required   pam_env.so
auth       include    system-auth
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so
session    include    system-auth

system-auth pam.d file:

auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=5
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=5
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 maxrepeats=3 minlen=12 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2    difok=5
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_tty_audit.so disable=* enable=root
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Comment 2 Milos Malik 2011-11-07 08:16:45 UTC 
Could you please copy&paste the AVCs you are seeing ?
Comment 3 Miroslav Grepl 2011-11-07 09:06:39 UTC 
Also did you disable unconfined module?
Comment 4 Josh 2011-11-07 12:01:15 UTC 
unconfined module is disable

----
time->Mon Nov  7 03:10:01 2011
type=SOCKADDR msg=audit(1320653401.203:53934): saddr=100000000000000000000000
type=SYSCALL msg=audit(1320653401.203:53934): arch=c000003e syscall=46 success=yes exit=20 a0=3 a1=7fff1e386a70 a2=0 a3=8 items=0 ppid=2075 pid=8602 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=818 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320653401.203:53934): avc:  denied  { nlmsg_tty_audit } for  pid=8602 comm="crond" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
Comment 5 Daniel Walsh 2011-11-07 17:01:50 UTC 
Steve does it make sense that crond would be turning this audit flag on, or is this a problem in the pam setup?
Comment 6 Steve Grubb 2011-11-07 17:13:49 UTC 
Crond should not be needing keystroke logging because its not interactive. I suppose its pulled in by the general config. I don't think it harms anything either way. Crond won't be doing any typing, so it would log nothing if it were allowed. But if you denied and don't audit, then you get the same thing.
Comment 10 Daniel Walsh 2012-01-16 17:26:13 UTC 
Added dontaudit in Rawhide.
Comment 11 Miroslav Grepl 2012-01-26 09:21:41 UTC 
Fixed in selinux-policy-3.7.19-136.el6
Comment 14 errata-xmlrpc 2012-06-20 12:28:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html