Bug 120925 - at doesn't work in enforcing mode
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jens Petersen
QA Contact: Mike McLean
Reported: 2004-04-15 11:58 UTC by Tim Waugh
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version: 1.11.2-7
Doc Type: Bug Fix
Last Closed: 2004-04-19 23:03:11 UTC

Description Tim Waugh 2004-04-15 11:58:22 UTC
Description of problem:
Running 'at 5pm', say, in enforcing mode gives this error:

[tim@cyberelk tim]$ id -Z
user_u:user_r:user_t
[tim@cyberelk tim]$ at 5pm
Cannot open lockfile /var/spool/at/.SEQ: Permission denied

[root@cyberelk root]# ls -Z /var/spool/at/.SEQ
-rw-------+ daemon   daemon   system_u:object_r:at_spool_t    /var/spool/at/.SEQ

Version-Release number of selected component (if applicable):
at-3.1.8-50
policy-1.11.2-6

How reproducible:
100%

Comment 1 Daniel Walsh 2004-04-15 12:52:06 UTC
Fixed in policy-1.11.2-7


Comment 2 Tim Waugh 2004-04-15 15:19:53 UTC
Thanks, works for me.

Comment 3 Tim Waugh 2004-04-15 16:21:26 UTC
Spoke too soon.  I got audit messages when a job (just to 'mail -s
test ...') tried to execute.  These are (obviously!) from
non-enforcing mode:

Apr 15 17:20:00 cyberelk kernel: audit(1082046000.256:0): avc:  denied
 { read } for  pid=23064 exe=/usr/sbin/atd name=sh dev=hda2
ino=3850250 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:bin_t tclass=lnk_file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.256:0): avc:  denied
 { execute } for  pid=23064 exe=/usr/sbin/atd name=bash dev=hda2
ino=3850326 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:shell_exec_t tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.256:0): avc:  denied
 { execute_no_trans } for  pid=23064 exe=/usr/sbin/atd path=/bin/bash
dev=hda2 ino=3850326 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:shell_exec_t tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.256:0): avc:  denied
 { read } for  pid=23064 exe=/usr/sbin/atd path=/bin/bash dev=hda2
ino=3850326 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:shell_exec_t tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.258:0): avc:  denied
 { read } for  pid=23064 exe=/bin/bash name=mtab dev=hda2 ino=3835834
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.259:0): avc:  denied
 { getattr } for  pid=23064 exe=/bin/bash path=/etc/mtab dev=hda2
ino=3835834 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.259:0): avc:  denied
 { getattr } for  pid=23064 exe=/bin/bash path=/proc/meminfo dev=
ino=4098 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:proc_t tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.261:0): avc:  denied
 { getattr } for  pid=23064 exe=/bin/bash path=/bin/bash dev=hda2
ino=3850326 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:shell_exec_t tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.264:0): avc:  denied
 { search } for  pid=23064 exe=/bin/bash name=mail dev=hda2
ino=1015845 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:mail_spool_t tclass=dir
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.266:0): avc:  denied
 { getattr } for  pid=23064 exe=/bin/bash path=/home dev=hda6 ino=2
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:home_root_t tclass=dir
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.266:0): avc:  denied
 { search } for  pid=23064 exe=/bin/bash dev=hda6 ino=2
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:home_root_t tclass=dir
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.266:0): avc:  denied
 { getattr } for  pid=23064 exe=/bin/bash path=/home/tim dev=hda6
ino=243361 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.266:0): avc:  denied
 { search } for  pid=23064 exe=/bin/bash name=tim dev=hda6 ino=243361
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.273:0): avc:  denied
 { read } for  pid=23065 exe=/bin/bash name=.bashrc dev=hda6
ino=245635 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:user_home_t tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.273:0): avc:  denied
 { getattr } for  pid=23065 exe=/bin/bash path=/home/tim/.bashrc
dev=hda6 ino=245635 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:user_home_t tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.275:0): avc:  denied
 { getattr } for  pid=23066 exe=/bin/bash path=/usr/bin/id dev=hda2
ino=1251966 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:bin_t tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.276:0): avc:  denied
 { execute } for  pid=23067 exe=/bin/bash name=id dev=hda2 ino=1251966
scontext=system_u:system_r:atd_t tcontext=system_u:object_r:bin_t
tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.276:0): avc:  denied
 { execute_no_trans } for  pid=23067 exe=/bin/bash path=/usr/bin/id
dev=hda2 ino=1251966
scontext=system_u:system_r:atd_t tcontext=system_u:object_r:bin_t
tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.276:0): avc:  denied
 { read } for  pid=23067 exe=/bin/bash path=/usr/bin/id dev=hda2
ino=1251966 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:bin_t tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.279:0): avc:  denied
 { getattr } for  pid=23067 exe=/usr/bin/id path=pipe:[107801] dev=
ino=107801 scontext=system_u:system_r:atd_t
tcontext=system_u:system_r:atd_t tclass=fifo_file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.280:0): avc:  denied
 { write } for  pid=23067 exe=/usr/bin/id path=pipe:[107801] dev= ino=107801
scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t
tclass=fifo_file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.281:0): avc:  denied
 { read } for  pid=23065 exe=/bin/bash path=pipe:[107801] dev=
ino=107801 scontext=system_u:system_r:atd_t
tcontext=system_u:system_r:atd_t tclass=fifo_file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.373:0): avc:  denied
 { search } for  pid=23073 exe=/bin/mail name=sbin dev=hda2
ino=1245245 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:sbin_t tclass=dir
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.373:0): avc:  denied
 { read } for  pid=23073 exe=/bin/mail name=sendmail dev=hda2
ino=1252731 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:sbin_t tclass=lnk_file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.503:0): avc:  denied
 { execute } for  pid=23073 exe=/bin/mail name=sendmail.sendmail
dev=hda2 ino=1252719 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:sendmail_exec_t tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.503:0): avc:  denied
 { execute_no_trans } for  pid=23073 exe=/bin/mail
path=/usr/sbin/sendmail.sendmail dev=hda2 ino=1252719
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:sendmail_exec_t tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.503:0): avc:  denied
 { read } for  pid=23073 exe=/bin/mail
path=/usr/sbin/sendmail.sendmail dev=hda2 ino=1252719
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:sendmail_exec_t
tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.790:0): avc:  denied
 { create } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t
tclass=tcp_socket
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.793:0): avc:  denied
 { read } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
name=resolv.conf dev=hda2 ino=3834860 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:net_conf_t tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.793:0): avc:  denied
 { getattr } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
path=/etc/resolv.conf dev=hda2 ino=3834860
scontext=system_u:system_r:atd_t tcontext=system_u:object_r:net_conf_t
tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.795:0): avc:  denied
 { search } for  pid=23073 exe=/usr/sbin/sendmail.sendmail name=mail
dev=hda2 ino=3834696 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:etc_mail_t tclass=dir
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.852:0): avc:  denied
 { getattr } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
path=/etc/mail/submit.cf dev=hda2 ino=3834746
scontext=system_u:system_r:atd_t tcontext=system_u:object_r:etc_mail_t
tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.852:0): avc:  denied
 { getattr } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
path=/etc/mail dev=hda2 ino=3834696 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:etc_mail_t tclass=dir
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.852:0): avc:  denied
 { read } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
name=submit.cf dev=hda2 ino=3834746 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:etc_mail_t tclass=file
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.890:0): avc:  denied
 { search } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
name=clientmqueue dev=hda2 ino=1015923
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.890:0): avc:  denied
 { getattr } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
path=/var/spool/clientmqueue
dev=hda2 ino=1015923 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.034:0): avc:  denied
 { create } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t
tclass=udp_socket
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.034:0): avc:  denied
 { connect } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t
tclass=udp_socket
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.035:0): avc:  denied
 { write } for  pid=23073 exe=/usr/sbin/sendmail.sendmail laddr=192.168.1.1
lport=34439 faddr=192.168.1.1 fport=53
scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t
tclass=udp_socket
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.035:0): avc:  denied
 { udp_send } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
saddr=192.168.1.1 src=34439
daddr=192.168.1.1 dest=53 netif=lo scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:netif_lo_t tclass=netif
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.035:0): avc:  denied
 { udp_send } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
saddr=192.168.1.1 src=34439
daddr=192.168.1.1 dest=53 netif=lo scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:node_t tclass=node
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.035:0): avc:  denied
 { send_msg } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
saddr=192.168.1.1 src=34439
daddr=192.168.1.1 dest=53 netif=lo scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:dns_port_t tclass=udp_socket
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.209:0): avc:  denied
 { udp_recv } for  pid=1914 exe=/usr/sbin/named saddr=192.168.1.1
src=53 daddr=192.168.1.1 dest=34439 netif=lo
scontext=system_u:system_r:atd_t tcontext=system_u:object_r:netif_lo_t
tclass=netif
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.209:0): avc:  denied
 { udp_recv } for  pid=1914 exe=/usr/sbin/named saddr=192.168.1.1
src=53 daddr=192.168.1.1 dest=34439 netif=lo
scontext=system_u:system_r:atd_t tcontext=system_u:object_r:node_t
tclass=node
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.209:0): avc:  denied
 { recv_msg } for  pid=1914 exe=/usr/sbin/named saddr=192.168.1.1
src=53 daddr=192.168.1.1 dest=34439 netif=lo
scontext=system_u:system_r:atd_t tcontext=system_u:object_r:dns_port_t
tclass=udp_socket
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.210:0): avc:  denied
 { read } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
laddr=192.168.1.1 lport=34439 faddr=192.168.1.1 fport=53
scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t
tclass=udp_socket
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.390:0): avc:  denied
 { write } for  pid=23073 exe=/usr/sbin/sendmail.sendmail name=clientmqueue
dev=hda2 ino=1015923 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.390:0): avc:  denied
 { add_name } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
name=dfi3FGK07j023073 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.390:0): avc:  denied
 { create } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
name=dfi3FGK07j023073 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:mqueue_spool_t tclass=file
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.391:0): avc:  denied
 { getattr } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
path=/var/spool/clientmqueue/dfi3FGK07j023073 dev=hda2 ino=1015911
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:mqueue_spool_t tclass=file
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.392:0): avc:  denied
 { lock } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
path=/var/spool/clientmqueue/dfi3FGK07j023073 dev=hda2 ino=1015911
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:mqueue_spool_t tclass=file
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.392:0): avc:  denied
 { write } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
path=/var/spool/clientmqueue/dfi3FGK07j023073 dev=hda2 ino=1015911
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:mqueue_spool_t tclass=file
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.397:0): avc:  denied
 { read } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
name=dfi3FGK07j023073 dev=hda2 ino=1015911
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:mqueue_spool_t tclass=file
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.430:0): avc:  denied
 { connect } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t
tclass=tcp_socket
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.430:0): avc:  denied
 { tcp_send } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
saddr=127.0.0.1 src=33954 daddr=127.0.0.1 dest=25 netif=lo
scontext=system_u:system_r:atd_t tcontext=system_u:object_r:netif_lo_t
tclass=netif
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.430:0): avc:  denied
 { tcp_send } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
saddr=127.0.0.1 src=33954 daddr=127.0.0.1 dest=25 netif=lo
scontext=system_u:system_r:atd_t tcontext=system_u:object_r:node_lo_t
tclass=node
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.430:0): avc:  denied
 { send_msg } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
saddr=127.0.0.1 src=33954 daddr=127.0.0.1 dest=25 netif=lo
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.430:0): avc:  denied
 { tcp_recv } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=33954 netif=lo
scontext=system_u:system_r:atd_t tcontext=system_u:object_r:netif_lo_t
tclass=netif
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.430:0): avc:  denied
 { tcp_recv } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=33954 netif=lo
scontext=system_u:system_r:atd_t tcontext=system_u:object_r:node_lo_t
tclass=node
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.430:0): avc:  denied
 { recv_msg } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=33954 netif=lo
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.441:0): avc:  denied
 { getattr } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
laddr=127.0.0.1 lport=33954 faddr=127.0.0.1 fport=25
scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t
tclass=tcp_socket
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.442:0): avc:  denied
 { read } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
path=socket:[107830] dev= ino=107830 scontext=system_u:system_r:atd_t
tcontext=system_u:system_r:atd_t tclass=tcp_socket
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.622:0): avc:  denied
 { write } for  pid=23073 exe=/usr/sbin/sendmail.sendmail path=socket:[107830]
dev= ino=107830 scontext=system_u:system_r:atd_t
tcontext=system_u:system_r:atd_t tclass=tcp_socket
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.797:0): avc:  denied
 { remove_name } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
name=dfi3FGK07j023073 dev=hda2 ino=1015911
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.797:0): avc:  denied
 { unlink } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
name=dfi3FGK07j023073 dev=hda2 ino=1015911
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:mqueue_spool_t tclass=file
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.798:0): avc:  denied
 { read } for  pid=23073 exe=/usr/sbin/sendmail.sendmail
name=clientmqueue dev=hda2 ino=1015923
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:mqueue_spool_t tclass=dir

Comment 4 Colin Walters 2004-04-19 23:03:11 UTC
There is no longer an atd_t; it runs as crond_t since Dan's latest
changes. I did however fix one or two bugs in the policy relating to
this.  Could you try the latest policy?  Note you will need to relabel
/var/spool/at and /usr/sbin/atd and /usr/bin/at at least.

Comment 5 Tim Waugh 2004-04-20 08:52:58 UTC
With policy-1.11.2-9, I get no audit messages when running:

at "now + 2 minutes"
echo hello world
^D

When the job fires I get this (permissive mode):

audit(1082449920.313:0): avc:  denied  { write } for  pid=15079
exe=/usr/sbin/atd name=spool dev=hda2 ino=1015866
scontext=root:system_r:crond_t tcontext=system_u:object_r:var_spool_t
tclass=dir
audit(1082449920.313:0): avc:  denied  { add_name } for  pid=15079
exe=/usr/sbin/atd name=a0000801134800 scontext=root:system_r:crond_t
tcontext=system_u:object_r:var_spool_t tclass=dir
audit(1082449920.313:0): avc:  denied  { create } for  pid=15079
exe=/usr/sbin/atd name=a0000801134800 scontext=root:system_r:crond_t
tcontext=root:object_r:var_spool_t tclass=file
audit(1082449920.313:0): avc:  denied  { write } for  pid=15079
exe=/usr/sbin/atd path=/var/spool/at/spool/a0000801134800 dev=hda2
ino=1017281 scontext=root:system_r:crond_t
tcontext=root:object_r:var_spool_t tclass=file
audit(1082449920.318:0): avc:  denied  { write } for  pid=15080
exe=/bin/bash path=/var/spool/at/spool/a0000801134800 dev=hda2
ino=1017281 scontext=user_u:user_r:user_crond_t
tcontext=root:object_r:var_spool_t tclass=file
audit(1082449920.354:0): avc:  denied  { getattr } for  pid=15081
exe=/bin/bash path=/var/spool/at/spool/a0000801134800 dev=hda2
ino=1017281 scontext=user_u:user_r:user_crond_t
tcontext=root:object_r:var_spool_t tclass=file
audit(1082449920.357:0): avc:  denied  { remove_name } for  pid=15079
exe=/usr/sbin/atd name=a0000801134800 dev=hda2 ino=1017281
scontext=root:system_r:crond_t tcontext=system_u:object_r:var_spool_t
tclass=dir
audit(1082449920.357:0): avc:  denied  { unlink } for  pid=15079
exe=/usr/sbin/atd name=a0000801134800 dev=hda2 ino=1017281
scontext=root:system_r:crond_t tcontext=root:object_r:var_spool_t
tclass=file
audit(1082449920.360:0): avc:  denied  { read } for  pid=15079
exe=/usr/sbin/sendmail.sendmail
path=/var/spool/at/spool/a0000801134800 (deleted) dev=hda2 ino=1017281
scontext=root:system_r:system_mail_t
tcontext=root:object_r:var_spool_t tclass=file
audit(1082449920.374:0): avc:  denied  { getattr } for  pid=15079
exe=/usr/sbin/sendmail.sendmail
path=/var/spool/at/spool/a0000801134800 (deleted) dev=hda2 ino=1017281
scontext=root:system_r:system_mail_t
tcontext=root:object_r:var_spool_t tclass=file
audit(1082449920.385:0): avc:  denied  { ioctl } for  pid=15079
exe=/usr/sbin/sendmail.sendmail
path=/var/spool/at/spool/a0000801134800 (deleted) dev=hda2 ino=1017281
scontext=root:system_r:system_mail_t
tcontext=root:object_r:var_spool_t tclass=file
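
Added example (not part of the bug report or of the policy package): a Python parser for the AVC denials quoted in Comments 3 and 5. It rejoins the hard-wrapped records and groups them by executable and source domain, which makes visible that bash and sendmail ran in atd_t in Comment 3 but in user_crond_t and system_mail_t in Comment 5. The function names parse_avc, ctx_type and summarize are this example's own.

```python
import re
from collections import defaultdict

# Records copied from this bug, with the line wraps of the original report:
# two from Comment 3 (syslog prefix) and two from Comment 5 (policy-1.11.2-9).
SAMPLE = """\
Apr 15 17:20:00 cyberelk kernel: audit(1082046000.273:0): avc:  denied
 { read } for  pid=23065 exe=/bin/bash name=.bashrc dev=hda6
ino=245635 scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:user_home_t tclass=file
Apr 15 17:20:01 cyberelk kernel: audit(1082046001.392:0): avc:  denied
 { write
} for  pid=23073 exe=/usr/sbin/sendmail.sendmail
path=/var/spool/clientmqueue/dfi3FGK07j023073 dev=hda2 ino=1015911
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:mqueue_spool_t tclass=file
audit(1082449920.318:0): avc:  denied  { write } for  pid=15080
exe=/bin/bash path=/var/spool/at/spool/a0000801134800 dev=hda2
ino=1017281 scontext=user_u:user_r:user_crond_t
tcontext=root:object_r:var_spool_t tclass=file
audit(1082449920.360:0): avc:  denied  { read } for  pid=15079
exe=/usr/sbin/sendmail.sendmail
path=/var/spool/at/spool/a0000801134800 (deleted) dev=hda2 ino=1017281
scontext=root:system_r:system_mail_t
tcontext=root:object_r:var_spool_t tclass=file
"""

START = re.compile(r"(?=audit\(\d+\.\d+:\d+\): avc:)")  # zero-width record boundary
PERMS = re.compile(r"denied\s*\{([^}]*)\}")
FIELD = re.compile(r"(\w+)=(\S+)")  # skips empty values such as "dev= "

def parse_avc(text):
    """Rejoin wrapped lines, then return one dict per denial record."""
    flat = " ".join(text.split())
    records = []
    for chunk in START.split(flat):
        m = PERMS.search(chunk)
        if m:
            rec = dict(FIELD.findall(chunk))
            rec["perms"] = m.group(1).split()
            records.append(rec)
    return records

def ctx_type(context):
    """Return the type field of a user:role:type context."""
    return context.split(":")[2]

def summarize(records):
    """Return (exe -> domains it ran in, (source, target, class) -> perms)."""
    domains, vectors = defaultdict(set), defaultdict(set)
    for r in records:
        src = ctx_type(r["scontext"])
        domains[r["exe"]].add(src)
        vectors[(src, ctx_type(r["tcontext"]), r["tclass"])].update(r["perms"])
    return dict(domains), dict(vectors)

if __name__ == "__main__":
    domains, vectors = summarize(parse_avc(SAMPLE))
    for exe, doms in sorted(domains.items()):
        print(exe, "ran as", sorted(doms))
    for (src, tgt, cls), perms in sorted(vectors.items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```

When every executable in a job shows the same source domain, as with atd_t in Comment 3, the denials usually point at missing domain transitions or file labels rather than at a list of permissions to grant.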

Comment 6 Tim Waugh 2004-04-20 10:07:04 UTC
..but with policy-1.11.2-12 everything works fine.  Seems fixed now.

