Bug 244915 - SELinux is preventing /usr/sbin/crond (crond_t) "audit_control" to (crond_t).
SELinux is preventing /usr/sbin/crond (crond_t) "audit_control" to (crond_t).
Product: Fedora
Classification: Fedora
Component: samba (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Simo Sorce
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-06-19 16:13 EDT by Darwin H. Webb
Modified: 2008-08-02 19:40 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-04-25 00:11:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
auditlogafterboot-21 (5.73 KB, text/plain)
2007-06-21 13:05 EDT, Darwin H. Webb
no flags Details
copyalerts for bug 199631 (15.15 KB, text/plain)
2007-06-21 13:11 EDT, Darwin H. Webb
no flags Details

  None (edit)
Description Darwin H. Webb 2007-06-19 16:13:36 EDT
Description of problem:
SELinux is preventing /usr/sbin/crond (crond_t) "audit_control" to (crond_t).

avc: denied { audit_control } for comm="crond" egid=0 euid=0
exe="/usr/sbin/crond" exit=-1 fsgid=0 fsuid=0 gid=0 items=0 pid=3131
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 suid=0 tclass=capability
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tty=(none) uid=0 

Version-Release number of selected component (if applicable):
vixie-cron-4.1-82.fc7 [application]

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
Comment 1 Darwin H. Webb 2007-06-19 16:15:12 EDT
 from updates-testing 20070619
Comment 2 Daniel Walsh 2007-06-19 16:21:21 EDT
Fixed in selinux-policy-2.6.4-20.fc7
Comment 3 Darwin H. Webb 2007-06-20 03:12:18 EDT

SELinux is preventing /usr/sbin/crond (crond_t) "transition" to /bin/bash

vixie-cron-4.1-82.fc7 [application]bash-3.2-9.fc7 [target]

avc: denied { transition } for comm="crond" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/crond" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="bash"
path="/bin/bash" pid=4029 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
sgid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 suid=0 tclass=process
tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=0 

SELinux is preventing /usr/sbin/anacron (crond_t) "write" to cron.daily

avc: denied { write } for comm="anacron" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/anacron" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="cron.daily"
pid=2578 scontext=system_u:system_r:crond_t:s0 sgid=0
subj=system_u:system_r:crond_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:var_spool_t:s0 tty=(none) uid=0
Comment 4 Daniel Walsh 2007-06-20 07:36:11 EDT
restorecon -R -v /var/spool

Are you sure you are still seeing the transition problem after upgrading the policy?
Comment 5 Darwin H. Webb 2007-06-21 13:05:28 EDT
Created attachment 157556 [details]

Looks good for cron
Attachment shows fairly clean boot up and running for a couple of hours.

I still have the cups issue for shared windows printing.
See next attachment.
Comment 6 Darwin H. Webb 2007-06-21 13:11:31 EDT
Created attachment 157557 [details]
copyalerts for bug 199631

for bug 199631 followup

Copy alerts from cups printing Linux to Win Xp.

cups uses smb, /tmp/spool, 

note first alert - seems to be a general note about higher level dirs not label

relabel dos not affect it.

than you,

Comment 7 Daniel Walsh 2007-06-21 13:38:54 EDT
Why would cups use /tmp/spool instead of /var/run?  Also why is smbspool doing a
getattr on all files in /tmp?
Comment 8 Darwin H. Webb 2007-06-22 14:01:53 EDT
I can't answer that.
From my view it is a point and click operation.
This has been like this since mid-fc6 when the new print system was installed.

Aside from clearing up the avc , I then have the real problem to address, why
won't the Windows auth my request?
It hasn't changed since FC3 and samba and cups worked fine through the first
part if FC6.

In fact, running ubuntu 5.10 I could set up the samba sever, samba client and
cups on two Linux machines, pointing at the win Xp and everything would be
working in a half an hour - both ways to every machine. Then it all stooped and
the only thing that works now is the smb-client to a win share.

And that's all I know.

Comment 9 Daniel Walsh 2007-06-22 14:27:58 EDT
Sorry Darwin,  I meant the question to Simo and Tim who I added as CC to the list.

You can get this to work on your machine with SELinux by executing

# yum install checkpolicy
# grep cups /var/log/audit/audit.log | audit2why -M mycups
# semodule -i mycups.pp
Comment 10 Simo Sorce 2007-06-22 16:58:18 EDT
I don't know why cups want to use /tmp/spool, for smbspool, it may be searching
for a kerberos cache file in /tmp (at least I see code that opens TICKET_CC_DIR
and do a readdir). It may or may not be that.
Comment 11 Tim Waugh 2007-06-25 11:18:13 EDT
The default /etc/samba/smb.conf file incorrectly contains:

   path = /tmp/spool/samba

in the [printing] section.  It ought to be changed to /var/spool/samba.
Comment 12 Simo Sorce 2007-06-25 11:21:48 EDT
That is just an example, but I'll change it, thanks for spotting it.
Comment 13 Simo Sorce 2007-06-25 11:26:24 EDT
Actually I just checked and the shipped packages have the right path.
Do you have an older smb.conf? (FC6?)
Comment 14 Daniel Walsh 2007-08-14 08:23:54 EDT
This looks like it has morphed in to a samba bug
Comment 15 Simo Sorce 2007-09-12 10:01:11 EDT
Darwin, do you still have the auth problem?
Or was it solved upgrading the selinux policies?
Comment 16 Brian Powell 2008-04-25 00:11:58 EDT
The information we've requested above is required in order
to review this problem report further and diagnose/fix the
issue if it is still present.  Since there have not been any
updates to the report since thirty (30) days or more since we
requested additional information, we're assuming the problem
is either no longer present in the current Fedora release, or
that there is no longer any interest in tracking the problem.

Setting status to "CLOSED INSUFFICIENT_DATA".  If you still
experience this problem after updating to our latest Fedora
release and can provide the information previously requested, 
please feel free to reopen the bug report.

Thank you in advance.

Note that maintenance for Fedora 7 will end 30 days after the GA of Fedora 9.

Note You need to log in before you can comment on or make changes to this bug.