Bug 249870 - crond: PAM audit_log_acct_message() failed: Operation not permitted
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: cronie
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Marcela Mašláňová
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-07-27 15:58 UTC by Jonathan Kamens
Modified: 2009-05-20 12:59 UTC

Doc Type: Bug Fix
Last Closed: 2009-05-20 12:59:00 UTC

Attachments
output of strace -f on crond PID while log message is being generated (49.65 KB, application/x-bzip2)
2007-08-01 02:44 UTC, Jonathan Kamens

Description Jonathan Kamens 2007-07-27 15:58:08 UTC
With audit-1.5.5-5.fc8, vixie-cron-4.1-84.fc8, and pam-0.99.8.1-2.fc8, crond is
reporting "PAM audit_log_acct_message() failed: Operation not permitted"
regularly in the logs.  Since pam is the package I updated today, I'm suspecting
that pam is the package causing the problem, so that's what I'm logging this under.

Comment 1 Tomas Mraz 2007-07-30 11:13:34 UTC
Is this with the latest selinux-policy? And if in SELinux enforcing mode - are there
related AVC messages in /var/log/audit/audit.log? Also please try switching to
permissive mode temporarily to see whether that helps.


Comment 2 Jonathan Kamens 2007-07-30 14:33:04 UTC
Latest everything, including selinux-policy, from devel.
I have selinux completely disabled at runtime -- SELINUX is set to "disabled" 
in /etc/selinux/config.


Comment 3 Tomas Mraz 2007-07-31 09:43:01 UTC
Could you please try to strace the crond process (attach to its pid) with -f at
the time it is issuing these messages?


Comment 4 Jonathan Kamens 2007-08-01 02:44:14 UTC
Created attachment 160387
output of strace -f on crond PID while log message is being generated

I don't see anything useful in the strace output, but here it is.

Comment 5 Tomas Mraz 2007-08-01 08:25:04 UTC
Cron calls pam_session_close in the same process which already called
setuid(user) so the failure is real. Cron should call setuid(user) only in the
child which execs the user's job.

PAM should be changed too so it doesn't report this error to syslog because on
the auth and account stacks it might be legitimate to call pam as non-root.
Or it should use just a DEBUG log level.


Comment 6 Jonathan Kamens 2007-08-01 16:19:08 UTC
I believe it's already using DEBUG log level for this message, but I monitor 
DEBUG messages to catch issues like this.  If it's not an error, it shouldn't 
be logged as an error.

If there is a cron issue, then are you going to file a cron ticket about it, or 
should I?


Comment 7 Jonathan Kamens 2007-08-01 16:19:46 UTC
Oh, wait, I see you changed the component to vixie-cron.  But you said in your 
comment above "PAM should be changed too," so shouldn't there also be a PAM 
ticket about this?


Comment 8 Tomas Mraz 2007-08-01 18:22:20 UTC
The problem is the pam syslog message is sometimes an error and sometimes not,
depending on various things like which service generated it and in what pam
function call.

There is no need to file a separate ticket against pam as I am already fixing it
there.


Comment 9 Bug Zapper 2008-05-14 03:05:38 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 10 Marcela Mašláňová 2009-05-20 12:59:00 UTC
This will be fixed in the next release of cronie.

