Bug 249870 - crond: PAM audit_log_acct_message() failed: Operation not permitted
Product: Fedora
Classification: Fedora
Component: cronie
Hardware: All, OS: Linux
Priority: low, Severity: low
Assigned To: Marcela Mašláňová
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-07-27 11:58 EDT by Jonathan Kamens
Modified: 2009-05-20 08:59 EDT
Doc Type: Bug Fix
Last Closed: 2009-05-20 08:59:00 EDT

Attachments
output of strace -f on crond PID while log message is being generated (49.65 KB, application/x-bzip2)
2007-07-31 22:44 EDT, Jonathan Kamens
Description Jonathan Kamens 2007-07-27 11:58:08 EDT
With audit-1.5.5-5.fc8, vixie-cron-4.1-84.fc8, and pam-, crond is
reporting "PAM audit_log_acct_message() failed: Operation not permitted"
regularly in the logs.  Since pam is the package I updated today, I'm suspecting
that pam is the package causing the problem, so that's where I'm logging this under.
Comment 1 Tomas Mraz 2007-07-30 07:13:34 EDT
Is this with the latest selinux-policy? And if in SELinux enforcing mode - are there
related AVC messages in /var/log/audit/audit.log? Also please try to switch to
permissive mode temporarily to see whether that helps.
Comment 2 Jonathan Kamens 2007-07-30 10:33:04 EDT
Latest everything, including selinux-policy, from devel.
I have selinux completely disabled at runtime -- SELINUX is set to "disabled" 
in /etc/selinux/config.
Comment 3 Tomas Mraz 2007-07-31 05:43:01 EDT
Could you please try to strace the crond process (attach to its pid) with -f at
the time it is issuing these messages?
Comment 4 Jonathan Kamens 2007-07-31 22:44:14 EDT
Created attachment 160387
output of strace -f on crond PID while log message is being generated

I don't see anything useful in the strace output, but here it is.
Comment 5 Tomas Mraz 2007-08-01 04:25:04 EDT
Cron calls pam_session_close in the same process which already called
setuid(user) so the failure is real. Cron should call setuid(user) only in the
child which execs the user's job.

PAM should be changed too so it doesn't report this error to syslog because on
the auth and account stacks it might be legitimate to call pam as non-root.
Or it should use just a DEBUG log level.
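
The ordering Comment 5 asks for (drop to the user only in the child that execs the job, so the parent still has its original credentials when the session is closed), as an added example that is not part of the bug report and is not cron's or PAM's code. `run_job_as`, `drop_and_exec` and `session_close_hook` are hypothetical names; the hook stands in for the PAM session teardown and no PAM library is linked.

```c
/* Added example, not cron's or PAM's code. session_close_hook() is a
 * hypothetical stand-in for PAM session teardown; no PAM library is linked. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static uid_t euid_at_session_close = (uid_t)-1;

/* Hypothetical hook: records the effective uid the teardown runs with. */
static void session_close_hook(void) { euid_at_session_close = geteuid(); }

/* Child only: supplementary groups, then gid, then uid, then exec. */
static void drop_and_exec(uid_t uid, gid_t gid, char *const argv[])
{
    if (uid != geteuid() || gid != getegid()) {
        if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
            _exit(126);               /* fail closed: the job is not run */
        if (uid != 0 && setuid(0) == 0)
            _exit(126);               /* the drop was reversible */
    }
    execvp(argv[0], argv);
    _exit(127);                       /* exec failed */
}

/* Returns the job's exit status, or -1 on fork/wait failure. */
int run_job_as(uid_t uid, gid_t gid, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) drop_and_exec(uid, gid, argv);    /* never returns */
    if (waitpid(pid, &status, 0) != pid) return -1;
    session_close_hook();   /* parent never called setuid(): same euid */
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const job[] = { "sh", "-c", "exit 3", NULL };   /* constructed job */
    int rc = run_job_as(geteuid(), getegid(), job);
    printf("job exit=%d, euid at close=%d\n", rc, (int)euid_at_session_close);
    return rc == 3 ? 0 : 1;
}
```
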
Comment 6 Jonathan Kamens 2007-08-01 12:19:08 EDT
I believe it's already using DEBUG log level for this message, but I monitor 
DEBUG messages to catch issues like this.  If it's not an error, it shouldn't 
be logged as an error.

If there is a cron issue, then are you going to file a cron ticket about it, or 
should I?
Comment 7 Jonathan Kamens 2007-08-01 12:19:46 EDT
Oh, wait, I see you changed the component to vixie-cron.  But you said in your 
comment above "PAM should be changed too," so shouldn't there also be a PAM 
ticket about this?
Comment 8 Tomas Mraz 2007-08-01 14:22:20 EDT
The problem is the pam syslog message is sometimes an error and sometimes not
depending on various things like which service generated it and in what pam
function call.

There is no need to file a separate ticket against pam as I am already fixing it.
Comment 9 Bug Zapper 2008-05-13 23:05:38 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
Comment 10 Marcela Mašláňová 2009-05-20 08:59:00 EDT
This will be fixed in next release of cronie.
