Red Hat Bugzilla – Bug 249870
crond: PAM audit_log_acct_message() failed: Operation not permitted
Last modified: 2009-05-20 08:59:00 EDT
With audit-1.5.5-5.fc8, vixie-cron-4.1-84.fc8, and pam-0.99.8.1-2.fc8, crond is
reporting "PAM audit_log_acct_message() failed: Operation not permitted"
regularly in the logs. Since pam is the package I updated today, I'm suspecting
that pam is the package causing the problem, so that's where I'm logging this.
Is this with latest selinux-policy? And if in SELinux enforcing mode - are there
related AVC messages in /var/log/audit/audit.log? Also, please try switching to
permissive mode temporarily to see whether that helps.
Latest everything, including selinux-policy, from devel.
I have selinux completely disabled at runtime -- SELINUX is set to "disabled"
Could you please try to strace the crond process (attach to its pid) with -f at
the time it is issuing these messages?
Created attachment 160387
output of strace -f on crond PID while log message is being generated
I don't see anything useful in the strace output, but here it is.
Cron calls pam_session_close in the same process which already called
setuid(user) so the failure is real. Cron should call setuid(user) only in the
child which execs the user's job.
PAM should be changed too so it doesn't report this error to syslog because on
the auth and account stacks it might be legitimate to call pam as non-root.
Or it should use just a DEBUG log level.
I believe it's already using DEBUG log level for this message, but I monitor
DEBUG messages to catch issues like this. If it's not an error, it shouldn't
be logged as an error.
If there is a cron issue, then are you going to file a cron ticket about it, or
Oh, wait, I see you changed the component to vixie-cron. But you said in your
comment above "PAM should be changed too," so shouldn't there also be a PAM
ticket about this?
The problem is the pam syslog message is sometimes an error and sometimes not
depending on various things like which service generated it and in what pam
There is no need to file a separate ticket against pam as I am already fixing it
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
This will be fixed in the next release of cronie.
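
Added example, not part of the bug thread and not cronie's or vixie-cron's code: the ordering recommended in the comment above, where setuid(user) happens only in the child that execs the job and the parent keeps its identity for session teardown. `run_job`, `close_session_fn` and `record_euid` are hypothetical names; the callback stands in for the PAM session-close call (`pam_close_session()`), and the job command is a constructed sample.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the pam_close_session() call made after the job. */
typedef int (*close_session_fn)(void *ctx);

/* Constructed sample teardown: records the euid it runs under. */
static int record_euid(void *ctx) { *(uid_t *)ctx = geteuid(); return 0; }

/* Run cmd as uid/gid in a forked child; return its exit status or -1. */
int run_job(uid_t uid, gid_t gid, const char *cmd,
            close_session_fn close_session, void *ctx, int *close_rc)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child only: supplementary groups, then gid, then uid. After
         * setuid() the group calls would no longer be permitted. */
        if (geteuid() == 0 && setgroups(1, &gid) != 0)
            _exit(126);
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(126);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127); /* exec failed */
    }
    /* Parent: identity untouched, so session teardown and the audit
     * record it writes still run with the daemon's own privileges. */
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    *close_rc = close_session(ctx);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    uid_t seen = (uid_t)-1;
    int close_rc = -1;
    int rc = run_job(getuid(), getgid(), "exit 7", record_euid, &seen, &close_rc);
    printf("job=%d close=%d teardown_euid=%u\n", rc, close_rc, (unsigned)seen);
    return 0;
}
```

Run as root with a non-root target uid, the teardown callback still reports euid 0, which is the condition the audit message needs.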