Description of problem:
Getting one of these every ten minutes when sadc runs:

Mar 6 09:00:01 xenfdev32 kernel: audit(1204819201.798:914): avc: denied { read write } for pid=2142 comm="sadc" name="[1138193]" dev=sockfs ino=1138193 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-11.fc9.noarch
This is a leaked file descriptor. I don't think crond is using tcp_sockets, so some app that crond is launching, which eventually executes sadc, is leaking a file descriptor. This bug should be reported on that app. You can use

grep sysstat /var/log/audit/audit.log | audit2allow -M mysystat
semodule -i mysystat.pp

to allow the avc for now.
sadc should not use tcp_sockets. So please could you attach here the strace of cron when it executes the sadc command? Thanks.
Sorry, looks like an open file descriptor from crond. If I have a crontab of:

* * * * * /usr/sbin/lsof -p $$ > /tmp/cron.lsof

I get:

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sh 24512 root cwd DIR 202,1 4096 457857 /root
sh 24512 root rtd DIR 202,1 4096 2 /
sh 24512 root txt REG 202,1 755624 555983 /bin/bash
sh 24512 root mem REG 202,1 96724 1537198 /lib/libtinfo.so.5.6
sh 24512 root mem REG 202,1 147604 1537208 /lib/ld-2.7.90.so
sh 24512 root mem REG 202,1 1808576 1539159 /lib/i686/nosegneg/libc-2.7.90.so
sh 24512 root mem REG 202,1 20568 1537153 /lib/libdl-2.7.90.so
sh 24512 root 0r FIFO 0,6 1193423 pipe
sh 24512 root 1w FIFO 0,6 1193424 pipe
sh 24512 root 2w FIFO 0,6 1193424 pipe
sh 24512 root 8u sock 0,5 1193425 can't identify protocol

So it looks like crond is leaving an open socket. An SELinux message is generated in the sadc case because it changes contexts.
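The two checks used in this thread (reading the AVC denial to decide that it is an inherited descriptor rather than something sadc opened itself, and listing the descriptors a cron job inherits) can be scripted. The following is an added example, not code from the bug report or from sysstat, cron or the SELinux policy; the AVC lines and the lsof listing inside it are constructed samples modelled on the ones quoted above, and the "leak" heuristic (socket or pipe object whose label is another process domain rather than object_r) is the reasoning from the comments, not a rule from the policy:

```python
import re

# Constructed sample input, modelled on the AVC denial quoted in this bug report.
AVC_LINE = (
    'Mar 6 09:00:01 xenfdev32 kernel: audit(1204819201.798:914): avc: denied '
    '{ read write } for pid=2142 comm="sadc" name="[1138193]" dev=sockfs '
    'ino=1138193 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket'
)

# Constructed counter-example: a plain file denial, not an inherited descriptor.
AVC_FILE_LINE = (
    'Mar 6 09:00:01 host kernel: audit(1204819201.800:915): avc: denied '
    '{ read } for pid=2143 comm="sadc" name="passwd" dev=dm-0 ino=12345 '
    'scontext=system_u:system_r:sysstat_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file'
)

# Constructed `lsof -p $$` output, modelled on the listing from the cron job above.
LSOF_TEXT = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sh 24512 root cwd DIR 202,1 4096 457857 /root
sh 24512 root txt REG 202,1 755624 555983 /bin/bash
sh 24512 root mem REG 202,1 96724 1537198 /lib/libtinfo.so.5.6
sh 24512 root 0r FIFO 0,6 1193423 pipe
sh 24512 root 1w FIFO 0,6 1193424 pipe
sh 24512 root 2w FIFO 0,6 1193424 pipe
sh 24512 root 8u sock 0,5 1193425 can't identify protocol
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes that describe a descriptor a child can only have inherited.
DESCRIPTOR_CLASSES = {
    'tcp_socket', 'udp_socket', 'rawip_socket', 'netlink_socket',
    'unix_stream_socket', 'unix_dgram_socket', 'fifo_file',
}
SOCKET_TYPES = {'sock', 'IPv4', 'IPv6', 'unix'}   # lsof TYPE values for sockets


def parse_avc(line):
    """Return the permissions and key=value fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, value in FIELD_RE.findall(m.group('fields')):
        rec[key] = value.strip('"')
    return rec


def role(context):
    parts = context.split(':')
    return parts[1] if len(parts) >= 2 else ''


def domain(context):
    """Type field of an SELinux context (user:role:type[:range])."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else ''


def looks_like_fd_leak(rec):
    """Heuristic from the discussion: the denied object is a socket or pipe whose
    label is some other process's domain, so it was created before the exec."""
    if rec is None or rec.get('tclass') not in DESCRIPTOR_CLASSES:
        return False
    if rec.get('dev') not in ('sockfs', 'pipefs'):
        return False
    src, tgt = rec.get('scontext', ''), rec.get('tcontext', '')
    return role(tgt) != 'object_r' and domain(tgt) not in ('', domain(src))


def leak_origin(rec):
    """Domain that created the object, i.e. where the leak should be reported."""
    return domain(rec['tcontext']) if looks_like_fd_leak(rec) else None


def parse_lsof(text):
    """Parse plain `lsof -p` output. SIZE is blank for pipes and sockets, so the
    column count varies; whether the 8th token is numeric tells the two apart."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header row
        tokens = line.split()
        if len(tokens) < 8:
            continue
        fd, ftype, device = tokens[3], tokens[4], tokens[5]
        if tokens[7].isdigit():                 # SIZE and NODE both present
            node, name = tokens[7], ' '.join(tokens[8:])
        else:                                   # SIZE absent, tokens[6] is NODE
            node, name = tokens[6], ' '.join(tokens[7:])
        entries.append({'fd': fd, 'type': ftype, 'device': device,
                        'node': node, 'name': name})
    return entries


def inherited_sockets(lsof_text):
    """Socket descriptors above stdin/stdout/stderr: what the parent left open."""
    found = []
    for e in parse_lsof(lsof_text):
        m = re.match(r'(\d+)[rwu]?$', e['fd'])   # cwd, rtd, txt, mem are not fds
        if m and int(m.group(1)) > 2 and e['type'] in SOCKET_TYPES:
            found.append((int(m.group(1)), e['type'], e['node']))
    return found


if __name__ == '__main__':
    rec = parse_avc(AVC_LINE)
    print('leaked descriptor from domain:', leak_origin(rec))
    print('inherited sockets in cron job:', inherited_sockets(LSOF_TEXT))
```

Run inside a cron job as `python3 check.py` after replacing LSOF_TEXT with the output of `lsof -p $$`, or feed it the audit log line by line; the `leak_origin` value (here `crond_t`) is the domain to file the descriptor leak against, which is the point made in the first reply.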
Did you reproduce it without using xen? I didn't. My output of /usr/sbin/lsof -p $$ is different.

[root@cosikdesi ~]# cat /tmp/cron.lsof
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sh 2628 root cwd DIR 253,0 4096 1671169 /root
sh 2628 root rtd DIR 253,0 4096 2 /
sh 2628 root txt REG 253,0 755624 393231 /bin/bash
sh 2628 root mem REG 253,0 147604 229379 /lib/ld-2.7.90.so
sh 2628 root mem REG 253,0 1796316 229414 /lib/libc-2.7.90.so
sh 2628 root mem REG 253,0 20568 229459 /lib/libdl-2.7.90.so
sh 2628 root mem REG 253,0 97556 229573 /lib/libtinfo.so.5.6
sh 2628 root 0r FIFO 0,5 9516 pipe
sh 2628 root 1w FIFO 0,5 9517 pipe
sh 2628 root 2w FIFO 0,5 9517 pipe
I cannot reproduce without xen either. Now what?
I wasn't able to run xen on my computer. We could possibly see this error earlier, if it's a cron bug. I can go through the cron code and look for open file descriptors...
So this could be the app that starts cron that is leaking the tcp_socket, since I don't believe that cron makes any tcp connections?
Well, whatever it was, it has since gone away. I can't reproduce anymore.