Bug 436334 - crond is leaking a file descriptor, causing selinux errors.
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: cronie
Version: rawhide
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Marcela Mašláňová
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2008-03-06 11:06 EST by Orion Poplawski
Modified: 2008-04-01 11:36 EDT
Doc Type: Bug Fix
Last Closed: 2008-04-01 11:36:10 EDT
Description Orion Poplawski 2008-03-06 11:06:22 EST
Description of problem:

Getting one of these every ten minutes when sadc runs:

Mar  6 09:00:01 xenfdev32 kernel: audit(1204819201.798:914): avc:  denied  { read write } for  pid=2142 comm="sadc" name="[1138193]" dev=sockfs ino=1138193 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-11.fc9.noarch
Comment 1 Daniel Walsh 2008-03-06 11:32:18 EST
This is a leaked file descriptor.  I don't think crond is using tcp_sockets, so
some app that crond is launching, and that eventually executes sadc, is leaking a
file descriptor.  This bug should be reported on that app.

You can use 

grep sysstat /var/log/audit/audit.log | audit2allow -M mysystat
semodule -i mysystat.pp

to allow the avc for now.
Comment 2 Ivana Varekova 2008-03-07 03:15:10 EST
sadc should not use tcp_sockets. So could you please attach here the strace of
cron when it executes the sadc command?
Thanks.
Comment 3 Orion Poplawski 2008-03-07 12:28:59 EST
Sorry, looks like an open file descriptor from crond.

If I have a crontab of:

* * * * * /usr/sbin/lsof -p $$ > /tmp/cron.lsof

I get:

COMMAND   PID USER   FD   TYPE DEVICE    SIZE    NODE NAME
sh      24512 root  cwd    DIR  202,1    4096  457857 /root
sh      24512 root  rtd    DIR  202,1    4096       2 /
sh      24512 root  txt    REG  202,1  755624  555983 /bin/bash
sh      24512 root  mem    REG  202,1   96724 1537198 /lib/libtinfo.so.5.6
sh      24512 root  mem    REG  202,1  147604 1537208 /lib/ld-2.7.90.so
sh      24512 root  mem    REG  202,1 1808576 1539159 /lib/i686/nosegneg/libc-2.7.90.so
sh      24512 root  mem    REG  202,1   20568 1537153 /lib/libdl-2.7.90.so
sh      24512 root    0r  FIFO    0,6         1193423 pipe
sh      24512 root    1w  FIFO    0,6         1193424 pipe
sh      24512 root    2w  FIFO    0,6         1193424 pipe
sh      24512 root    8u  sock    0,5         1193425 can't identify protocol

So it looks like crond is leaving an open socket.

An selinux message is generated in the sadc case because it changes contexts.
Comment 4 Marcela Mašláňová 2008-03-12 04:59:50 EDT
Did you reproduce it without using xen? I didn't. My output of /usr/sbin/lsof -p
$$ is different.
[root@cosikdesi ~]# cat /tmp/cron.lsof
COMMAND  PID USER   FD   TYPE DEVICE    SIZE    NODE NAME
sh      2628 root  cwd    DIR  253,0    4096 1671169 /root
sh      2628 root  rtd    DIR  253,0    4096       2 /
sh      2628 root  txt    REG  253,0  755624  393231 /bin/bash
sh      2628 root  mem    REG  253,0  147604  229379 /lib/ld-2.7.90.so
sh      2628 root  mem    REG  253,0 1796316  229414 /lib/libc-2.7.90.so
sh      2628 root  mem    REG  253,0   20568  229459 /lib/libdl-2.7.90.so
sh      2628 root  mem    REG  253,0   97556  229573 /lib/libtinfo.so.5.6
sh      2628 root    0r  FIFO    0,5            9516 pipe
sh      2628 root    1w  FIFO    0,5            9517 pipe
sh      2628 root    2w  FIFO    0,5            9517 pipe
Comment 5 Orion Poplawski 2008-03-12 13:32:06 EDT
I cannot reproduce without xen either.  Now what?
Comment 6 Marcela Mašláňová 2008-03-13 08:42:02 EDT
I wasn't able to run xen on my computer.
We could possibly see this error earlier, if it's a cron bug. I can go through
cron code and look for open file descriptors...
Comment 7 Daniel Walsh 2008-04-01 03:35:03 EDT
So this could be the app that starts cron that is leaking tcp_socket.  Since I
don't believe that cron does any tcp connections?

Comment 8 Orion Poplawski 2008-04-01 11:36:10 EDT
Well, whatever it was, it has since gone away.  I can't reproduce anymore.
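
The leak discussed in this thread, as an added example that is not part of the bug report and is not cronie code: a socket left open by a parent stays open in every job it starts with fork and exec unless the descriptor is marked close-on-exec. The helper name child_inherits_socket, the use of /bin/sh, and the reliance on Linux /proc are assumptions made for the illustration.

```c
/* Added example, not cronie code: checks whether a child started with
 * fork+exec inherits a socket its parent left open. Names are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the exec'd shell still has the parent's socket open,
 * 0 if it was closed at exec time, -1 on error. Assumes Linux /proc. */
int child_inherits_socket(int set_cloexec)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);   /* unconnected TCP socket */
    if (fd < 0)
        return -1;

    if (set_cloexec) {
        /* The fix: mark the descriptor close-on-exec. */
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fd);
            return -1;
        }
    }

    /* Same question "lsof -p $$" answers: is descriptor <fd> open in the job? */
    char cmd[64];
    snprintf(cmd, sizeof cmd, "test -e /proc/self/fd/%d", fd);

    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                             /* exec itself failed */
    }
    close(fd);                                  /* parent's copy no longer needed */

    int status;
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) > 1)
        return -1;                              /* shell could not run the check */
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("default flags: inherited=%d\n", child_inherits_socket(0));
    printf("FD_CLOEXEC:    inherited=%d\n", child_inherits_socket(1));
    return 0;
}
```

When the child later transitions to another SELinux domain, as sadc does to sysstat_t, an inherited descriptor of this kind is what produces the denial on a tcp_socket labelled with the parent's context.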
