Bug 436334 - crond is leaking a file descriptor, causing selinux errors.
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: cronie
Version: rawhide
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Marcela Mašláňová
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-03-06 16:06 UTC by Orion Poplawski
Modified: 2008-04-01 15:36 UTC

Doc Type: Bug Fix
Last Closed: 2008-04-01 15:36:10 UTC

Description Orion Poplawski 2008-03-06 16:06:22 UTC
Description of problem:

Getting one of these every ten minutes when sadc runs:

Mar  6 09:00:01 xenfdev32 kernel: audit(1204819201.798:914): avc:  denied  { read write } for  pid=2142 comm="sadc" name="[1138193]" dev=sockfs ino=1138193 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-11.fc9.noarch

Comment 1 Daniel Walsh 2008-03-06 16:32:18 UTC
This is a leaked file descriptor.  I don't think crond is using tcp_sockets, so
some app that crond is launching, and that eventually executes sadc, is leaking
a file descriptor.  This bug should be reported on that app.

You can use 

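# Build a local policy module (mysystat.pp) from the logged sysstat denials
grep sysstat /var/log/audit/audit.log | audit2allow -M mysystat
# Load the generated module package
semodule -i mysystat.pp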

to allow the avc for now.

Comment 2 Ivana Varekova 2008-03-07 08:15:10 UTC
sadc should not use tcp_sockets. So please could you attach here the strace of
cron when it executes the sadc command?
Thanks.

Comment 3 Orion Poplawski 2008-03-07 17:28:59 UTC
Sorry, looks like an open file descriptor from crond.

If I have a crontab of:

* * * * * /usr/sbin/lsof -p $$ > /tmp/cron.lsof

I get:

COMMAND   PID USER   FD   TYPE DEVICE    SIZE    NODE NAME
sh      24512 root  cwd    DIR  202,1    4096  457857 /root
sh      24512 root  rtd    DIR  202,1    4096       2 /
sh      24512 root  txt    REG  202,1  755624  555983 /bin/bash
sh      24512 root  mem    REG  202,1   96724 1537198 /lib/libtinfo.so.5.6
sh      24512 root  mem    REG  202,1  147604 1537208 /lib/ld-2.7.90.so
sh      24512 root  mem    REG  202,1 1808576 1539159 /lib/i686/nosegneg/libc-2.7.90.so
sh      24512 root  mem    REG  202,1   20568 1537153 /lib/libdl-2.7.90.so
sh      24512 root    0r  FIFO    0,6         1193423 pipe
sh      24512 root    1w  FIFO    0,6         1193424 pipe
sh      24512 root    2w  FIFO    0,6         1193424 pipe
sh      24512 root    8u  sock    0,5         1193425 can't identify protocol

So it looks like crond is leaving an open socket.

An selinux message is generated in the sadc case because it changes contexts.
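
The mechanism behind the lsof output above, as an added example that is not part of the original thread and not crond's code: a descriptor open in a daemon is inherited by every job it execs unless it is marked close-on-exec. The function name is hypothetical, and the check assumes Linux with /proc mounted and a /bin/sh.

```c
/* Added example (not crond source): shows a parent's socket reaching an
 * exec'd job, and FD_CLOEXEC preventing it. Assumes Linux with /proc. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if an exec'd /bin/sh still has the parent's socket open,
 * 0 if it does not, -1 on error. Hypothetical helper name. */
int job_inherits_socket(int set_cloexec)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);  /* stand-in for the leaked fd */
    if (fd < 0)
        return -1;
    if (set_cloexec) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fd);
            return -1;
        }
    }
    /* The job asks the kernel whether that descriptor number is open in it. */
    char script[64];
    snprintf(script, sizeof script, "[ -e /proc/self/fd/%d ]", fd);

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);                            /* exec itself failed */
    }
    close(fd);                                 /* child keeps its own copy */
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("plain socket visible in job:      %d\n", job_inherits_socket(0));
    printf("FD_CLOEXEC socket visible in job: %d\n", job_inherits_socket(1));
    return 0;
}
```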

Comment 4 Marcela Mašláňová 2008-03-12 08:59:50 UTC
Did you reproduce it without using xen? I didn't. My output of /usr/sbin/lsof -p
$$ is different.
[root@cosikdesi ~]# cat /tmp/cron.lsof
COMMAND  PID USER   FD   TYPE DEVICE    SIZE    NODE NAME
sh      2628 root  cwd    DIR  253,0    4096 1671169 /root
sh      2628 root  rtd    DIR  253,0    4096       2 /
sh      2628 root  txt    REG  253,0  755624  393231 /bin/bash
sh      2628 root  mem    REG  253,0  147604  229379 /lib/ld-2.7.90.so
sh      2628 root  mem    REG  253,0 1796316  229414 /lib/libc-2.7.90.so
sh      2628 root  mem    REG  253,0   20568  229459 /lib/libdl-2.7.90.so
sh      2628 root  mem    REG  253,0   97556  229573 /lib/libtinfo.so.5.6
sh      2628 root    0r  FIFO    0,5            9516 pipe
sh      2628 root    1w  FIFO    0,5            9517 pipe
sh      2628 root    2w  FIFO    0,5            9517 pipe


Comment 5 Orion Poplawski 2008-03-12 17:32:06 UTC
I cannot reproduce without xen either.  Now what?

Comment 6 Marcela Mašláňová 2008-03-13 12:42:02 UTC
I wasn't able to run xen on my computer.
We could possibly see this error earlier, if it's a cron bug. I can go through
the cron code and look for open file descriptors...

Comment 7 Daniel Walsh 2008-04-01 07:35:03 UTC
So this could be the app that starts cron that is leaking the tcp_socket, since I
don't believe that cron does any tcp connections?



Comment 8 Orion Poplawski 2008-04-01 15:36:10 UTC
Well, whatever it was, it has since gone away.  I can't reproduce anymore.

