Bug 445564 - selinux complains about sysstat and crond_t
selinux complains about sysstat and crond_t
Status: CLOSED DUPLICATE of bug 445584
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-05-07 13:03 EDT by Carl Roth
Modified: 2008-05-07 15:54 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-07 15:54:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Carl Roth 2008-05-07 13:03:45 EDT
Description of problem:

I get the following complaints in my selinux logs when I have sysstat installed:

host=huggy.ursus.net type=AVC msg=audit(1210179601.462:1765): avc: denied { read
write } for pid=2244 comm="sadc" path="socket:[180862]" dev=sockfs ino=180862
scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket
host=huggy.ursus.net type=SYSCALL msg=audit(1210179601.462:1765): arch=c000003e
syscall=59 success=yes exit=0 a0=28018d0 a1=2800d90 a2=2802bb0 a3=8 items=0
ppid=2240 pid=2244 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=285 comm="sadc" exe="/usr/lib64/sa/sadc"
subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null) 

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.3.1-42.fc9.noarch
sysstat-8.0.4-3.fc9.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

I don't know if it's important for sysstat to have access to cron, but if it is
this appears to be a workaround:

  gen_require(`
    type sysstat_t;
    type crond_t;
  ')

  cron_rw_tcp_sockets(sysstat_t)
Comment 1 Daniel Walsh 2008-05-07 14:56:12 EDT
This is probably a pam module leaking an open file descriptor.  How do you
authorize users on your machine?
Comment 2 Carl Roth 2008-05-07 15:33:21 EDT
My system uses ldap/nss_ndap to authorize.
Comment 3 Daniel Walsh 2008-05-07 15:54:45 EDT
That is what I figured...



*** This bug has been marked as a duplicate of 445584 ***

Note You need to log in before you can comment on or make changes to this bug.