Bug 447078 - tmpwatch avc's
Status: CLOSED DUPLICATE of bug 445584
Product: Fedora
Classification: Fedora
Component: nss_ldap
Version: 9
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Assigned To: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-05-17 13:55 EDT by shane
Modified: 2008-05-20 09:07 EDT
Last Closed: 2008-05-20 09:07:14 EDT
Doc Type: Bug Fix
Attachments: None

Description shane 2008-05-17 13:55:00 EDT
Description of problem: tmpwatch is generating avc's


Version-Release number of selected component (if applicable):
tmpwatch-2.9.13-2.x86_64


How reproducible: Install/Upgrade, wait for tmpwatch to run


Steps to Reproduce:
1. Install and wait for tmpwatch to run
2. logrotate is doing the same

Actual results: avc's


Expected results: No avc's


Additional info: selinux logs:

tmpwatch avc:

Summary

SELinux is preventing tmpwatch (tmpreaper_t) "read write" to socket (crond_t). 

Additional Information:

Source Context       system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
Target Context       system_u:system_r:crond_t:s0-s0:c0.c1023
Target Objects       socket [ tcp_socket ]
Source               tmpwatch
Source Path          /usr/sbin/tmpwatch
Port                 <Unknown>
Host                 <hostname>
Source RPM Packages  tmpwatch-2.9.13-2
Target RPM Packages           
Policy RPM           selinux-policy-3.3.1-42.fc9
Selinux Enabled      True
Policy Type          targeted
MLS Enabled          True
Enforcing Mode       Enforcing
Plugin Name          catchall
Host Name            <hostname>
Platform             Linux <hostname> 2.6.25.3-18.fc9.x86_64 #1 SMP
                     Tue May 13 04:54:47 EDT 2008 x86_64 x86_64
Alert Count          34
First Seen           Sat 17 May 2008 04:22:52 AM CDT
Last Seen            Sat 17 May 2008 04:22:54 AM CDT
Local ID             bf49de59-1c3f-4665-b0b0-0e2df664ea5b
Line Numbers         

Raw Audit Messages   

host=<hostname> type=AVC msg=audit(1211016174.78:83): avc:  denied  {
read write } for  pid=6346 comm="tmpwatch" path="socket:[28588]" dev=sockfs
ino=28588 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket

host=<hostname> type=SYSCALL msg=audit(1211016174.78:83): arch=c000003e
syscall=59 success=yes exit=0 a0=ef7160 a1=ef4340 a2=ef6980 a3=8 items=0
ppid=6313 pid=6346 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=7 comm="tmpwatch" exe="/usr/sbin/tmpwatch"
subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)




logwatch avc:

Summary:

SELinux is preventing logrotate (logrotate_t) "read write" to socket (crond_t).

Additional Information:

Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:system_r:crond_t:s0-s0:c0.c1023
Target Objects                socket [ tcp_socket ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          <hostname>
Source RPM Packages           logrotate-3.7.6-3.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     <hostname>
Platform                      Linux <hostname> 2.6.25.3-18.fc9.x86_64 #1 SMP 
                              Tue May 13 04:54:47 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 17 May 2008 04:22:52 AM CDT
Last Seen                     Sat 17 May 2008 04:22:52 AM CDT
Local ID                      b5760bbf-e16f-4a40-8b1a-c90b2e89b5a5
Line Numbers                  

Raw Audit Messages            

host=<hostname> type=AVC msg=audit(1211016172.248:49): avc:  denied  { read write } for  pid=6181
comm="logrotate" path="socket:[28588]" dev=sockfs ino=28588
scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket

host=<hostname> type=SYSCALL msg=audit(1211016172.248:49): arch=c000003e syscall=59 success=yes exit=0
a0=1d516b0 a1=1d51610 a2=1d50120 a3=3673367a70 items=0 ppid=6179 pid=6181
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=7 comm="logrotate" exe="/usr/sbin/logrotate"
subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-05-19 14:50:13 EDT
This is a leaked file descriptor. Are you using nss_ldap?
Comment 2 shane 2008-05-20 01:22:05 EDT
Yes, I am using nss_ldap. What is a leaked file descriptor?
Comment 3 shane 2008-05-20 01:23:36 EDT
Forgot to put in the version. But these have been showing up since install.

nss_ldap-259-3.fc9.x86_64
Comment 4 Daniel Walsh 2008-05-20 09:06:26 EDT
When an application opens a file/socket, it gets an open file descriptor. This
file descriptor is inherited by default by all of its forked child processes.

So if a program opens a file and then forks/execs a program, the new program
also has the open file descriptor. SELinux checks the access of the child
process on the open file descriptor and closes it if the child process does not
have access. This causes the AVC. Most programs do not want/need the file
descriptors to be inherited by their children, so they should call

fcntl(fd, F_SETFD, FD_CLOEXEC)

You can ignore this for now since SELinux is closing the leak.
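The descriptor leak described in comment 4, as an added example that is not part of this bug report or of the tmpwatch, logrotate or nss_ldap code: a socket is opened without close-on-exec, a child is forked and exec'd, and the child's shell probes whether that descriptor number is still open; then the fix, fcntl(fd, F_SETFD, FD_CLOEXEC), is applied and the probe is repeated. All function names are my own, and the probe assumes /bin/sh is present and that an AF_UNIX socket can be created (both are assumptions about the host, not something the report states).

```c
/* Added example, not from the bug report: an open descriptor survives
 * fork()+exec() unless FD_CLOEXEC is set on it. That inheritance is what
 * put crond's socket inside the tmpwatch and logrotate processes above. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a socket the way a daemon typically would: no close-on-exec flag,
 * so every child it execs inherits the descriptor. (AF_UNIX is used only
 * so the example needs no network; a TCP socket behaves the same.) */
int open_leaky_socket(void)
{
    return socket(AF_UNIX, SOCK_STREAM, 0);
}

/* The fix named in comment 4: mark fd close-on-exec. F_GETFD first so any
 * other descriptor flags are preserved. Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/* 1 if FD_CLOEXEC is set on fd, 0 if it is not, -1 if fd is not open. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Fork, exec /bin/sh, and have the child try to dup descriptor number fd
 * onto its stdout (":" writes nothing, so only the dup is tested). The dup
 * fails with EBADF if the descriptor was closed at exec time.
 * Returns 1 if the descriptor survived the exec (leaked), 0 if it was
 * closed, -1 if fork/exec/wait itself failed. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);

    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                 /* exec failed; distinguish from EBADF */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    if (code == 127)
        return -1;
    return code == 0 ? 1 : 0;
}

/* Whole scenario: 1 if the descriptor is inherited before the fix and not
 * inherited after it, 0 if either observation disagrees, -1 on error. */
int leak_is_fixed_by_cloexec(void)
{
    int fd = open_leaky_socket();
    if (fd == -1)
        return -1;
    int before = fd_survives_exec(fd);
    int after = -1;
    if (before != -1 && set_cloexec(fd) == 0)
        after = fd_survives_exec(fd);
    close(fd);
    if (before == -1 || after == -1)
        return -1;
    return (before == 1 && after == 0) ? 1 : 0;
}

int main(void)
{
    int fd = open_leaky_socket();
    printf("fd %d visible to exec'd child without FD_CLOEXEC: %d\n",
           fd, fd_survives_exec(fd));
    set_cloexec(fd);
    printf("fd %d visible to exec'd child with FD_CLOEXEC:    %d\n",
           fd, fd_survives_exec(fd));
    close(fd);
    return 0;
}
```

With the flag set, the kernel closes the descriptor during execve, so nothing ever reaches the child's domain. On the reporter's box that close was instead performed by SELinux at the crond_t to tmpreaper_t transition, which is exactly the denial the audit record shows (syscall=59 is execve). Since Linux 2.6.27 the flag can also be set atomically at creation with socket(domain, type | SOCK_CLOEXEC, protocol), which removes the window between socket() and fcntl() in a threaded program that may fork in between.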
Comment 5 Daniel Walsh 2008-05-20 09:07:14 EDT

*** This bug has been marked as a duplicate of 445584 ***
