Bug 477998 - rawhide at Cannot open lockfile /var/spool/at/.SEQ: Permission denied
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: at
Version: rawhide
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Marcela Mašláňová
QA Contact: Fedora Extras Quality Assurance
Keywords: SELinux
Reported: 2008-12-26 23:50 EST by Jerry Amundson
Modified: 2012-03-04 10:45 EST
Doc Type: Bug Fix
Last Closed: 2009-01-21 15:21:46 EST
Description Jerry Amundson 2008-12-26 23:50:09 EST
Description of problem:
rawhide at Cannot open lockfile /var/spool/at/.SEQ: Permission denied

Version-Release number of selected component (if applicable):
at-3.1.10-27.fc11.i386

How reproducible:
always

Steps to Reproduce:
1. at <valid-future-time>
2.
3.
  
Actual results:
Error

Expected results:
Submitted at job

Additional info:
First noted with selinux permissive, but currently disabled.
[root@walnut ~]# rpmverify at
[root@walnut ~]# ll -d /var/spool/at
drwx------ 3 daemon daemon 4096 2008-12-26 22:35 /var/spool/at
[root@walnut ~]# ll  /var/spool/at -a
total 12
drwx------  3 daemon daemon 4096 2008-12-26 22:35 .
drwxr-xr-x 13 root   root   4096 2008-11-14 16:35 ..
drwx------  2 daemon daemon 4096 2008-12-03 07:56 spool
[root@walnut ~]# service atd status
atd (pid  2171) is running...
[root@walnut ~]# ps -fwwp 2171
UID        PID  PPID  C STIME TTY      STAT   TIME CMD
root      2171     1  0 20:47 ?        Ss     0:00 /usr/sbin/atd
Comment 1 Marcela Mašláňová 2009-01-05 04:51:20 EST
Could you tell me whether /etc/at.allow exists? Could you please attach /var/log/audit/audit.log, which is denying at?
Comment 2 Jerry Amundson 2009-01-05 11:51:40 EST
(In reply to comment #1)
> Could you tell me whether /etc/at.allow exists? 

There is no /etc/at.allow file.
Comment 3 Jerry Amundson 2009-01-05 12:06:07 EST
Entries from audit.log:

type=USER_ACCT msg=audit(1231175062.620:949): user pid=18563 uid=0 auid=500 ses=21 subj=unconfined_u:unconfined_r:crontab_t:s0 msg='op=PAM:accounting acct="jerry" exe="/usr/bin/at" (hostname=?, addr=?, terminal=atd res=success)'
type=LOGIN msg=audit(1231175062.621:950): login pid=18563 uid=0 old auid=500 new auid=500 old ses=21 new ses=22
type=USER_START msg=audit(1231175062.624:951): user pid=18563 uid=0 auid=500 ses=22 subj=unconfined_u:unconfined_r:crontab_t:s0 msg='op=PAM:session_open acct="jerry" exe="/usr/bin/at" (hostname=?, addr=?, terminal=atd res=success)'
type=CRED_ACQ msg=audit(1231175062.624:952): user pid=18563 uid=0 auid=500 ses=22 subj=unconfined_u:unconfined_r:crontab_t:s0 msg='op=PAM:setcred acct="jerry" exe="/usr/bin/at" (hostname=?, addr=?, terminal=atd res=success)'
type=CRED_DISP msg=audit(1231175062.625:953): user pid=18563 uid=0 auid=500 ses=22 subj=unconfined_u:unconfined_r:crontab_t:s0 msg='op=PAM:setcred acct="jerry" exe="/usr/bin/at" (hostname=?, addr=?, terminal=atd res=success)'
type=USER_END msg=audit(1231175062.626:954): user pid=18563 uid=0 auid=500 ses=22 subj=unconfined_u:unconfined_r:crontab_t:s0 msg='op=PAM:session_close acct="jerry" exe="/usr/bin/at" (hostname=?, addr=?, terminal=atd res=success)'
Comment 4 Jerry Amundson 2009-01-21 00:30:26 EST
Still a problem, not to the point of being annoying... not yet anyway.
Comment 5 Marcela Mašláňová 2009-01-21 04:57:18 EST
OK, I finally updated to rawhide. I see it too. The only difference between F-10 and F-11 is the SELinux context.
F-10
-rw-------  daemon daemon unconfined_u:object_r:user_cron_spool_t:s0 /var/spool/at/.SEQ
F-11
ls -Z /var/spool/at/.SEQ
-rw-------  daemon daemon system_u:object_r:user_cron_spool_t:s0 /var/spool/at/.SEQ

The audit log mentions at only in permissive mode:

type=AVC msg=audit(1232531683.981:56): avc:  denied  { write } for  pid=25692 comm="at" name="at" dev=dm-0 ino=163886 scontext=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1232531683.981:56): avc:  denied  { add_name } for  pid=25692 comm="at" name="a00004013972f2" scontext=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1232531683.981:56): arch=c000003e syscall=2 success=yes exit=4 a0=60bb80 a1=2c1 a2=100 a3=7fff060c6940 items=0 ppid=1986 pid=25692 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="at" exe="/usr/bin/at" subj=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1232531686.895:57): user pid=25709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/atd" (hostname=?, addr=?, terminal=atd res=success)'
type=LOGIN msg=audit(1232531686.928:58): login pid=25709 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=8
type=USER_START msg=audit(1232531687.052:59): user pid=25709 uid=0 auid=0 ses=8 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/atd" (hostname=?, addr=?, terminal=atd res=success)'
type=CRED_ACQ msg=audit(1232531687.128:60): user pid=25709 uid=0 auid=0 ses=8 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root"exe="/usr/sbin/atd" (hostname=?, addr=?, terminal=atd res=success)'
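
Added example (not part of the original report or of any comment in it): a small triage script that groups the AVC denials quoted in comment 5 by audit event id and joins them with the SYSCALL record of the same event, so the denied permissions, the source and target types, and the calling executable can be read in one line. The function names and the `permissive` flag are assumptions of this example; the flag is an inference from a denial whose syscall still reports `success=yes`.

```python
import re
from collections import defaultdict

# Records copied verbatim from comment 5 of this report.
SAMPLE = """type=AVC msg=audit(1232531683.981:56): avc:  denied  { write } for  pid=25692 comm="at" name="at" dev=dm-0 ino=163886 scontext=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1232531683.981:56): avc:  denied  { add_name } for  pid=25692 comm="at" name="a00004013972f2" scontext=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1232531683.981:56): arch=c000003e syscall=2 success=yes exit=4 a0=60bb80 a1=2c1 a2=100 a3=7fff060c6940 items=0 ppid=1986 pid=25692 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="at" exe="/usr/bin/at" subj=unconfined_u:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1232531686.895:57): user pid=25709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/atd" (hostname=?, addr=?, terminal=atd res=success)'
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(':')[2]

def summarize_denials(log_text):
    """Group AVC denials by audit event id and join the matching SYSCALL record."""
    events = defaultdict(lambda: {'perms': set(), 'exe': None, 'success': None})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        denied = DENIED.search(body)
        if rtype == 'AVC' and denied:
            ev = events[event_id]
            ev['perms'].update(denied.group(1).split())
            ev['source'] = selinux_type(fields['scontext'])
            ev['target'] = selinux_type(fields['tcontext'])
            ev['tclass'] = fields['tclass']
        elif rtype == 'SYSCALL':
            events[event_id]['exe'] = fields.get('exe')
            events[event_id]['success'] = fields.get('success')
    # Inference: a denial whose syscall still succeeded was logged, not enforced.
    return {eid: {**ev, 'perms': sorted(ev['perms']),
                  'permissive': ev['success'] == 'yes'}
            for eid, ev in events.items() if ev['perms']}

if __name__ == '__main__':
    for eid, ev in summarize_denials(SAMPLE).items():
        print(f"{eid}: {ev['exe']} {ev['source']} -> {ev['target']}:{ev['tclass']} "
              f"{{ {' '.join(ev['perms'])} }} permissive={ev['permissive']}")
```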
Comment 6 Daniel Walsh 2009-01-21 15:21:46 EST
Fixed in selinux-policy-3.6.4-5.f11
