Summary: SELinux is preventing /bin/bash "read" access on /var/db/nscd/passwd. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by sa1. It is not expected that this access is required by sa1 and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:sysstat_t:s0 Target Context unconfined_u:object_r:nscd_var_run_t:s0 Target Objects /var/db/nscd/passwd [ file ] Source sa1 Source Path /bin/bash Port <Unknown> Host (removed) Source RPM Packages bash-4.1.7-1.fc13 Target RPM Packages nscd-2.12-2 Policy RPM selinux-policy-3.7.19-23.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.33.5-112.fc13.x86_64 #1 SMP Thu May 27 02:28:31 UTC 2010 x86_64 x86_64 Alert Count 9 First Seen Fri 28 May 2010 09:12:54 AM EDT Last Seen Tue 15 Jun 2010 01:57:09 PM EDT Local ID 7584c27b-dd19-4870-acd6-8c685bdbfcbf Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1276624629.342:3166640): avc: denied { read } for pid=32512 comm="sa1" path="/var/db/nscd/passwd" dev=dm-1 ino=37716 scontext=system_u:system_r:sysstat_t:s0 tcontext=unconfined_u:object_r:nscd_var_run_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1276624629.342:3166640): arch=c000003e syscall=47 success=yes exit=15 a0=3 a1=7ffff412e7d0 a2=40000000 a3=4000 items=0 ppid=32510 pid=32512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sa1" exe="/bin/bash" subj=system_u:system_r:sysstat_t:s0 key=(null) Hash String generated from catchall,sa1,sysstat_t,nscd_var_run_t,file,read audit2allow suggests: #============= sysstat_t ============== allow sysstat_t nscd_var_run_t:file read;
Why is sa1 trying to read passwd data? Does it call getpw?
Hello, I don't see any reason why sa1 should try to read passwd, please could you attach here your /usr/lib/sa/sa1 script and rpm -qV sysstat? Do you have some special settings?
djscott@pc35:~$ file /usr/lib/sa/sa1 /usr/lib/sa/sa1: cannot open `/usr/lib/sa/sa1' (No such file or directory) djscott@pc35:~$ rpm -qV sysstat djscott@pc35:~$ The file does not appear to exist, and the RPM command shows nothing. Lowercase 'V' gives: djscott@pc35:~$ rpm -qv sysstat sysstat-9.0.6-3.fc13.x86_64 djscott@pc35:~$
sorry, the address is /usr/lib64/sa/sa1
Created attachment 425129 [details] /usr/lib64/sa/sa1 file I haven't changed this file from the one provided....
Hello, sorry for the delay. Does this problem still affect your machine? If yes I will need some debug data and paste here debug version of sa1 script.
I don't think this is a problem any more. I don't see this message in the logs.
Thanks, i will close this bug as insufficient data, if the bug appears again please reopen it.