Bug 623908 - (cronnie_leaks) cronie is leaking a file descriptor?
cronie is leaking a file descriptor?
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: cronie
Version: 14
Hardware: x86_64 Linux
Priority: medium Severity: medium
: ---
: ---
Assigned To: Marcela Mašláňová
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:e2e41d87188...
:
Duplicates: 624088 624213 624284
Depends On:
Blocks: F14Target
Reported: 2010-08-13 02:21 EDT by Nicolas Mailhot
Modified: 2011-06-28 10:27 EDT (History)
272 users (show)

See Also:
Fixed In Version: cronie-1.4.7-1.fc14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 621842
: 624043 (view as bug list)
Environment:
Last Closed: 2010-08-17 01:40:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
Attachments: None
Description Nicolas Mailhot 2010-08-13 02:21:10 EDT
+++ This bug was initially created as a clone of Bug #621842 +++


Summary:

SELinux is preventing /bin/bash access to a leaked /root file descriptor.

Detailed Description:

[prelink has a permissive type (prelink_cron_system_t). This access was not
denied.]

SELinux denied access requested by the prelink command. It looks like this is
either a leaked descriptor or prelink output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /root. You should generate a bugzilla on selinux-policy, and it will get
routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:prelink_cron_system_t:s0-s0:c0.c
                              1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root [ dir ]
Source                        prelink
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.1.7-1.fc13
Target RPM Packages           filesystem-2.4.31-1.fc13
Policy RPM                    selinux-policy-3.7.19-41.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.6-147.2.4.fc13.x86_64 #1 SMP
                              Fri Jul 23 17:14:44 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 06 Aug 2010 11:18:47 AM EEST
Last Seen                     Fri 06 Aug 2010 11:18:47 AM EEST
Local ID                      52b0853a-ed87-468f-ba5a-07c08345fa93
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1281082727.83:20483): avc:  denied  { read } for  pid=13086 comm="prelink" path="/root" dev=sda3 ino=742 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1281082727.83:20483): arch=c000003e syscall=59 success=yes exit=0 a0=f42860 a1=f42ff0 a2=f42530 a3=7fffab028930 items=0 ppid=3166 pid=13086 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="prelink" exe="/bin/bash" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)


This happened after I hard reset my frozen system.
Hash String generated from  leaks,prelink,prelink_cron_system_t,admin_home_t,dir,read
audit2allow suggests:

#============= prelink_cron_system_t ==============
allow prelink_cron_system_t admin_home_t:dir read;

--- Additional comment from john.mccalpin@att.net on 2010-08-07 12:39:52 EDT ---

On my system (exactly the same package revisions as above), the error was generated during my normal nightly run of "recollindex" from package recoll-1.13.04-1.fc13.x86_64. This error has not occurred previously.

--- Additional comment from nicolas.mailhot@laposte.net on 2010-08-08 03:56:59 EDT ---

This also happens on F14

--- Additional comment from john.mccalpin@att.net on 2010-08-09 10:00:21 EDT ---

No change in behavior after the upgrade to selinux-policy-3-7.19-44.fc13 on kernel 2.6.34.2-34.fc13.x86_64.

--- Additional comment from mads@kiilerich.com on 2010-08-10 04:17:17 EDT ---

I started seeing this after installation of selinux-policy-3.7.19-44.fc13 - it didn't occur while I was using selinux-policy-3.7.19-41.fc13. Strange.

--- Additional comment from magnus.tuominen@gmail.com on 2010-08-10 04:54:04 EDT ---

Created an attachment (id=437813)
Still happens with selinux-policy-3.7.19-44.fc13

error output attached from selinux-policy-3.7.19-44.fc13

--- Additional comment from nomnex@gmail.com on 2010-08-11 20:03:03 EDT ---

Created an attachment (id=438313)
print-screen

Same here (JST) happened today, see attachment (jpg). I have an error msg at the bottom of the window, on the left: "Error while checking policy version". How do I fix that?

PS: I am not familiar with the bugzilla redhat, in the event my attachment is not proper, please instruct how to include a print screen in a comment, thanks.

--- Additional comment from req1348@gmail.com on 2010-08-12 03:29:31 EDT ---

This happens every time prelink kicks in on my F13 box.

--- Additional comment from donaldedwardwinslow@gmail.com on 2010-08-12 08:12:18 EDT ---

This morning was the first I've seen this AVC denial. I've been running selinux-policy-3.7.19.44.fc13 since it came out on updates-testing. I was choosing packages to install with Yum Extender, and using bash in a terminal to get information on installed packages (rpm -q, yum info). I did not notice the AVC denial when it occurred; I saw the setroubleshoot applet about half an hour later.

I also had the "Error while checking policy version" message in the browser, maybe because both yumex and yum info were running?

--- Additional comment from shpnft@gmail.com on 2010-08-12 08:57:22 EDT ---

The message "Error while checking policy version" has a bug report: https://bugzilla.redhat.com/show_bug.cgi?id=621709.

--- Additional comment from smconvey@gmail.com on 2010-08-12 13:00:29 EDT ---

Summary:

SELinux is preventing /bin/bash access to a leaked /root file descriptor.

Detailed Description:

[prelink has a permissive type (prelink_cron_system_t). This access was not
denied.]

SELinux denied access requested by the prelink command. It looks like this is
either a leaked descriptor or prelink output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /root. You should generate a bugzilla on selinux-policy, and it will get
routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:prelink_cron_system_t:s0-s0:c0.c
                              1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root [ dir ]
Source                        prelink
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.1.7-1.fc13
Target RPM Packages           filesystem-2.4.31-1.fc13
Policy RPM                    selinux-policy-3.7.19-44.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.6-147.2.4.fc13.i686.PAE
                              #1 SMP Fri Jul 23 17:21:06 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Wed 11 Aug 2010 03:14:21 PM PDT
Last Seen                     Wed 11 Aug 2010 03:14:21 PM PDT
Local ID                      d2a65adc-da30-4b8d-b137-903018f36c3a
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1281564861.153:23098): avc:  denied  { read } for  pid=3217 comm="prelink" path="/root" dev=dm-0 ino=130820 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1281564861.153:23098): arch=40000003 syscall=11 success=yes exit=0 a0=a03cc98 a1=a03cb20 a2=a039b78 a3=a03cb20 items=0 ppid=2499 pid=3217 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="prelink" exe="/bin/bash" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)

--- Additional comment from shpnft@gmail.com on 2010-08-12 14:56:15 EDT ---

The message "Error while checking policy version" is due to corrupted yum metadata. A "yum clean metadata" fixes the error message (more details in https://bugzilla.redhat.com/show_bug.cgi?id=621709).

I can reproduce the bash/prelink error. I run
# /etc/cron.daily/prelink
and
# run-parts /etc/cron.daily

and nothing happens... Does someone have an idea how to reproduce that bug?

--- Additional comment from dwalsh@redhat.com on 2010-08-12 16:35:51 EDT ---

*** Bug 623755 has been marked as a duplicate of this bug. ***

--- Additional comment from dwalsh@redhat.com on 2010-08-12 16:36:54 EDT ---

Miroslav, I added

 userdom_dontaudit_list_admin_dir(prelink_cron_system_t)

I am thinking this is a bug in cron, but I am not sure.  If other confined domains start trying to list /root I will pass it to them.

--- Additional comment from talltaurus2002@yahoo.com on 2010-08-12 17:26:25 EDT ---

I think you might be on to something Mr. Walsh. It went off on me yesterday and I thought it was flash or something with firefox but I just checked my logs and it was cron starting up.

--- Additional comment from mgrepl@redhat.com on 2010-08-13 02:11:44 EDT ---

I added it to selinux-policy-3.7.19-47.fc13. But it really looks like cronie is leaking a file descriptor.
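The "leaks" plugin report above is what setroubleshoot emits when a descriptor is still open at exec() time and inherited by the child (here prelink's /bin/bash ending up with a read handle on /root). The C program below is an added illustration and not cronie's code: it shows the leaky open() pattern next to the O_CLOEXEC fix, retrofits FD_CLOEXEC onto an already open descriptor, and counts the descriptors an exec'd child would inherit by walking /proc/self/fd (assumed to exist, i.e. Linux). The directory "/" and all function names are my own choices for the demo.

```c
/* Added example, not from cronie: file-descriptor leaks across exec() and
 * how to detect and prevent them. Assumes Linux (/proc/self/fd). */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd would be inherited by an exec'd program, 0 if it is marked
 * close-on-exec, -1 if fd is not an open descriptor. */
int fd_survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Leaky pattern: a daemon opens a directory (e.g. a home directory) with no
 * O_CLOEXEC; every job it exec's afterwards inherits the descriptor. */
int open_dir_leaky(const char *path)
{
    return open(path, O_RDONLY | O_DIRECTORY);
}

/* Fixed pattern: O_CLOEXEC makes the kernel close the fd atomically on exec. */
int open_dir_safe(const char *path)
{
    return open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
}

/* Retrofit close-on-exec onto a descriptor that is already open. Not atomic
 * with respect to a concurrent fork, but fine for a single-threaded daemon
 * that does this before spawning jobs. Returns 0 on success, -1 on error. */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Count descriptors above stderr that an exec'd child would inherit, by
 * walking /proc/self/fd (the walker's own fd is skipped). -1 if /proc is
 * unavailable. This is the check the SELinux "leaks" report implies. */
int count_inheritable_fds(void)
{
    DIR *d = opendir("/proc/self/fd");
    if (!d)
        return -1;
    int own = dirfd(d), n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.')
            continue;
        int fd = atoi(e->d_name);
        if (fd <= 2 || fd == own)
            continue;
        if (fd_survives_exec(fd) == 1)
            n++;
    }
    closedir(d);
    return n;
}

/* Exercise the scenario end to end; returns the number of failed checks. */
int run_leak_scenario(const char *dir)
{
    int failures = 0;
    int base = count_inheritable_fds();

    int leaky = open_dir_leaky(dir);             /* would leak into children */
    if (leaky < 0 || fd_survives_exec(leaky) != 1)
        failures++;
    if (base >= 0 && count_inheritable_fds() != base + 1)
        failures++;

    if (mark_cloexec(leaky) != 0 || fd_survives_exec(leaky) != 0)
        failures++;                              /* retrofit must take effect */
    if (base >= 0 && count_inheritable_fds() != base)
        failures++;
    close(leaky);

    int safe = open_dir_safe(dir);               /* never visible to children */
    if (safe < 0 || fd_survives_exec(safe) != 0)
        failures++;
    close(safe);
    return failures;
}

int main(void)
{
    int fails = run_leak_scenario("/");
    printf("failed checks: %d, inheritable fds now: %d\n",
           fails, count_inheritable_fds());

    /* What a child actually sees: with a leaky fd still open, the listing
     * includes it; re-run with open_dir_safe() and it disappears. */
    int leaky = open_dir_leaky("/");
    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", "ls -l /proc/self/fd", (char *)NULL);
        _exit(127);
    }
    if (pid > 0)
        waitpid(pid, NULL, 0);
    close(leaky);
    return fails ? 1 : 0;
}
```

The delta-based counting in run_leak_scenario() is deliberate: a test harness or shell may already hold extra descriptors, so the check asserts on the change caused by each open(), not on an absolute number.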
Comment 1 Brian Foulkrod 2010-08-13 06:16:55 EDT
I just started getting this on both my laptop and tower today. In my case, a look at my mail (/var/spool/root) showed every instance was clamware and Klamav being suddenly unable to get any more updates (which is why it seems to happen on the hour, every hour).

a sample...note the repeating times

Date: Tue, 29 Jun 2010 09:00:01 -0400
Message-Id: <201006291300.o5TD012I014160@hub.cnc>
From: root@hub.cnc (Cron Daemon)
To: root@hub.cnc
Subject: Cron <root@hub> /usr/share/clamav/freshclam-sleep
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

WARNING: update of clamav database is disabled; please see
  '/etc/sysconfig/freshclam'
  for information how to enable the periodic update resp. how to turn
  off this message.

From root@hub.cnc  Tue Jun 29 12:00:08 2010
Return-Path: <root@hub.cnc>
Received: from hub.cnc (hub.cnc [127.0.0.1])
	by hub.cnc (8.14.4/8.14.4) with ESMTP id o5TG02jV017739
	for <root@hub.cnc>; Tue, 29 Jun 2010 12:00:08 -0400
Received: (from root@localhost)
	by hub.cnc (8.14.4/8.14.4/Submit) id o5TG01HG017737;
	Tue, 29 Jun 2010 12:00:01 -0400
Date: Tue, 29 Jun 2010 12:00:01 -0400
Message-Id: <201006291600.o5TG01HG017737@hub.cnc>
From: root@hub.cnc (Cron Daemon)
To: root@hub.cnc
Subject: Cron <root@hub> /usr/share/clamav/freshclam-sleep
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

WARNING: update of clamav database is disabled; please see
  '/etc/sysconfig/freshclam'
  for information how to enable the periodic update resp. how to turn
  off this message.

and on and on it went...

Is this the same for everybody else, and if so, why is this needed update to protect windoze from itself not functioning? I use linux to remotely scan laptops of other veterans in the facility I reside in, and being able to scan for their guffaws that disable antiviruses on their stuff from the outside is a handy thing when dealing with the clueXfour crowd.
Comment 2 Brian Foulkrod 2010-08-13 06:59:30 EDT
Smacking head...there was no 0.96 update for clamav available through yum, and I chose not to rip it out and put in the .tar.gz package. Instead, I installed Klamav, which has no problem updating, and also generated no issues on a manual update. clamav won't even generate the conf files needed to update manually:

clamd.conf not found

freshclam.conf not found

clamav-milter.conf not found

...also.../usr/bin/clamconf shows it built on

I created an /etc/freshclam file, then edited it thus:

DatabaseMirror db.gb.clamav.net

Problem solved. Freshclam now works, so at least in my case, the cron leak has been solved.
Comment 3 Jesse Pollard 2010-08-13 07:46:00 EDT
No clamav here. Just the default Linux cron jobs:
cron.hourly, sa-update.cron, smoltSendProfile


These seem to be the default Fedora 13 setup (I haven't needed to change
anything).
Comment 4 Jesse Pollard 2010-08-13 07:49:07 EDT
Something I just remembered -

This hasn't happened since installation...

Until yesterday's update (my first since August 5). None of the other update periods had issues.
Comment 5 Jesse Pollard 2010-08-13 07:52:03 EDT
Apologies for the multiple comments (not thinking clearly)

Here is the list of updates I did on August 12:

Updated:
  ModemManager.x86_64 0:0.4-4.git20100720.fc13                                  
  acl.x86_64 0:2.2.49-6.fc13                                                    
  cifs-utils.x86_64 0:4.6-1.fc13                                                
  cronie.x86_64 0:1.4.5-1.fc13                                                  
  cronie-anacron.x86_64 0:1.4.5-1.fc13                                          
  doxygen.x86_64 1:1.7.1-1.fc13                                                 
  gdb.x86_64 0:7.1-32.fc13                                                      
  git.x86_64 0:1.7.2.1-2.fc13                                                   
  glx-utils.x86_64 0:7.8.1-8.fc13                                               
  ibus-chewing.x86_64 0:1.3.6.20100730-1.fc13                                   
  imsettings.x86_64 0:0.108.1-1.fc13                                            
  imsettings-libs.x86_64 0:0.108.1-1.fc13                                       
  imsettings-xfce.x86_64 0:0.108.1-1.fc13                                       
  indent.x86_64 0:2.2.11-1.fc13                                                 
  iputils.x86_64 0:20071127-12.fc13                                             
  jpackage-utils.noarch 0:1.7.5-3.11.fc13                                       
  kdevelop.x86_64 9:4.0.0-2.fc13                                                
  kdevelop-libs.x86_64 9:4.0.0-2.fc13                                           
  libacl.x86_64 0:2.2.49-6.fc13                                                 
  libacl-devel.x86_64 0:2.2.49-6.fc13                                           
  libblkid.x86_64 0:2.17.2-7.fc13                                               
  libcap-ng.x86_64 0:0.6.4-2.fc13                                               
  libcgroup.x86_64 0:0.35.1-3.fc13                                              
  libcollection.x86_64 0:0.4.0-19.fc13                                          
  libdhash.x86_64 0:0.4.0-19.fc13                                               
  libini_config.x86_64 0:0.5.0-19.fc13                                          
  libuuid.i686 0:2.17.2-7.fc13                                                  
  libuuid.x86_64 0:2.17.2-7.fc13                                                
  libuuid-devel.x86_64 0:2.17.2-7.fc13                                          
  linux-firmware.noarch 0:20100806-2.fc13                                       
  mesa-dri-drivers.x86_64 0:7.8.1-8.fc13                                        
  mesa-libGL.x86_64 0:7.8.1-8.fc13                                              
  mesa-libGL-devel.x86_64 0:7.8.1-8.fc13                                        
  mesa-libGLU.x86_64 0:7.8.1-8.fc13                                             
  mesa-libGLU-devel.x86_64 0:7.8.1-8.fc13                                       
  net-snmp.x86_64 1:5.5-15.fc13                                                 
  net-snmp-libs.x86_64 1:5.5-15.fc13                                            
  openconnect.x86_64 0:2.25-1.fc13                                              
  orc.x86_64 0:0.4.6-1.fc13                                                     
  perl-Compress-Raw-Bzip2.x86_64 0:2.030-1.fc13                                 
  perl-Compress-Raw-Zlib.x86_64 0:2.030-1.fc13                                  
  perl-Git.noarch 0:1.7.2.1-2.fc13                                              
  perl-IO-Compress.noarch 0:2.030-1.fc13                                        
  phpMyAdmin.noarch 0:3.3.5-1.fc13                                              
  python-setuptools.noarch 0:0.6.14-1.fc13                                      
  selinux-policy.noarch 0:3.7.19-44.fc13                                        
  selinux-policy-targeted.noarch 0:3.7.19-44.fc13                               
  sssd.x86_64 0:1.2.2-19.fc13                                                   
  sssd-client.x86_64 0:1.2.2-19.fc13                                            
  tk.x86_64 1:8.5.8-2.fc13                                                      
  tzdata.noarch 0:2010k-1.fc13                                                  
  tzdata-java.noarch 0:2010k-1.fc13                                             
  util-linux-ng.x86_64 0:2.17.2-7.fc13                                          
  vinagre.x86_64 0:2.30.2-1.fc13                                                
  virtuoso-opensource.x86_64 0:6.1.2-1.fc13                                     
  xorg-x11-server-Xorg.x86_64 0:1.8.2-3.fc13                                    
  xorg-x11-server-common.x86_64 0:1.8.2-3.fc13                                  
  xscreensaver-base.x86_64 1:5.11-8.1.fc13.respin1                              
  xscreensaver-extras.x86_64 1:5.11-8.1.fc13.respin1                            
  xscreensaver-gl-base.x86_64 1:5.11-8.1.fc13.respin1                           
  xscreensaver-gl-extras.x86_64 1:5.11-8.1.fc13.respin1                         
  yum.noarch 0:3.2.28-1.fc13                                                    
  yum-utils.noarch 0:1.1.28-1.fc13                                              

(I try to keep a separate log for each update).
Comment 6 Marcela Mašláňová 2010-08-13 10:00:27 EDT
You can test for F-13 build: 
http://koji.fedoraproject.org/koji/taskinfo?taskID=2399590

Updates will be created soon.
Comment 7 Scott Castaline 2010-08-13 10:04:08 EDT
Just started getting this yesterday. My software updates for last Wednesday 8/11/2010 are as follows:
Aug 11 10:47:29 Updated: openconnect-2.25-1.fc13.x86_64
Aug 11 10:47:31 Updated: iputils-20071127-12.fc13.x86_64
Aug 11 11:20:51 Updated: cronie-anacron-1.4.5-1.fc13.x86_64
Aug 11 11:20:52 Updated: cronie-1.4.5-1.fc13.x86_64
Aug 11 11:20:55 Updated: imsettings-libs-0.108.1-1.fc13.x86_64
Aug 11 11:21:22 Updated: selinux-policy-3.7.19-44.fc13.noarch
Aug 11 11:21:24 Updated: imsettings-0.108.1-1.fc13.x86_64
Aug 11 11:21:27 Updated: goffice-0.8.8-1.fc13.x86_64
Aug 11 11:22:23 Updated: selinux-policy-targeted-3.7.19-44.fc13.noarch
Aug 11 11:22:25 Updated: linux-firmware-20100806-2.fc13.noarch
Aug 11 11:22:33 Updated: pessulus-2.30.2-1.fc13.noarch

The following entry in my cron log seems to be the culprit, or at least marks when the violation occurs:
Aug 13 09:35:34 ncc1701 run-parts(/etc/cron.daily)[5865]: starting prelink
Aug 13 09:37:47 ncc1701 run-parts(/etc/cron.daily)[9171]: finished prelink
Comment 8 Fedora Update System 2010-08-13 10:22:56 EDT
cronie-1.4.5-2.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/cronie-1.4.5-2.fc14
Comment 9 Fedora Update System 2010-08-13 10:27:38 EDT
cronie-1.4.5-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/cronie-1.4.5-2.fc13
Comment 10 Nicolas Mailhot 2010-08-13 15:15:39 EDT
*** Bug 621842 has been marked as a duplicate of this bug. ***
Comment 11 Fedora Update System 2010-08-13 17:20:13 EDT
cronie-1.4.5-2.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cronie'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/cronie-1.4.5-2.fc13
Comment 12 Tomas Mraz 2010-08-16 08:39:24 EDT
*** Bug 624284 has been marked as a duplicate of this bug. ***
Comment 13 Fedora Update System 2010-08-17 01:40:26 EDT
cronie-1.4.5-2.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Tomas Mraz 2010-08-19 07:55:18 EDT
*** Bug 624088 has been marked as a duplicate of this bug. ***
Comment 15 Daniel Walsh 2010-08-23 10:36:45 EDT
*** Bug 624213 has been marked as a duplicate of this bug. ***
Comment 16 Fedora Update System 2010-08-26 23:04:29 EDT
cronie-1.4.5-2.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2011-03-16 11:16:51 EDT
cronie-1.4.7-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/cronie-1.4.7-1.fc14
Comment 18 Fedora Update System 2011-03-30 15:58:10 EDT
cronie-1.4.7-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
