+++ This bug was initially created as a clone of Bug #621842 +++

Summary: SELinux is preventing /bin/bash access to a leaked /root file descriptor.

Detailed Description:
[prelink has a permissive type (prelink_cron_system_t). This access was not denied.]

SELinux denied access requested by the prelink command. It looks like this is either a leaked descriptor or prelink output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /root. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:
Source Context        system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023
Target Context        system_u:object_r:admin_home_t:s0
Target Objects        /root [ dir ]
Source                prelink
Source Path           /bin/bash
Port                  <Unknown>
Host                  (removed)
Source RPM Packages   bash-4.1.7-1.fc13
Target RPM Packages   filesystem-2.4.31-1.fc13
Policy RPM            selinux-policy-3.7.19-41.fc13
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Plugin Name           leaks
Host Name             (removed)
Platform              Linux (removed) 2.6.33.6-147.2.4.fc13.x86_64 #1 SMP Fri Jul 23 17:14:44 UTC 2010 x86_64 x86_64
Alert Count           1
First Seen            Fri 06 Aug 2010 11:18:47 AM EEST
Last Seen             Fri 06 Aug 2010 11:18:47 AM EEST
Local ID              52b0853a-ed87-468f-ba5a-07c08345fa93
Line Numbers

Raw Audit Messages
node=(removed) type=AVC msg=audit(1281082727.83:20483): avc: denied { read } for pid=13086 comm="prelink" path="/root" dev=sda3 ino=742 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=(removed) type=SYSCALL msg=audit(1281082727.83:20483): arch=c000003e syscall=59 success=yes exit=0 a0=f42860 a1=f42ff0 a2=f42530 a3=7fffab028930 items=0 ppid=3166 pid=13086 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="prelink" exe="/bin/bash" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)

This happened after I hard reset my frozen system.

Hash String generated from  leaks,prelink,prelink_cron_system_t,admin_home_t,dir,read
audit2allow suggests:

#============= prelink_cron_system_t ==============
allow prelink_cron_system_t admin_home_t:dir read;

--- Additional comment from john.mccalpin on 2010-08-07 12:39:52 EDT ---
On my system (exactly the same package revisions as above), the error was generated during my normal nightly run of "recollindex" from package recoll-1.13.04-1.fc13.x86_64. This error has not occurred previously.

--- Additional comment from nicolas.mailhot on 2010-08-08 03:56:59 EDT ---
This also happens on F14.

--- Additional comment from john.mccalpin on 2010-08-09 10:00:21 EDT ---
No change in behavior after the upgrade to selinux-policy-3.7.19-44.fc13 on kernel 2.6.34.2-34.fc13.x86_64.

--- Additional comment from mads on 2010-08-10 04:17:17 EDT ---
I started seeing this after installation of selinux-policy-3.7.19-44.fc13 - it didn't occur while I was using selinux-policy-3.7.19-41.fc13. Strange.

--- Additional comment from magnus.tuominen on 2010-08-10 04:54:04 EDT ---
Created an attachment (id=437813)
Still happens with selinux-policy-3.7.19-44.fc13

Error output attached from selinux-policy-3.7.19-44.fc13.

--- Additional comment from nomnex on 2010-08-11 20:03:03 EDT ---
Created an attachment (id=438313)
print-screen

Same here (JST), happened today, see attachment (jpg). I have an error msg at the bottom of the window, on the left: "Error while checking policy version". How do I fix that?
PS: I am not familiar with the bugzilla redhat; in the event my attachment is not proper, please instruct how to include a print screen in a comment, thanks.

--- Additional comment from req1348 on 2010-08-12 03:29:31 EDT ---
This happens every time prelink kicks in on my F13 box.

--- Additional comment from donaldedwardwinslow on 2010-08-12 08:12:18 EDT ---
This morning was the first I've seen this AVC denial. I've been running selinux-policy-3.7.19-44.fc13 since it came out on updates-testing. I was choosing packages to install with Yum Extender, and using bash in a terminal to get information on installed packages (rpm -q, yum info). I did not notice the AVC denial when it occurred; I saw the setroubleshoot applet about half an hour later. I also had the "Error while checking policy version" message in the browser, maybe because both yumex and yum info were running?

--- Additional comment from shpnft on 2010-08-12 08:57:22 EDT ---
The message "Error while checking policy version" has a bug report: https://bugzilla.redhat.com/show_bug.cgi?id=621709.

--- Additional comment from smconvey on 2010-08-12 13:00:29 EDT ---
Summary: SELinux is preventing /bin/bash access to a leaked /root file descriptor.

Detailed Description:
[prelink has a permissive type (prelink_cron_system_t). This access was not denied.]

SELinux denied access requested by the prelink command. It looks like this is either a leaked descriptor or prelink output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /root. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:
Source Context        system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023
Target Context        system_u:object_r:admin_home_t:s0
Target Objects        /root [ dir ]
Source                prelink
Source Path           /bin/bash
Port                  <Unknown>
Host                  (removed)
Source RPM Packages   bash-4.1.7-1.fc13
Target RPM Packages   filesystem-2.4.31-1.fc13
Policy RPM            selinux-policy-3.7.19-44.fc13
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Plugin Name           leaks
Host Name             (removed)
Platform              Linux (removed) 2.6.33.6-147.2.4.fc13.i686.PAE #1 SMP Fri Jul 23 17:21:06 UTC 2010 i686 i686
Alert Count           1
First Seen            Wed 11 Aug 2010 03:14:21 PM PDT
Last Seen             Wed 11 Aug 2010 03:14:21 PM PDT
Local ID              d2a65adc-da30-4b8d-b137-903018f36c3a
Line Numbers

Raw Audit Messages
node=(removed) type=AVC msg=audit(1281564861.153:23098): avc: denied { read } for pid=3217 comm="prelink" path="/root" dev=dm-0 ino=130820 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=(removed) type=SYSCALL msg=audit(1281564861.153:23098): arch=40000003 syscall=11 success=yes exit=0 a0=a03cc98 a1=a03cb20 a2=a039b78 a3=a03cb20 items=0 ppid=2499 pid=3217 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="prelink" exe="/bin/bash" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)

--- Additional comment from shpnft on 2010-08-12 14:56:15 EDT ---
The message "Error while checking policy version" is due to corrupted yum metadata. A "yum clean metadata" fixes the error message (more details in https://bugzilla.redhat.com/show_bug.cgi?id=621709).

I can reproduce the bash/prelink error. I run

# /etc/cron.daily/prelink

and

# run-parts /etc/cron.daily

and nothing happens... Does someone have an idea how to reproduce that bug?
--- Additional comment from dwalsh on 2010-08-12 16:35:51 EDT ---
*** Bug 623755 has been marked as a duplicate of this bug. ***

--- Additional comment from dwalsh on 2010-08-12 16:36:54 EDT ---
Miroslav, I added

userdom_dontaudit_list_admin_dir(prelink_cron_system_t)

I am thinking this is a bug in cron, but I am not sure. If other confined domains start trying to list /root I will pass it to them.

--- Additional comment from talltaurus2002 on 2010-08-12 17:26:25 EDT ---
I think you might be on to something, Mr. Walsh. It went off on me yesterday and I thought it was flash or something with firefox, but I just checked my logs and it was cron starting up.

--- Additional comment from mgrepl on 2010-08-13 02:11:44 EDT ---
I added it to selinux-policy-3.7.19-47.fc13. But it really looks like cronie is leaking a file descriptor.
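To make the "leaks" reasoning in the reports above concrete, here is an added example (it is neither part of this bug nor setroubleshoot's own code) that parses the AVC and SYSCALL records quoted in the first report, flags the denial as an inherited-descriptor check because it was raised while the kernel serviced execve, and renders both the audit2allow allow rule and the dontaudit alternative. The record strings are constructed from the report, and the execve-based leak heuristic is an assumption of this example rather than setroubleshoot's actual plugin logic.

```python
import re
# Sample records constructed from the raw audit messages quoted in this bug.
SAMPLE_AVC = (
    'type=AVC msg=audit(1281082727.83:20483): avc: denied { read } for pid=13086 '
    'comm="prelink" path="/root" dev=sda3 ino=742 '
    'scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:admin_home_t:s0 tclass=dir'
)
SAMPLE_SYSCALL = (
    'type=SYSCALL msg=audit(1281082727.83:20483): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=3166 pid=13086 auid=0 uid=0 comm="prelink" '
    'exe="/bin/bash" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023'
)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{ ([^}]*) \}')
# execve number per audit arch: x86_64 (c000003e) and i386 (40000003),
# the two arches in the reports attached to this bug.
EXECVE = {'c000003e': '59', '40000003': '11'}

def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    m = PERMS.search(line)
    rec['perms'] = m.group(1).split() if m else []
    return rec

def event_id(rec):  # 'audit(1281082727.83:20483):' -> '1281082727.83:20483'
    return rec['msg'][len('audit('):].rstrip('):')

def type_of(ctx):  # user:role:type[:mls] -> type
    return ctx.split(':')[2]

def classify(avc_line, syscall_line):
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if event_id(avc) != event_id(sc):
        raise ValueError('records belong to different audit events')
    src, tgt = type_of(avc['scontext']), type_of(avc['tcontext'])
    cls, perms = avc['tclass'], ' '.join(avc['perms'])
    # Heuristic (assumed here): a denial raised during execve is the inherited-fd
    # check, so the descriptor was leaked by the parent (ppid), where the fix belongs.
    fd_leak = EXECVE.get(sc.get('arch')) == sc.get('syscall')
    return {
        'event': event_id(avc), 'source_domain': src, 'target_type': tgt,
        'tclass': cls, 'perms': avc['perms'], 'fd_leak': fd_leak,
        # audit2allow proposes the allow rule; for a leak that grants access
        # the program never needs, so the policy fix for this bug used dontaudit.
        'allow_rule': f'allow {src} {tgt}:{cls} {{ {perms} }};',
        'dontaudit_rule': f'dontaudit {src} {tgt}:{cls} {{ {perms} }};',
    }
```

Feeding it the i686 report from the same thread (arch=40000003, syscall=11) classifies that event the same way.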
I just started getting this on both my laptop and tower today. In my case, a look at my mail (/var/spool/root) showed every instance was clamware and Klamav being suddenly unable to get any more updates (which is why it seems to happen on the hour, every hour).

A sample... note the repeating times:

Date: Tue, 29 Jun 2010 09:00:01 -0400
Message-Id: <201006291300.o5TD012I014160>
From: root (Cron Daemon)
To: root
Subject: Cron <root@hub> /usr/share/clamav/freshclam-sleep
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

WARNING: update of clamav database is disabled; please see '/etc/sysconfig/freshclam' for information how to enable the periodic update resp. how to turn off this message.

From root  Tue Jun 29 12:00:08 2010
Return-Path: <root>
Received: from hub.cnc (hub.cnc [127.0.0.1]) by hub.cnc (8.14.4/8.14.4) with ESMTP id o5TG02jV017739 for <root>; Tue, 29 Jun 2010 12:00:08 -0400
Received: (from root@localhost) by hub.cnc (8.14.4/8.14.4/Submit) id o5TG01HG017737; Tue, 29 Jun 2010 12:00:01 -0400
Date: Tue, 29 Jun 2010 12:00:01 -0400
Message-Id: <201006291600.o5TG01HG017737>
From: root (Cron Daemon)
To: root
Subject: Cron <root@hub> /usr/share/clamav/freshclam-sleep
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

WARNING: update of clamav database is disabled; please see '/etc/sysconfig/freshclam' for information how to enable the periodic update resp. how to turn off this message.

And on and on it went... Is this the same for everybody else, and if so, why is this needed update to protect windoze from itself not functioning?
I use linux to remotely scan laptops of other veterans in the facility I reside in, and being able to scan for their guffaws that disable antiviruses on their stuff from the outside is a handy thing when dealing with the clueXfour crowd.
Smacking head... there was no 0.96 update for clamav available through yum, and I chose not to rip it out and put in the .tar.gz package. Instead, I installed Klamav, which has no problem updating, and also generated no issues on a manual update. clamav won't even generate the conf files needed to update manually:

clamd.conf not found
freshclam.conf not found
clamav-milter.conf not found

...also... /usr/bin/clamconf shows it built on

I created an /etc/freshclam file, then edited it thus:

DatabaseMirror db.gb.clamav.net

Problem solved. Freshclam now works, so at least in my case, the cron leak has been solved.
No clamav here. Just the default Linux cron jobs: cron.hourly, sa-update.cron, smoltSendProfile. These seem to be the default Fedora 13 setup (I haven't needed to change anything).
Something I just remembered - this hasn't happened since installation... until yesterday's update (my first since August 5). None of the other update periods had issues.
Apologies for the multiple comments (not thinking clearly). Here is the list of updates I did on August 12:

Updated:
ModemManager.x86_64 0:0.4-4.git20100720.fc13 acl.x86_64 0:2.2.49-6.fc13 cifs-utils.x86_64 0:4.6-1.fc13 cronie.x86_64 0:1.4.5-1.fc13 cronie-anacron.x86_64 0:1.4.5-1.fc13 doxygen.x86_64 1:1.7.1-1.fc13 gdb.x86_64 0:7.1-32.fc13 git.x86_64 0:1.7.2.1-2.fc13 glx-utils.x86_64 0:7.8.1-8.fc13 ibus-chewing.x86_64 0:1.3.6.20100730-1.fc13 imsettings.x86_64 0:0.108.1-1.fc13 imsettings-libs.x86_64 0:0.108.1-1.fc13 imsettings-xfce.x86_64 0:0.108.1-1.fc13 indent.x86_64 0:2.2.11-1.fc13 iputils.x86_64 0:20071127-12.fc13 jpackage-utils.noarch 0:1.7.5-3.11.fc13 kdevelop.x86_64 9:4.0.0-2.fc13 kdevelop-libs.x86_64 9:4.0.0-2.fc13 libacl.x86_64 0:2.2.49-6.fc13 libacl-devel.x86_64 0:2.2.49-6.fc13 libblkid.x86_64 0:2.17.2-7.fc13 libcap-ng.x86_64 0:0.6.4-2.fc13 libcgroup.x86_64 0:0.35.1-3.fc13 libcollection.x86_64 0:0.4.0-19.fc13 libdhash.x86_64 0:0.4.0-19.fc13 libini_config.x86_64 0:0.5.0-19.fc13 libuuid.i686 0:2.17.2-7.fc13 libuuid.x86_64 0:2.17.2-7.fc13 libuuid-devel.x86_64 0:2.17.2-7.fc13 linux-firmware.noarch 0:20100806-2.fc13 mesa-dri-drivers.x86_64 0:7.8.1-8.fc13 mesa-libGL.x86_64 0:7.8.1-8.fc13 mesa-libGL-devel.x86_64 0:7.8.1-8.fc13 mesa-libGLU.x86_64 0:7.8.1-8.fc13 mesa-libGLU-devel.x86_64 0:7.8.1-8.fc13 net-snmp.x86_64 1:5.5-15.fc13 net-snmp-libs.x86_64 1:5.5-15.fc13 openconnect.x86_64 0:2.25-1.fc13 orc.x86_64 0:0.4.6-1.fc13 perl-Compress-Raw-Bzip2.x86_64 0:2.030-1.fc13 perl-Compress-Raw-Zlib.x86_64 0:2.030-1.fc13 perl-Git.noarch 0:1.7.2.1-2.fc13 perl-IO-Compress.noarch 0:2.030-1.fc13 phpMyAdmin.noarch 0:3.3.5-1.fc13 python-setuptools.noarch 0:0.6.14-1.fc13 selinux-policy.noarch 0:3.7.19-44.fc13 selinux-policy-targeted.noarch 0:3.7.19-44.fc13 sssd.x86_64 0:1.2.2-19.fc13 sssd-client.x86_64 0:1.2.2-19.fc13 tk.x86_64 1:8.5.8-2.fc13 tzdata.noarch 0:2010k-1.fc13 tzdata-java.noarch 0:2010k-1.fc13 util-linux-ng.x86_64 0:2.17.2-7.fc13 vinagre.x86_64 0:2.30.2-1.fc13 virtuoso-opensource.x86_64 0:6.1.2-1.fc13 xorg-x11-server-Xorg.x86_64 0:1.8.2-3.fc13 xorg-x11-server-common.x86_64 0:1.8.2-3.fc13 xscreensaver-base.x86_64 1:5.11-8.1.fc13.respin1 xscreensaver-extras.x86_64 1:5.11-8.1.fc13.respin1 xscreensaver-gl-base.x86_64 1:5.11-8.1.fc13.respin1 xscreensaver-gl-extras.x86_64 1:5.11-8.1.fc13.respin1 yum.noarch 0:3.2.28-1.fc13 yum-utils.noarch 0:1.1.28-1.fc13

(I try to keep a separate log for each update).
You can test for F-13 build: http://koji.fedoraproject.org/koji/taskinfo?taskID=2399590 Updates will be created soon.
Just started getting this yesterday. My software updates for last Wednesday 8/11/2010 are as follows:

Aug 11 10:47:29 Updated: openconnect-2.25-1.fc13.x86_64
Aug 11 10:47:31 Updated: iputils-20071127-12.fc13.x86_64
Aug 11 11:20:51 Updated: cronie-anacron-1.4.5-1.fc13.x86_64
Aug 11 11:20:52 Updated: cronie-1.4.5-1.fc13.x86_64
Aug 11 11:20:55 Updated: imsettings-libs-0.108.1-1.fc13.x86_64
Aug 11 11:21:22 Updated: selinux-policy-3.7.19-44.fc13.noarch
Aug 11 11:21:24 Updated: imsettings-0.108.1-1.fc13.x86_64
Aug 11 11:21:27 Updated: goffice-0.8.8-1.fc13.x86_64
Aug 11 11:22:23 Updated: selinux-policy-targeted-3.7.19-44.fc13.noarch
Aug 11 11:22:25 Updated: linux-firmware-20100806-2.fc13.noarch
Aug 11 11:22:33 Updated: pessulus-2.30.2-1.fc13.noarch

The following entry in my cron log seems to be the culprit, or at least when the violation occurs:

Aug 13 09:35:34 ncc1701 run-parts(/etc/cron.daily)[5865]: starting prelink
Aug 13 09:37:47 ncc1701 run-parts(/etc/cron.daily)[9171]: finished prelink
cronie-1.4.5-2.fc14 has been submitted as an update for Fedora 14. http://admin.fedoraproject.org/updates/cronie-1.4.5-2.fc14
cronie-1.4.5-2.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/cronie-1.4.5-2.fc13
*** Bug 621842 has been marked as a duplicate of this bug. ***
cronie-1.4.5-2.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update cronie'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/cronie-1.4.5-2.fc13
*** Bug 624284 has been marked as a duplicate of this bug. ***
cronie-1.4.5-2.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 624088 has been marked as a duplicate of this bug. ***
*** Bug 624213 has been marked as a duplicate of this bug. ***
cronie-1.4.5-2.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
cronie-1.4.7-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/cronie-1.4.7-1.fc14
cronie-1.4.7-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.