That's the updater for the clamav virus scanner, from the clamav-update package. Similarly to https://bugzilla.redhat.com/show_bug.cgi?id=728405 , I get the output:

/etc/init.d/functions: line 58: /dev/stderr: Permission denied

When I run it in permissive, I get AVCs like this (this is from more than one run):

type=AVC msg=audit(1315372489.776:700815): avc: denied { open } for pid=3530 comm="clamd.exim" dev=pipefs ino=1946620 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1315372622.277:700921): avc: denied { fowner } for pid=3597 comm="crond" capability=3 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1315372670.052:700932): avc: denied { open } for pid=3619 comm="clamd.exim" dev=pipefs ino=1947159 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1315372861.924:701069): avc: denied { fowner } for pid=3707 comm="crond" capability=3 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1315372910.276:701080): avc: denied { open } for pid=3730 comm="clamd.exim" dev=pipefs ino=1947932 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1315373042.514:701179): avc: denied { fowner } for pid=3789 comm="crond" capability=3 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1315373089.487:701190): avc: denied { open } for pid=3815 comm="clamd.exim" dev=pipefs ino=1948537 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

-Robin
Could you try to test it with the latest F15 policy available from koji http://koji.fedoraproject.org/koji/buildinfo?buildID=262145
Given this:

Installed Packages
libselinux.x86_64 2.0.99-4.fc15 @Fedora 15 - x86_64
libselinux-python.x86_64 2.0.99-4.fc15 @fedora
libselinux-ruby.x86_64 2.0.99-4.fc15 @fedora
libselinux-utils.x86_64 2.0.99-4.fc15 @Fedora 15 - x86_64
selinux-policy.noarch 3.9.16-39.fc15 installed
selinux-policy-targeted.noarch 3.9.16-39.fc15 installed

Same issue.

-Robin
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
You mean you are getting all these same AVC msgs?
Yes. I'm getting a bunch of these:

type=AVC msg=audit(1315488782.661:745159): avc: denied { fowner } for pid=31656 comm="crond" capability=3 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability

on this server only; I have no idea what that's about since all my servers are basically identical. In addition, I'm still getting:

type=AVC msg=audit(1315488830.388:745170): avc: denied { open } for pid=31674 comm="clamd.exim" dev=pipefs ino=2157502 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1315488830.388:745171): avc: denied { open } for pid=31674 comm="clamd.exim" dev=pipefs ino=2157502 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

and the /dev/stderr error.

-Robin
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).
(In reply to comment #5)
> Yes. I'm getting a bunch of these:
>
> type=AVC msg=audit(1315488782.661:745159): avc: denied { fowner } for
> pid=31656 comm="crond" capability=3
> scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability
>
> on this server only; I have no idea what that's about since all my servers are
> basically identical. In addition, I'm still getting:

I am fixing this one.

> type=AVC msg=audit(1315488830.388:745170): avc: denied { open } for
> pid=31674 comm="clamd.exim" dev=pipefs ino=2157502
> scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
> type=AVC msg=audit(1315488830.388:745171): avc: denied { open } for
> pid=31674 comm="clamd.exim" dev=pipefs ino=2157502
> scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
>

Strange, we have in the policy

cron_read_pipes(initrc_t)

Could you make sure

# yum reinstall selinux-policy-targeted --enablerepo=updates-testing

does not blow up.

>
> and the /dev/stderr error.
>
> -Robin
Yeah, the same problem with auditd is still occurring, too.

That command gets me selinux-policy-targeted-3.9.16-38.fc15.noarch , which I'm not sure was what you intended? ... *Huh*. Bizarrely, that *did* fix it. I wonder what was broken.

Thanks!

-Robin
It came back this morning. I investigated more. I have puppet remove the "unconfined" module on every run. As soon as that happens, this problem comes back, apparently? Specifically, I did

sudo yum reinstall --enablerepo=updates-testing selinux-policy-targeted selinux-policy

(this particular machine is running versions 3.9.16-39.fc15 , for what it's worth). Everything goes fine until I:

sudo semodule -r unconfined

and then it all breaks (i.e. the /dev/stderr error comes back). Running this:

sudo semodule -d unconfined

makes the /dev/stderr error come back too. So, not fixed yet. Let me know if I can give any kind of more detail.

Having the same issue with rotating auditd logs per https://bugzilla.redhat.com/show_bug.cgi?id=728405

-Robin
Could you try to test it with the latest policy available from koji http://koji.fedoraproject.org/koji/buildinfo?buildID=263146
rlpowell@morji> sudo yum list '*selinux-pol*'
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
selinux-policy.noarch 3.9.16-40.fc15 installed
selinux-policy-targeted.noarch 3.9.16-40.fc15 installed
Available Packages
selinux-policy-doc.noarch 3.9.16-38.fc15 updates
selinux-policy-minimum.noarch 3.9.16-38.fc15 updates
selinux-policy-mls.noarch 3.9.16-38.fc15 updates
rlpowell@morji> sudo sh -c "semanage module -l | grep -P '^unconfined\s'"
unconfined 3.3.0 Disabled

Yep, still has the /dev/stderr error.
What AVC are you seeing in permissive mode now?
Looks like just:

type=AVC msg=audit(1315892163.466:85643): avc: denied { open } for pid=11230 comm="clamd.exim" dev=pipefs ino=367153 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

Which certainly does seem like it'd be covered by cron_read_pipes(initrc_t)

I could arrange for an account if y'all want to explore this directly. Come find me on IRC as rlpowell if you like.

-Robin
Ok, I see

# sesearch -AC -s initrc_t -t crond_t -c fifo_file
Found 2 semantic av rules:
allow domain crond_t : fifo_file { ioctl read write getattr lock append } ;
allow initrc_t crond_t : fifo_file { ioctl read write getattr lock append open } ;

What does sesearch show you?
rlpowell@stodi> sudo sesearch -AC -s initrc_t -t crond_t -c fifo_file
Found 2 semantic av rules:
allow initrc_t crond_t : fifo_file { ioctl read write getattr lock append } ;
allow domain crond_t : fifo_file { ioctl read write getattr lock append } ;

No "open" in either case for mine.

-Robin
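The check done by hand in the two comments above (take the denied AVC, run the matching sesearch, see whether the denied permission appears in any listed rule), as an added Python example that is not part of the bug report. The AVC record and both sesearch outputs are quoted from this thread; the function names are my own.

```python
import re

# AVC denial quoted from comment 14 of this thread.
AVC_LINE = ('type=AVC msg=audit(1315892163.466:85643): avc: denied { open } for pid=11230 '
            'comm="clamd.exim" dev=pipefs ino=367153 scontext=system_u:system_r:initrc_t:s0 '
            'tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file')

# sesearch output quoted from the thread: the maintainer's policy (comment 15) grants
# "open" to initrc_t, the reporter's policy (comment 16) does not.
SESEARCH_MAINTAINER = """Found 2 semantic av rules:
allow domain crond_t : fifo_file { ioctl read write getattr lock append } ;
allow initrc_t crond_t : fifo_file { ioctl read write getattr lock append open } ;
"""
SESEARCH_REPORTER = """Found 2 semantic av rules:
allow initrc_t crond_t : fifo_file { ioctl read write getattr lock append } ;
allow domain crond_t : fifo_file { ioctl read write getattr lock append } ;
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?scontext=(?P<s>\S+)'
                    r'.*?tcontext=(?P<t>\S+).*?tclass=(?P<c>\S+)')
RULE_RE = re.compile(r'^allow\s+\S+\s+\S+\s*:\s*(?P<c>\S+)\s*\{\s*(?P<perms>[^}]*)\}', re.M)

def parse_avc(line):
    """Return (source type, target type, tclass, set of denied perms) from one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    stype = m.group('s').split(':')[2]  # a context is user:role:type[:range]
    ttype = m.group('t').split(':')[2]
    return stype, ttype, m.group('c'), set(m.group('perms').split())

def sesearch_query(avc_line):
    """The sesearch invocation (as used in the thread) that lists every rule for this denial."""
    stype, ttype, tclass, _ = parse_avc(avc_line)
    return 'sesearch -AC -s %s -t %s -c %s' % (stype, ttype, tclass)

def allowed_perms(sesearch_output, tclass):
    """Union of permissions the listed rules grant for tclass."""
    # sesearch -s/-t already filtered by source and target, expanding attributes such as
    # "domain" (which covers initrc_t), so every rule in its output applies to the denial.
    perms = set()
    for m in RULE_RE.finditer(sesearch_output):
        if m.group('c') == tclass:
            perms |= set(m.group('perms').split())
    return perms

def missing_perms(avc_line, sesearch_output):
    """Denied permissions that no listed rule grants; an empty set means the policy covers the AVC."""
    _, _, tclass, denied = parse_avc(avc_line)
    return denied - allowed_perms(sesearch_output, tclass)
```

Running missing_perms against the reporter's sesearch output reports {'open'}, which is exactly the permission the later comments say the rule lacked.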
We removed the open as we thought this was an inherited fifo_file. I have no problem allowing it.
Well the problem is we have in the policy

optional_policy(`
	cron_read_pipes(initrc_t)
	cron_manage_system_spool(initrc_t)
')

and

interface(`cron_read_pipes',`
	gen_require(`
		type crond_t;
	')

	allow $1 crond_t:fifo_file read_fifo_file_perms;
')

so it should work but it doesn't. But finally I have found a bug.

Fixed in selinux-policy-3.9.16-41.fc15
Let me know when that's in koji, please! -Robin
Still really looking forward to trying this out. -Robin
http://koji.fedoraproject.org/koji/buildinfo?buildID=265538
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
This problem is fixed in 41, but not 39. -Robin