Description of problem:
audit logs show a denial for crond_t every 10 minutes

Version-Release number of selected component (if applicable):
3.7.19-93.el6_1.7.noarch

How reproducible:
always

Steps to Reproduce:
1. enable tty auditing in system-auth for the root user
2. let cron run
3.

Actual results:
audit messages

Expected results:
no audit messages

Additional info:

cron pam.d file:

auth sufficient pam_rootok.so
auth required pam_env.so
auth include system-auth
account required pam_access.so
account include system-auth
session required pam_loginuid.so
session include system-auth

system-auth pam.d file:

auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=5
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 maxrepeats=3 minlen=12 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2 difok=5
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_tty_audit.so disable=* enable=root
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Could you please copy & paste the AVCs you are seeing?
Also, did you disable the unconfined module?
unconfined module is disabled

----
time->Mon Nov 7 03:10:01 2011
type=SOCKADDR msg=audit(1320653401.203:53934): saddr=100000000000000000000000
type=SYSCALL msg=audit(1320653401.203:53934): arch=c000003e syscall=46 success=yes exit=20 a0=3 a1=7fff1e386a70 a2=0 a3=8 items=0 ppid=2075 pid=8602 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=818 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320653401.203:53934): avc: denied { nlmsg_tty_audit } for pid=8602 comm="crond" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
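A triage helper for the denial quoted above, as an added example that is not part of the original bug thread: it groups audit records by event serial and reports `nlmsg_tty_audit` denials together with the calling executable and its tty, so requests from non-interactive services stand out. The sample input is constructed from the records in the comment (SYSCALL record trimmed) plus one constructed unrelated AVC; the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two records from the comment above (SYSCALL trimmed)
# plus one unrelated, made-up AVC to show that other denials are ignored.
SAMPLE = """\
type=SYSCALL msg=audit(1320653401.203:53934): arch=c000003e syscall=46 success=yes exit=20 ppid=2075 pid=8602 auid=0 uid=0 tty=(none) ses=818 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320653401.203:53934): avc: denied { nlmsg_tty_audit } for pid=8602 comm="crond" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1320653999.001:54000): avc: denied { read } for pid=9001 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def tty_audit_denials(text):
    """Return one dict per audit event that holds an nlmsg_tty_audit denial."""
    events = defaultdict(dict)            # serial -> {record type: raw line}
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events[m.group(3)][m.group(1)] = line
    hits = []
    for serial, recs in events.items():
        avc = AVC_RE.search(recs.get("AVC", ""))
        if not avc:
            continue
        perms, scon, tcon, tclass = avc.groups()
        if tclass != "netlink_audit_socket" or "nlmsg_tty_audit" not in perms.split():
            continue
        # The SYSCALL record of the same event says who asked and from which tty.
        sc = dict(FIELD.findall(recs.get("SYSCALL", "")))
        hits.append({
            "serial": serial,
            "domain": scon.split(":")[2],   # SELinux type of the caller
            "self": scon == tcon,           # netlink socket owned by the caller
            "exe": sc.get("exe", "").strip('"'),
            "tty": sc.get("tty"),           # "(none)" means no controlling tty
        })
    return hits

if __name__ == "__main__":
    for hit in tty_audit_denials(SAMPLE):
        print(hit)
```
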
Steve, does it make sense that crond would be turning this audit flag on, or is this a problem in the pam setup?
Crond should not be needing keystroke logging because it's not interactive. I suppose it's pulled in by the general config. I don't think it harms anything either way. Crond won't be doing any typing, so it would log nothing if it were allowed. But if you denied and don't audit, then you get the same thing.
Added dontaudit in Rawhide.
Fixed in selinux-policy-3.7.19-136.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0780.html