I recently upgraded policy from selinux-policy-strict-2.4.6-57.fc6 to selinux-policy-strict-2.4.6-69.fc6. As a consequence, I started to see the following errors in /var/log/cron every 10 minutes:

...
May 30 07:40:01 topaz crond[3717]: Authentication service cannot retrieve authentication info
May 30 07:40:01 topaz crond[3717]: CRON (root) ERROR: failed to open PAM security session: Success
May 30 07:40:01 topaz crond[3717]: CRON (root) ERROR: cannot set security context
May 30 07:50:01 topaz crond[3727]: Authentication service cannot retrieve authentication info
May 30 07:50:01 topaz crond[3727]: CRON (root) ERROR: failed to open PAM security session: Success
May 30 07:50:01 topaz crond[3727]: CRON (root) ERROR: cannot set security context
...

Meanwhile, the SELinux/syslog errors show:

May 30 02:40:01 topaz kernel: audit(1180489201.806:13): avc: denied { execute } for pid=3860 comm="crond" name="unix_chkpwd" dev=hda2 ino=453913 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
May 30 02:40:01 topaz crond[3860]: pam_unix(crond:account): helper binary execve failed: Permission denied
May 30 02:40:01 topaz crond[3859]: Authentication service cannot retrieve authentication info

The cron job which appeared to error was for sysstat, as in:

[root@topaz ~]# cat /etc/cron.d/sysstat
# run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib/sa/sa1 1 1
# generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib/sa/sa2 -A
[root@topaz ~]#

Looking at the policy changes for cron in policy 69, I see that the auth_domtrans_chk_passwd(crond_t) transition has been removed (see diff below). By adding this entry back into the SELinux policy for crond_t, I was apparently able to restore correct operation of cron:

auth_domtrans_chk_passwd(crond_t)

Is that the correct fix, or does the problem really lie in recoding crond itself to use unix_update instead of unix_chkpwd?
=================================================================== ... [root@topaz BUILD]# diff -uNr serefpolicy-2.4.6-57/policy/modules/services/cron.te serefpolicy-2.4.6-69/policy/modules/services/cron.te --- serefpolicy-2.4.6-57/policy/modules/services/cron.te 2007-04-27 08:47:01.000000000 +0100 +++ serefpolicy-2.4.6-69/policy/modules/services/cron.te 2007-05-30 08:57:20.000000000 +0100 @@ -73,7 +73,9 @@ # Cron Local policy # -allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control }; +allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; +logging_set_loginuid(crond_t) +logging_send_audit_msg(crond_t) dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; @@ -117,7 +119,7 @@ term_dontaudit_use_console(crond_t) # need auth_chkpwd to check for locked accounts. -auth_domtrans_chk_passwd(crond_t) +auth_domtrans_upd_passwd(crond_t) corecmd_exec_shell(crond_t) corecmd_list_sbin(crond_t) [root@topaz BUILD]# ... ... [root@topaz BUILD]# diff -uNr serefpolicy-2.4.6-57/policy/modules/system/authlogin.fc serefpolicy-2.4.6-69/policy/modules/system/authlogin.fc --- serefpolicy-2.4.6-57/policy/modules/system/authlogin.fc 2006-11-29 17:04:51.000000000 +0000 +++ serefpolicy-2.4.6-69/policy/modules/system/authlogin.fc 2007-05-30 08:57:20.000000000 +0100 
@@ -14,6 +14,7 @@ /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) ifdef(`distro_suse', ` /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') [root@topaz BUILD]# ... -- Ted Rule Director, Layer3 Systems Ltd W: http://www.layer3.co.uk/ -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
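Review bot: in the first cron.te hunk, audit_control is dropped from the crond_t self:capability set with no explanation, and the two new calls logging_set_loginuid(crond_t) and logging_send_audit_msg(crond_t) are presumably meant to replace it; a one-line comment above those calls stating that would save the next reader from reconstructing the intent, and the two interfaces should be checked to actually grant whatever crond needed audit_control for.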
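Review bot: in the second cron.te hunk, replacing auth_domtrans_chk_passwd(crond_t) with auth_domtrans_upd_passwd(crond_t) removes crond_t's transition to chkpwd_exec_t while the comment directly above still reads "# need auth_chkpwd to check for locked accounts", and the AVC denial quoted earlier in the mail (crond denied execute on unix_chkpwd, type chkpwd_exec_t) shows that pam_unix's account check on this system still execs unix_chkpwd; unless the shipped crond/pam_unix is known to use unix_update for the account step, keep auth_domtrans_chk_passwd(crond_t) alongside the new line, or at minimum rewrite the comment to say why it was dropped.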
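Review bot: the authlogin.fc hunk only adds a file context for /sbin/unix_update with the new updpwd_exec_t type; the domain and the auth_domtrans_upd_passwd interface that cron.te now depends on are not in this diff, and systems that already have the binary installed will not carry the new label until it is relabeled (for example with restorecon on /sbin/unix_update), so the update should note or trigger that, otherwise the transition crond_t is now pointed at cannot fire.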
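As an added illustration, not part of Ted's mail or of the reference policy, here is a small Python parser that pulls the fields out of AVC denials like the one quoted above and flags the crond_t to chkpwd_exec_t execute denial that is the signature of this regression. The two sample log lines are constructed (the second is unrelated filler for the filter to ignore), and the rendered allow rule is only the raw equivalent of what audit2allow would print; the mail's own fix is the auth_domtrans_chk_passwd(crond_t) interface, which also sets up the domain transition rather than a bare execute permission.

```python
import re

# Constructed sample: the AVC denial quoted in the mail, plus one unrelated
# denial so the filter has something to ignore.
SAMPLE_AUDIT_LOG = """\
May 30 02:40:01 topaz kernel: audit(1180489201.806:13): avc: denied { execute } for pid=3860 comm="crond" name="unix_chkpwd" dev=hda2 ino=453913 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
May 30 02:41:13 topaz kernel: audit(1180489273.120:14): avc: denied { read } for pid=3901 comm="httpd" name="index.html" dev=hda2 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# The permission set in braces, then the three context fields at the end.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Generic key=value pairs (pid, comm, name, dev, ino, ...), quoted or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec.update(m.groupdict())
    rec['perms'] = rec['perms'].split()
    # Third colon-separated field of a context is the type (domain for processes).
    rec['sdomain'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def allow_rule(rec):
    """Render the minimal TE allow rule that would silence this denial (audit2allow style)."""
    return 'allow %s %s:%s { %s };' % (
        rec['sdomain'], rec['ttype'], rec['tclass'], ' '.join(rec['perms']))


def crond_chkpwd_denials(log_text):
    """Pick out denials where crond_t is blocked from executing chkpwd_exec_t."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec['sdomain'] == 'crond_t'
                and rec['ttype'] == 'chkpwd_exec_t' and 'execute' in rec['perms']):
            hits.append(rec)
    return hits


if __name__ == '__main__':
    for hit in crond_chkpwd_denials(SAMPLE_AUDIT_LOG):
        print('pid %s (%s) on %s: %s' % (hit['pid'], hit['comm'], hit['name'], allow_rule(hit)))
```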