I have a cron job as follows:
# crontab -l -u softlib
45 4 * * * /softlib/scripts/updates-sync | Mail -s "Fedora updates subset mirror report" phowarth
The script runs reposync to pull in a subset of the updates repo, and I
have the output piped into Mail.
This has been trouble free up until I upgraded to F8, with
selinux-policy-3.0.8-44.fc8.
With SELinux in enforcing mode, the email I receive simply says
"/usr/sbin/sendmail: Permission denied".
I tried creating a local policy module as usual and ended up with this:
policy_module(localmisc, 0.0.7)

require {
        type system_mail_t;
        class netlink_route_socket { bind create getattr nlmsg_read read write };
}

#============= system_mail_t ==============
allow system_mail_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
unconfined_read_tmp_files(system_mail_t)
In permissive mode, this works, but in enforcing mode I just get the
usual "Permission denied" message. There are no more avcs in the audit
logs, but there is this:
type=SELINUX_ERR msg=audit(1194605105.159:168): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194605105.159:168): arch=40000003 syscall=11 success=no exit=-13 a0=805848b a1=9cf82b8 a2=bfcbf338 a3=9cf82b8 items=0 ppid=1537 pid=1550 auid=4294967295 uid=1502 gid=1502 euid=1502 suid=1502 fsuid=1502 egid=1502 sgid=1502 fsgid=1502 tty=(none) comm="Mail" exe="/bin/mail" subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 key=(null)
I thought there might be something dontaudited so I tried using
enableaudit.pp but the F8 policy doesn't include this. What's the method
for finding troublesome dontaudits that need to be allows in F8?
Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
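The records Paul quotes are the interesting part of this thread: there is no AVC, only a SELINUX_ERR from security_compute_sid plus the SYSCALL record that shares its serial number, which is why audit2allow has nothing to propose. The script below is an added example (not from the post or from the Fedora policy project) that parses audit lines of that shape, pairs each SELINUX_ERR with its SYSCALL record, and reports which field of the rejected context differs from the source context. The sample input is constructed: the two records from the post re-joined onto single lines, plus one made-up AVC record for contrast. The interpretation it prints rests on how security_compute_sid validates a computed context: the user, role and type combination must be authorised by the loaded policy, so when only the type changed, the missing piece is the role-to-type association.

```python
"""Triage SELinux audit records that are not AVC denials (added example)."""
import re
from collections import defaultdict

# Constructed sample input: the two records from the post, re-joined into
# single lines, plus one invented AVC record (serial 160) for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1194605100.001:160): avc:  denied  { read } for  pid=1540 comm="sendmail" name="tmpfile" dev=sda1 ino=12 scontext=unconfined_u:unconfined_r:system_mail_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SELINUX_ERR msg=audit(1194605105.159:168): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194605105.159:168): arch=40000003 syscall=11 success=no exit=-13 a0=805848b a1=9cf82b8 a2=bfcbf338 a3=9cf82b8 items=0 ppid=1537 pid=1550 auid=4294967295 uid=1502 gid=1502 euid=1502 suid=1502 fsuid=1502 egid=1502 sgid=1502 fsgid=1502 tty=(none) comm="Mail" exe="/bin/mail" subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 key=(null)
"""

# "type=X msg=audit(timestamp:serial): body"
HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value pairs; values may be quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
INVALID_CTX_RE = re.compile(r"invalid context (?P<ctx>\S+) for ")


def parse_record(line):
    """Split one audit line into type, serial and a dict of key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
    return {"type": m["type"], "serial": int(m["serial"]), "body": m["body"], "fields": fields}


def split_context(ctx):
    """user:role:type[:mls] -> dict."""
    user, role, typ, *mls = ctx.split(":")
    return {"user": user, "role": role, "type": typ, "mls": ":".join(mls)}


def explain_invalid_context(rec):
    """For a SELINUX_ERR record, report which parts of the rejected context
    differ from the source context; those are the fields the policy did not
    authorise together."""
    m = INVALID_CTX_RE.search(rec["body"])
    if not m:
        return None
    bad = split_context(m["ctx"])
    src = split_context(rec["fields"]["scontext"])
    changed = [k for k in ("user", "role", "type", "mls") if bad[k] != src[k]]
    return {
        "serial": rec["serial"],
        "invalid_context": m["ctx"],
        "scontext": rec["fields"]["scontext"],
        "tcontext": rec["fields"]["tcontext"],
        "tclass": rec["fields"]["tclass"],
        "changed": changed,
        "role": bad["role"],
        "type": bad["type"],
    }


def triage(audit_text):
    """Group records by serial, keep those with a SELINUX_ERR, and attach the
    matching SYSCALL details. AVC-only serials are left to audit2allow."""
    by_serial = defaultdict(list)
    for line in audit_text.splitlines():
        rec = parse_record(line.strip())
        if rec:
            by_serial[rec["serial"]].append(rec)
    findings = []
    for serial, recs in sorted(by_serial.items()):
        err = next((r for r in recs if r["type"] == "SELINUX_ERR"), None)
        if err is None:
            continue
        info = explain_invalid_context(err)
        if info is None:
            continue
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc:
            f = sc["fields"]
            info["exe"] = f.get("exe")
            info["comm"] = f.get("comm")
            info["exit"] = int(f.get("exit", "0"))  # -13 is EACCES
        info["has_avc"] = any(r["type"] == "AVC" for r in recs)
        findings.append(info)
    return findings


def summarize(info):
    """One-line human reading of a finding."""
    who = f"{info.get('comm')} ({info.get('exe')})"
    if info["changed"] == ["type"]:
        why = (f"the loaded policy does not associate role '{info['role']}' "
               f"with type '{info['type']}'")
    else:
        why = f"fields {info['changed']} of the computed context are not authorised together"
    avc = "no AVC record in this event, so audit2allow proposes nothing" if not info["has_avc"] else "an AVC is also present"
    return (f"serial {info['serial']}: {who} was denied a {info['tclass']} transition "
            f"to {info['invalid_context']}; {why}; {avc}")


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT):
        print(summarize(finding))
```

Run against a real log with `ausearch -m SELINUX_ERR,SYSCALL --raw` output piped in place of the constructed sample; the point of the pairing is that the SYSCALL record names the binary (`/bin/mail` here) while the SELINUX_ERR names the context the policy refused, and neither appears in audit2allow's input.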