On Fri, 09 Nov 2007 08:37:13 -0500 Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Fri, 2007-11-09 at 10:55 +0000, Paul Howarth wrote:
> > I have a cron job as follows:
> >
> > # crontab -l -u softlib
> > 45 4 * * * /softlib/scripts/updates-sync | Mail -s "Fedora updates subset mirror report" phowarth
> >
> > The script runs reposync to pull in a subset of the updates repo,
> > and I have the output piped into Mail.
> >
> > This has been trouble free up until I upgraded to F8, with
> > selinux-policy-3.0.8-44.fc8.
> >
> > With SELinux in enforcing mode, the email I receive simply says
> > "/usr/sbin/sendmail: Permission denied".
> >
> > I tried creating a local policy module as usual and ended up with
> > this:
> >
> > policy_module(localmisc, 0.0.7)
> >
> > require {
> >         type system_mail_t;
> >         class netlink_route_socket { bind create getattr nlmsg_read read write };
> > }
> >
> > #============= system_mail_t ==============
> > allow system_mail_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
> > unconfined_read_tmp_files(system_mail_t)
> >
> >
> > In permissive mode, this works, but in enforcing mode I just get
> > the usual "Permission denied" message. There are no more avcs in
> > the audit logs, but there is this:
> >
> > type=SELINUX_ERR msg=audit(1194605105.159:168): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
> > type=SYSCALL msg=audit(1194605105.159:168): arch=40000003 syscall=11 success=no exit=-13 a0=805848b a1=9cf82b8 a2=bfcbf338 a3=9cf82b8 items=0 ppid=1537 pid=1550 auid=4294967295 uid=1502 gid=1502 euid=1502 suid=1502 fsuid=1502 egid=1502 sgid=1502 fsgid=1502 tty=(none) comm="Mail" exe="/bin/mail" subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 key=(null)
>
> That indicates a missing role types rule, e.g.
> role unconfined_r types system_mail_t;
>
> Karl, old audit2allow dealt with those errors - new one needs to do
> likewise.

Thanks very much; the resulting policy module fixes the problem:

policy_module(localmisc, 0.0.8)

require {
        type system_mail_t;
        class netlink_route_socket { bind create getattr nlmsg_read read write };
}

#============= system_mail_t ==============
role unconfined_r types system_mail_t;
allow system_mail_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
unconfined_read_tmp_files(system_mail_t)

Is there any good reason why this shouldn't be in the default policy?
I'd have thought sending mail from cron jobs was a fairly common thing
to do?

> > I thought there might be something dontaudited so I tried using
> > enableaudit.pp but the F8 policy doesn't include this. What's the
> > method for finding troublesome dontaudits that need to be allows in
> > F8?
>
> semodule -DB will rebuild and reload policy w/o any dontaudit rules.
> semodule -B will then rebuild and reload policy with them.
>
> This is an improvement over enableaudit.pp because it covers all
> modules, not just base.

Thanks; noted for future reference.

Cheers, Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
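The thread's diagnosis turns on a record that audit2allow of the time ignored: a SELINUX_ERR from security_compute_sid naming an "invalid context", which means the target type is not permitted for the role of the calling process and needs a "role R types T;" rule rather than an allow rule. The script below is an added example, not code from the thread or from the audit2allow project, and the function names are my own. It extracts the role and type from every such record on stdin, deduplicates them, and wraps the resulting role rules in a .te skeleton shaped like Paul's localmisc module (the allow rules audit2allow already produces would be appended by hand). The sample input is the thread's own SELINUX_ERR record plus a constructed repeat of it and a trimmed copy of its SYSCALL companion, included so the dedup and the non-matching-record paths are exercised; it runs offline.

```shell
#!/bin/sh
# Added example (not part of the original thread): derive the
# "role R types T;" rule that the reply describes from SELINUX_ERR audit
# records, the case audit2allow of that era did not handle.

# Print "role type" pairs, one per line, deduplicated, for every invalid
# context that security_compute_sid reported in the audit records on stdin.
audit_invalid_role_types() {
    awk '
    /type=SELINUX_ERR/ && /security_compute_sid: invalid context/ {
        for (i = 2; i < NF; i++)
            if ($(i-1) == "invalid" && $i == "context") {
                n = split($(i+1), f, ":")   # user:role:type[:range]
                if (n >= 3 && !seen[f[2] " " f[3]]++) print f[2], f[3]
            }
    }'
}

# Turn the pairs into the rule form used in the reply: "role R types T;".
role_rules_from_audit() {
    audit_invalid_role_types | awk '{ print "role " $1 " types " $2 ";" }'
}

# Emit a complete local policy module (.te) wrapping those rules, in the
# shape of the thread's localmisc module. $1 = module name, $2 = version.
# Returns 1 (prints nothing) when no invalid-context record was seen.
# Build and load it the usual way:
#   checkmodule -M -m -o NAME.mod NAME.te
#   semodule_package -o NAME.pp -m NAME.mod
#   semodule -i NAME.pp
role_module_from_audit() {
    pairs=$(audit_invalid_role_types)
    [ -n "$pairs" ] || return 1
    printf 'policy_module(%s, %s)\n\nrequire {\n' "$1" "$2"
    printf '%s\n' "$pairs" | awk '{ print "\ttype " $2 ";" }' | sort -u
    printf '}\n\n'
    printf '%s\n' "$pairs" | awk '{ print "role " $1 " types " $2 ";" }'
}

# Constructed sample: the thread's SELINUX_ERR record, a trimmed copy of its
# SYSCALL record (must be ignored), and a repeat of the SELINUX_ERR record
# with a made-up timestamp (must be deduplicated).
SAMPLE_AUDIT='type=SELINUX_ERR msg=audit(1194605105.159:168): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194605105.159:168): arch=40000003 syscall=11 success=no exit=-13 comm="Mail" exe="/bin/mail" subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 key=(null)
type=SELINUX_ERR msg=audit(1194605170.001:171): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process'

# Stand-alone run: print the generated module for the sample records.
printf '%s\n' "$SAMPLE_AUDIT" | role_module_from_audit localmisc 0.0.8
```

On a live system the input would be `ausearch -m SELINUX_ERR` or the raw audit.log rather than the sample; the generated role rule is only the part audit2allow missed, so the allow lines it does produce for the same AVCs still belong in the same module.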