Paul Howarth wrote:
> On Fri, 09 Nov 2007 08:37:13 -0500
> Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
>> On Fri, 2007-11-09 at 10:55 +0000, Paul Howarth wrote:
>>> I have a cron job as follows:
>>>
>>> # crontab -l -u softlib
>>> 45 4 * * * /softlib/scripts/updates-sync | Mail -s "Fedora updates
>>> subset mirror report" phowarth
>>>
>>> The script runs reposync to pull in a subset of the updates repo,
>>> and I have the output piped into Mail.
>>>
>>> This has been trouble free up until I upgraded to F8, with
>>> selinux-policy-3.0.8-44.fc8.
>>>
>>> With SELinux in enforcing mode, the email I receive simply says
>>> "/usr/sbin/sendmail: Permission denied".
>>>
>>> I tried creating a local policy module as usual and ended up with
>>> this:
>>>
>>> policy_module(localmisc, 0.0.7)
>>>
>>> require {
>>>     type system_mail_t;
>>>     class netlink_route_socket { bind create getattr
>>>     nlmsg_read read write };
>>> }
>>>
>>> #============= system_mail_t ==============
>>> allow system_mail_t self:netlink_route_socket { bind create getattr
>>> nlmsg_read read write };
>>> unconfined_read_tmp_files(system_mail_t)
>>>
>>>
>>> In permissive mode, this works, but in enforcing mode I just get
>>> the usual "Permission denied" message. There are no more avcs in
>>> the audit logs, but there is this:
>>>
>>> type=SELINUX_ERR msg=audit(1194605105.159:168):
>>> security_compute_sid: invalid context
>>> unconfined_u:unconfined_r:system_mail_t:s0 for
>>> scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0
>>> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
>>> type=SYSCALL msg=audit(1194605105.159:168): arch=40000003
>>> syscall=11 success=no exit=-13 a0=805848b a1=9cf82b8 a2=bfcbf338
>>> a3=9cf82b8 items=0 ppid=1537 pid=1550 auid=4294967295 uid=1502
>>> gid=1502 euid=1502 suid=1502 fsuid=1502 egid=1502 sgid=1502
>>> fsgid=1502 tty=(none) comm="Mail" exe="/bin/mail"
>>> subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 key=(null)
>> That indicates a missing role types rule, e.g.
>> role unconfined_r types system_mail_t;
>>
>> Karl, old audit2allow dealt with those errors - new one needs to do
>> likewise.
>
> Thanks very much; the resulting policy module fixes the problem:
>
> policy_module(localmisc, 0.0.8)
>
> require {
>     type system_mail_t;
>     class netlink_route_socket { bind create getattr nlmsg_read
>     read write };
> }
>
> #============= system_mail_t ==============
> role unconfined_r types system_mail_t;
> allow system_mail_t self:netlink_route_socket { bind create getattr
> nlmsg_read read write };
> unconfined_read_tmp_files(system_mail_t)
>
>
> Is there any good reason why this shouldn't be in the default policy?
> I'd have thought sending mail from cron jobs was a fairly common thing
> to do?
>
>>> I thought there might be something dontaudited so I tried using
>>> enableaudit.pp but the F8 policy doesn't include this. What's the
>>> method for finding troublesome dontaudits that need to be allows in
>>> F8?
>> semodule -DB will rebuild and reload policy w/o any dontaudit rules.
>> semodule -B will then rebuild and reload policy with them.
>>
>> This is an improvement over enableaudit.pp because it covers all
>> modules, not just base.
>
> Thanks; noted for future reference.
>
> Cheers, Paul.

I think selinux-policy-3.0.8-54 should have all of these rules in it. If not 53.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
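An added example, not part of the thread, that does what Stephen says the old audit2allow did: read a `security_compute_sid: invalid context` record and emit the `role ... types ...;` rule it implies. The sample record is constructed to match the one Paul posted; the function names are assumptions of this example.

```shell
#!/bin/sh
# Derive a missing "role R types T;" rule from an SELINUX_ERR audit record.
# Constructed sample record, matching the one in the thread.
SAMPLE_AUDIT='type=SELINUX_ERR msg=audit(1194605105.159:168): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process'

# role_rule_from_audit LINE
# Prints "role <role> types <type>;" when LINE is a security_compute_sid
# "invalid context" error on a process transition (tclass=process).
# Prints nothing and returns 1 for any other record (e.g. ordinary AVCs).
role_rule_from_audit() {
    line=$1
    case $line in
        *"security_compute_sid: invalid context "*tclass=process*) ;;
        *) return 1 ;;
    esac
    # The rejected context is the word right after "invalid context".
    ctx=${line#*"invalid context "}
    ctx=${ctx%% *}
    # A context is user:role:type[:range]; the role/type pair is what the
    # policy lacks an authorisation for.
    role=$(printf '%s\n' "$ctx" | cut -d: -f2)
    dom=$(printf '%s\n' "$ctx" | cut -d: -f3)
    [ -n "$role" ] && [ -n "$dom" ] || return 1
    printf 'role %s types %s;\n' "$role" "$dom"
}

# role_rules_from_log < audit.log
# Scans a whole audit log on stdin and prints one rule per distinct
# role/type pair, ready to paste into the local policy module's body.
role_rules_from_log() {
    while IFS= read -r l; do
        role_rule_from_audit "$l"
    done | sort -u
}

# Demonstration on the constructed record; with a real log use
#   role_rules_from_log < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | role_rules_from_log
```

The emitted rule is exactly the line Paul added between the `require` block and the `allow` rule; each type named in such a rule still needs to be declared in `require` when it comes from another module.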