Re: Strange denials

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

On 07/04/2009 11:19 AM, Vadym Chepkov wrote:
> I barely redirect output of a cron job to /dev/null :(
>
> Is the a way to run cron unconfined? I don't see any boolean anymore.
>
> Sincerely yours,
>    Vadym Chepkov
The problem is not the confinement of cron, but the confinement of 
winbind.  winbind is handed an open file descritor from cron that it is 
not allowed to use.  SELinux closes the descriptor and reports the avc. 
 winbind and cron will continue to work without a problem.  You can add 
a dontaudit rule to tell SELinux to stop reporting the leaked file 
descriptor.
> --- On Sat, 7/4/09, Kévin GUERIN<leguerinos@xxxxxxxxx>  wrote:
>
> > From: Kévin GUERIN<leguerinos@xxxxxxxxx>
> > Subject: Re: Strange denials
> > To: "Vadym Chepkov"<chepkov@xxxxxxxxx>
> > Cc: "Fedora SELinux"<fedora-selinux-list@xxxxxxxxxx>
> > Date: Saturday, July 4, 2009, 10:55 AM
> > winbindd is running with no MCS
> > categories and tries to access a file with c0.c0123.
> >
> > Access will be granted only if winbindd runs with all the
> > categories that has the file it wants to interact with.
> >
> > Kévin
> >
> >
> > 2009/7/4 Vadym Chepkov<chepkov@xxxxxxxxx>
> >
> >
> >
> > Ok, I am lost
> >
> >
> >
> > I clearly allowed this.
> >
> >
> >
> > allow winbind_t crond_t:fifo_file write;
> >
> >
> >
> > I can see it in the policy:
> >
> > sesearch --all --source winbind_t --target crond_t
> >
> > Found 3 semantic av rules:
> >
> >     allow winbind_t crond_t : process sigchld ;
> >
> >     allow winbind_t crond_t : fd use ;
> >
> >     allow winbind_t crond_t : fifo_file { ioctl read write
> > getattr lock append open } ;
> >
> >
> >
> > Why do I get denial anyway?
> >
> >
> >
> > time->Sat Jul  4 10:28:01 2009
> >
> > type=SYSCALL msg=audit(1246717681.676:10436): arch=40000003
> > syscall=11 success=yes exit=0 a0=9073c10 a1=9073358
> > a2=90732a8 a3=9073358 items=0 ppid=20323 pid=20324 auid=0
> > uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > tty=(none) ses=777 comm="winbindd"
> > exe="/usr/sbin/winbindd"
> > subj=system_u:system_r:winbind_t:s0 key=(null)
> >
> >
> > type=AVC msg=audit(1246717681.676:10436): avc:  denied  {
> > write } for  pid=20324 comm="winbindd"
> > path="pipe:[611496]" dev=pipefs ino=611496
> > scontext=system_u:system_r:winbind_t:s0
> > tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023
> > tclass=fifo_file
> >
> >
> >
> >
> >
> >
> > Sincerely yours,
> >
> >    Vadym Chepkov
> >
> >
> >
> > --
> >
> > fedora-selinux-list mailing list
> >
> > fedora-selinux-list@xxxxxxxxxx
> >
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list