On 07/04/2009 10:09 AM, Vadym Chepkov wrote:
It would be nice if the interface would be smart enough and allow output from the cron job to be sent, but no one is perfect :)
----
type=AVC msg=audit(1246715821.417:10142): avc: denied { write } for pid=11916 comm="winbind" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
----
type=AVC msg=audit(1246715821.780:10143): avc: denied { write } for pid=11925 comm="winbindd" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
Sincerely yours,
Vadym Chepkov
--- On Sat, 7/4/09, Vadym Chepkov<chepkov@xxxxxxxxx> wrote:
From: Vadym Chepkov<chepkov@xxxxxxxxx>
Subject: Re: Domain transition missing
To: "Dominick Grift"<domg472@xxxxxxxxx>
Cc: "Fedora SELinux"<fedora-selinux-list@xxxxxxxxxx>
Date: Saturday, July 4, 2009, 10:00 AM
This worked well too, thank you
system_u:system_r:winbind_t:SystemLow root
11926 1 0 09:57 ?
00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11928
11926 0 09:57 ? 00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11954
11926 0 09:57 ? 00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11956
11926 0 09:57 ? 00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11957
11926 0 09:57 ? 00:00:00 winbindd
Sincerely yours,
Vadym Chepkov
--- On Sat, 7/4/09, Dominick Grift<domg472@xxxxxxxxx>
wrote:
From: Dominick Grift<domg472@xxxxxxxxx>
Subject: Re: Domain transition missing
To: "Vadym Chepkov"<chepkov@xxxxxxxxx>
Cc: "Fedora SELinux"<fedora-selinux-list@xxxxxxxxxx>
Date: Saturday, July 4, 2009, 9:28 AM
On Sat, 2009-07-04 at 06:18 -0700,
Vadym Chepkov wrote:
That would be unfortunate. Mine approach is not
uncommon. If you look closely you will see the same
technique in wast scripts. spamassassin restarts
itself when
it updates anti-spam rules, clamav does that
(antivirus) and
on and on. I use Fedora 11, by the way.
For now, instead of creating a new policy I just
added
'runcon -t unconfind_t ' in the cron, and it seemed to
did
the trick.
Sincerely yours,
Vadym Chepkov
Looking here:
http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/services/cron.if
line 235 to line 269.
That seems like a interface one might use in your
situation:
cron_system_entry(winbind_t, winbind_exec_t)
I admit that using cron with SELinux is not very easy
currently
--- On Sat, 7/4/09, Dominick Grift<domg472@xxxxxxxxx>
wrote:
From: Dominick Grift<domg472@xxxxxxxxx>
Subject: Re: Domain transition missing
To: "Vadym Chepkov"<chepkov@xxxxxxxxx>
Cc: "Fedora SELinux"<fedora-selinux-list@xxxxxxxxxx>
Date: Saturday, July 4, 2009, 8:57 AM
On Sat, 2009-07-04 at 05:48 -0700,
Vadym Chepkov wrote:
I really get used to running my
scripts
unconfined,
how I can accomplish it in this scenario?
Sincerely yours,
Vadym Chepkov
if you want the system to run jobs you will
need
to write
some policy or
extend the system_cronjob_t domain i think
Were those the only avc denial you got? I
would
expect more
denials.
--- On Sat, 7/4/09, Dominick Grift
<domg472@xxxxxxxxx>
wrote:
From: Dominick Grift<domg472@xxxxxxxxx>
Subject: Re: Domain transition
missing
To: "Vadym Chepkov"<chepkov@xxxxxxxxx>
Cc: "Fedora SELinux"<fedora-selinux-list@xxxxxxxxxx>
Date: Saturday, July 4, 2009, 8:41
AM
On Sat, 2009-07-04 at 14:38
+0200,
Dominick Grift wrote:
On Sat, 2009-07-04 at 05:11
-0700,
Vadym
Chepkov
wrote:
Hi,
Last night I got a
nasty
surprise from
selinux. I
am using winbind for external
authentication and
since it
has history of failures I have a
simple
watchdog
implemented
to check the status and restart it
if
necessary.
That
is what happened last night and
as a law
abiding
selinux citizen I used 'service
winbind
restart',
but it
seems the proper domain
transitions is
missing
and winbind
was started in system_cronjob_t
domain
instead of
winbind_t
and none of other domains could
connect
to it.
I think jobs running
from
cron should
be granted
the same transition rules as
from
unconfined_t.
I will file bugzilla
report
about it,
but could
somebody help me with modifying
my
local policy
until/if it
gets implemented, please? Thank
you.
Sincerely yours,
Vadym
Chepkov
A domain transition would
be:
policy_module(mywinbind,
0.0.1)
require { type
system_cronjob_t,
winbind_exec_t,
winbind_t; }
domain_auto_trans(system_cronjob_t,
winbind_exec_t,
winbind_t)
Can you show us the full raw
avc
denial?
But personally would deal with
this in
a
different way. I
would write
policy for the script that
restarts
winbind and
then i
would create a
domain transition for the domain
in
which the
script runs
to winbind_t.
Mainly because i wouldnt want to
extend/modify
system_cronjob_t
So: system_cronjob_t ->
myscript_exec_t ->
myscript_t
-> winbind_exec_t
-> winbind_t
--
fedora-selinux-list
mailing
list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Miroslav,
I think you should add
dontaudit $1 crond_t:fifo_file rw_fifo_file_perms;
To cron_system_entry to eliminate this leaked file descriptor problem.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
