Re: Domain transition missing

On 07/06/2009 02:38 PM, Daniel J Walsh wrote:
On 07/04/2009 10:09 AM, Vadym Chepkov wrote:
It would be nice if the interface would be smart enough and allow output from the cron job to be sent, but no one is perfect :)

----
type=AVC msg=audit(1246715821.417:10142): avc: denied { write } for pid=11916 comm="winbind" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
----
type=AVC msg=audit(1246715821.780:10143): avc: denied { write } for pid=11925 comm="winbindd" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

Sincerely yours,
   Vadym Chepkov


--- On Sat, 7/4/09, Vadym Chepkov<chepkov@xxxxxxxxx>  wrote:

From: Vadym Chepkov<chepkov@xxxxxxxxx>
Subject: Re: Domain transition missing
To: "Dominick Grift"<domg472@xxxxxxxxx>
Cc: "Fedora SELinux"<fedora-selinux-list@xxxxxxxxxx>
Date: Saturday, July 4, 2009, 10:00 AM
This worked well too, thank you

system_u:system_r:winbind_t:SystemLow root 11926     1  0 09:57 ?        00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11928 11926  0 09:57 ?        00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11954 11926  0 09:57 ?        00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11956 11926  0 09:57 ?        00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11957 11926  0 09:57 ?        00:00:00 winbindd


Sincerely yours,
   Vadym Chepkov


--- On Sat, 7/4/09, Dominick Grift <domg472@xxxxxxxxx> wrote:

From: Dominick Grift<domg472@xxxxxxxxx>
Subject: Re: Domain transition missing
To: "Vadym Chepkov"<chepkov@xxxxxxxxx>
Cc: "Fedora SELinux"<fedora-selinux-list@xxxxxxxxxx>
Date: Saturday, July 4, 2009, 9:28 AM
On Sat, 2009-07-04 at 06:18 -0700, Vadym Chepkov wrote:
That would be unfortunate. My approach is not uncommon. If you look closely you will see the same technique in vast scripts. spamassassin restarts itself when it updates anti-spam rules, clamav does that (antivirus), and on and on. I use Fedora 11, by the way.
For now, instead of creating a new policy I just added 'runcon -t unconfined_t ' in the cron, and it seemed to do the trick.
Sincerely yours,
    Vadym Chepkov

Looking here:
http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/services/cron.if
line 235 to line 269.

That seems like an interface one might use in your situation:

cron_system_entry(winbind_t, winbind_exec_t)

I admit that using cron with SELinux is not very easy currently.

--- On Sat, 7/4/09, Dominick Grift <domg472@xxxxxxxxx> wrote:
From: Dominick Grift<domg472@xxxxxxxxx>
Subject: Re: Domain transition missing
To: "Vadym Chepkov"<chepkov@xxxxxxxxx>
Cc: "Fedora SELinux"<fedora-selinux-list@xxxxxxxxxx>
Date: Saturday, July 4, 2009, 8:57 AM
On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote:
I really got used to running my scripts unconfined; how can I accomplish it in this scenario?
Sincerely yours,
    Vadym Chepkov

If you want the system to run jobs you will need to write some policy or extend the system_cronjob_t domain, I think.

Were those the only AVC denials you got? I would expect more denials.

--- On Sat, 7/4/09, Dominick Grift <domg472@xxxxxxxxx> wrote:
From: Dominick Grift <domg472@xxxxxxxxx>
Subject: Re: Domain transition missing
To: "Vadym Chepkov" <chepkov@xxxxxxxxx>
Cc: "Fedora SELinux" <fedora-selinux-list@xxxxxxxxxx>
Date: Saturday, July 4, 2009, 8:41 AM
On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
Hi,

Last night I got a nasty surprise from selinux. I am using winbind for external authentication and since it has a history of failures I have a simple watchdog implemented to check the status and restart it if necessary. That is what happened last night, and as a law-abiding selinux citizen I used 'service winbind restart', but it seems the proper domain transition is missing and winbind was started in the system_cronjob_t domain instead of winbind_t, and none of the other domains could connect to it.
I think jobs running from cron should be granted the same transition rules as from unconfined_t.
I will file a bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
Sincerely yours,
    Vadym Chepkov
A domain transition would be:

policy_module(mywinbind, 0.0.1)
require { type system_cronjob_t, winbind_exec_t, winbind_t; }
domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)

Can you show us the full raw avc denial?

But personally I would deal with this in a different way. I would write policy for the script that restarts winbind and then I would create a domain transition for the domain in which the script runs to winbind_t.

Mainly because I wouldn't want to extend/modify system_cronjob_t.

So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list






Miroslav,

I think you should add

dontaudit $1 crond_t:fifo_file rw_fifo_file_perms;

To cron_system_entry to eliminate this leaked file descriptor problem.


I will add this to selinux-policy-3.6.12-66.fc11

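The two AVC records quoted at the top of this thread carry both problems the thread works through: the first shows a winbind process whose source domain is system_cronjob_t (the missing transition), the second shows winbind_t writing to a crond_t pipe it inherited (the leaked file descriptor that Daniel Walsh proposes to dontaudit). The following shell script is an added illustration, not code from any message in this thread: it parses constructed copies of those two records, emits the allow/dontaudit rule that audit2allow would derive for such a plain denial, and flags a winbind process that is not running in winbind_t. The function names and the missing-transition marker are my own.

```shell
#!/bin/sh
# Constructed copies of the two AVC records quoted in the thread (one per variable).
AVC_CRONJOB='type=AVC msg=audit(1246715821.417:10142): avc: denied { write } for pid=11916 comm="winbind" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file'
AVC_WINBIND='type=AVC msg=audit(1246715821.780:10143): avc: denied { write } for pid=11925 comm="winbindd" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file'

# Pull one key=value field out of an AVC record (fields are space separated).
avc_field() { printf '%s\n' "$2" | sed -n "s/.*$1=\([^ ]*\).*/\1/p"; }

# Type component of a security context: user:role:type:range -> type.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Translate one AVC denial into a TE rule of the given kind (allow or dontaudit):
#   <kind> <source type> <target type>:<class> { <perms> };
# This is the mapping audit2allow performs for a plain denial. Returns 1 when
# the line is not a complete AVC record, so nothing misleading is emitted.
avc_to_rule() {
    kind=$1 line=$2
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p')
    scon=$(avc_field scontext "$line")
    tcon=$(avc_field tcontext "$line")
    tclass=$(avc_field tclass "$line")
    [ -n "$perms" ] && [ -n "$scon" ] && [ -n "$tcon" ] && [ -n "$tclass" ] || return 1
    printf '%s %s %s:%s { %s };\n' "$kind" "$(ctx_type "$scon")" "$(ctx_type "$tcon")" "$tclass" "$perms"
}

# Detect the symptom the thread opened with: a winbind process whose source
# domain is not winbind_t, i.e. cron started it without a domain transition.
check_transition() {
    comm=$(printf '%s\n' "$1" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
    sdom=$(ctx_type "$(avc_field scontext "$1")")
    case "$comm" in
        winbind*) [ "$sdom" = winbind_t ] && echo ok || echo "missing-transition:$sdom" ;;
        *)        echo ok ;;
    esac
}

# Stand-alone run: the first record is the missing transition (a rule here would
# be the wrong fix), the second is the leaked crond_t pipe that dontaudit covers.
for rec in "$AVC_CRONJOB" "$AVC_WINBIND"; do
    printf '%s  ->  %s\n' "$(check_transition "$rec")" "$(avc_to_rule dontaudit "$rec")"
done
```

The rule derived from the second record, `dontaudit winbind_t crond_t:fifo_file { write };`, is the per-domain form of the `dontaudit $1 crond_t:fifo_file rw_fifo_file_perms;` line proposed for cron_system_entry, where `$1` is the domain passed to the interface.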
