I'm still investigating a problem I reported to the list a while ago on CentOS 5.6: certain jobs run through cron work perfectly, but when run through anacron (for example, cron.daily on a freshly installed system) generate errors.

Both anacron and crond are running in the same context:

    # ps -ZC anacron -C crond
    LABEL                                           PID TTY          TIME CMD
    system_u:system_r:crond_t:SystemLow-SystemHigh 2779 ?        00:00:00 crond
    system_u:system_r:crond_t:SystemLow-SystemHigh 2792 ?        00:00:00 anacron

I added a "ps -eZ" command to a logwatch report to test this, and found something interesting: under anacron, the only process which had its SELinux context listed was the ps command itself.

Can someone explain why the logwatch process run by crond transitions to unconfined_t, while the same process run by anacron remains in logwatch_t:s0-s0:c0.c1023?

Run by cron:

    LABEL                             PID TTY          TIME CMD
    system_u:system_r:init_t            1 ?        00:00:02 init
    system_u:system_r:kernel_t          2 ?        00:00:00 migration/0
    system_u:system_r:kernel_t          3 ?        00:00:00 ksoftirqd/0
    system_u:system_r:kernel_t          4 ?        00:00:00 events/0
    system_u:system_r:kernel_t          5 ?        00:00:00 khelper
    system_u:system_r:kernel_t          6 ?        00:00:00 kthread
    system_u:system_r:kernel_t          9 ?        00:00:00 kblockd/0
    ...
    user_u:system_r:unconfined_t     3559 ?        00:00:00 run-parts
    user_u:system_r:unconfined_t     3564 ?        00:00:00 0logwatch
    user_u:system_r:unconfined_t     3565 ?        00:00:00 awk
    user_u:system_r:unconfined_t     3605 ?        00:00:00 perl
    user_u:system_r:sendmail_t       3611 ?        00:00:00 sendmail
    user_u:system_r:unconfined_t     3616 ?        00:00:00 sh
    user_u:system_r:unconfined_t     3617 ?        00:00:00 ps

Run by anacron:

    LABEL                                         PID TTY          TIME CMD
    -                                               1 ?        00:00:02 init
    -                                               2 ?        00:00:00 migration/0
    -                                               3 ?        00:00:00 ksoftirqd/0
    -                                               4 ?        00:00:00 events/0
    -                                               5 ?        00:00:00 khelper
    -                                               6 ?        00:00:00 kthread
    -                                               9 ?        00:00:00 kblockd/0
    ...
    -                                            4069 ?        00:00:00 run-parts
    -                                            4072 ?        00:00:00 0logwatch
    -                                            4073 ?        00:00:00 awk
    -                                            4105 ?        00:00:00 perl
    -                                            4107 ?        00:00:00 sendmail
    -                                            4116 ?        00:00:00 sh
    system_u:system_r:logwatch_t:s0-s0:c0.c1023  4117 ?        00:00:00 ps

AVC entries at the time of the anacron jobs are:

    time->Mon Feb 13 12:27:37 2012
    type=SYSCALL msg=audit(1329136057.506:52): arch=40000003 syscall=3 success=yes exit=177 a0=6 a1=2be900 a2=3ff a3=2be8a0 items=0 ppid=4108 pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1329136057.506:52): avc: denied { sys_ptrace } for pid=4109 comm="ps" capability=19 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=capability

    time->Mon Feb 13 12:27:37 2012
    type=SYSCALL msg=audit(1329136057.512:53): arch=40000003 syscall=3 success=no exit=-13 a0=6 a1=8d7ee20 a2=fff a3=fff items=0 ppid=4108 pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1329136057.512:53): avc: denied { getattr } for pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=process

    time->Mon Feb 13 12:27:37 2012
    type=SYSCALL msg=audit(1329136057.524:104): arch=40000003 syscall=3 success=yes exit=168 a0=6 a1=2be900 a2=3ff a3=2be8a0 items=0 ppid=4108 pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1329136057.524:104): avc: denied { ptrace } for pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process

    time->Mon Feb 13 12:27:37 2012
    type=SYSCALL msg=audit(1329136057.524:105): arch=40000003 syscall=3 success=no exit=-13 a0=6 a1=8d7ee20 a2=fff a3=fff items=0 ppid=4108 pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1329136057.524:105): avc: denied { getattr } for pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process

    time->Mon Feb 13 12:27:37 2012
    type=SYSCALL msg=audit(1329136057.688:254): arch=40000003 syscall=5 success=no exit=-13 a0=99ead34 a1=18800 a2=8058b0c a3=110 items=0 ppid=4108 pid=4114 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="du" exe="/usr/bin/du" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1329136057.688:254): avc: denied { read } for pid=4114 comm="du" name="pm" dev=dm-0 ino=491689 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_log_t:s0 tclass=dir

Moray.

"To err is human; to purr, feline."

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
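As an added example (not part of Moray's mail or of any SELinux project code), the script below parses AVC records out of raw audit.log or ausearch text and totals the denials by source domain, target type, object class and permission, which is the first thing to do when triaging a confined job like the anacron-launched logwatch run above. The sample text is copied from the records in the mail; the parsing functions and their names are my own assumptions, and SYSCALL and "time->" lines are deliberately skipped.

```python
"""Summarise SELinux AVC denials by (source type, target type, class, permission)."""
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the first SYSCALL/AVC pair and the remaining AVC records from the mail.
SAMPLE_AUDIT = """\
time->Mon Feb 13 12:27:37 2012
type=SYSCALL msg=audit(1329136057.506:52): arch=40000003 syscall=3 success=yes exit=177 a0=6 a1=2be900 a2=3ff a3=2be8a0 items=0 ppid=4108 pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1329136057.506:52): avc: denied { sys_ptrace } for pid=4109 comm="ps" capability=19 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1329136057.512:53): avc: denied { getattr } for pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=process
type=AVC msg=audit(1329136057.524:104): avc: denied { ptrace } for pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1329136057.524:105): avc: denied { getattr } for pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1329136057.688:254): avc: denied { read } for pid=4114 comm="du" name="pm" dev=dm-0 ino=491689 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_log_t:s0 tclass=dir
"""

# Matches the fixed prefix of an AVC record; \s+ tolerates the double spaces real
# audit.log lines carry as well as the single spaces seen in mail quotes.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for": values are either "quoted" or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str          # "denied" or "granted"
    perms: tuple         # permissions inside the braces, e.g. ("getattr",)
    fields: dict         # pid, comm, scontext, tcontext, tclass, name, ...

    def ctx_type(self, key):
        """Type component of a context like user:role:type[:range] (range dropped)."""
        return self.fields[key].split(":", 3)[2]


def parse_avc(line):
    """Parse one AVC line; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=tuple(m.group("perms").split()),
        fields=fields,
    )


def parse_audit(text):
    """Return all AVC records in raw audit text, skipping SYSCALL and time-> lines."""
    return [rec for rec in (parse_avc(l) for l in text.splitlines()) if rec]


def source_domains(records):
    """Set of source types that were denied; one entry means one confined domain."""
    return {r.ctx_type("scontext") for r in records if r.result == "denied"}


def summarize(records):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        if r.result != "denied":
            continue
        for perm in r.perms:
            counts[(r.ctx_type("scontext"), r.ctx_type("tcontext"),
                    r.fields["tclass"], perm)] += 1
    return counts


def format_summary(counts):
    """One human-readable line per bucket, sorted for stable output."""
    return [f"{n:3d}  {stype} -> {ttype} ({tclass}) : {perm}"
            for (stype, ttype, tclass, perm), n in sorted(counts.items())]


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    print("source domains:", ", ".join(sorted(source_domains(recs))))
    print("\n".join(format_summary(summarize(recs))))
```

On a live host feed it the output of `ausearch -m AVC -ts recent` instead of the sample string. Grouping on the type component deliberately discards the MLS range, so the `udev_t:s0-s0:c0.c1023` and `init_t:s0` targets are compared on type alone, which is what a policy rule would key on; every bucket here originates from logwatch_t, which matches the mail's observation that the anacron-started job never left that domain.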