On 01/18/2013 10:30 AM, Jean-David Beyer wrote:
> On 01/18/2013 09:24 AM, Miroslav Grepl wrote:
[snip]
>> Hi,
>> I believe we should collect all AVC msgs. Could you execute
>>
>> # semanage permissive -a system_mail_t

Should I turn this off again? I.e., set it to 'enforcing'?

>
> Done.
>>
>> which will make the domain permissive. So nothing will be denied and
>> we will see AVC msgs in /var/log/audit/audit.log. Also I believe the
>> local policy is better than a rebuild of the policy package.
>>
>
[snip]
> What I have already done is this:
>
>
> Jan 13 03:52:17 DellT7600 kernel: type=1400 audit(1358067137.751:38575):
> avc: denied { read } for pid=19533 comm="mailx"
> name="report.2013Jan130344" dev=sdb8 ino=525338
> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:cron_log_t:s0 tclass=file
>
> I tried to fix it with this:
>
> sealert -l b6766d24-f5e8-4db5-94eb-a153b7e0f35a
> SELinux is preventing /bin/mailx from read access on the file
> report.2013Jan180316.
>
> ***** Plugin catchall (100. confidence) suggests
> ***************************
>
> If you believe that mailx should be allowed read access on the
> report.2013Jan180316 file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep mailx /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> DellT7600:root[/var/log]# grep mailx /var/log/audit/audit.log |
> audit2allow -M mymail1
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
> semodule -i mymail1.pp
>
> DellT7600:root[/var/log]# semodule -i mymail1.pp
>
> But my guess is it will fail tomorrow anyway because the file in question
> tomorrow will be a different one, named something like
> report.2013Jan190316. We will see.

My guess was wrong. I am glad to be wrong in this case.

But will all those audit2allow things I ran persist over a reboot? I
hesitate to reboot the machine to test this, but perhaps I had better. I
saved (most of) the outputs of those

grep mailx /var/log/audit/audit.log | audit2allow -M mymail1
semodule -i mymail1.pp

things, but I do not imagine they will be automatically re-run; will
they? Does SELinux save them somewhere so they can be used again? There
are a bunch of these; in particular, this one:

[/var/log]$ cat mymail1.te

module mymail1 1.0;

require {
	type cron_log_t;
	type system_mail_t;
	class file read;
}

#============= system_mail_t ==============
allow system_mail_t cron_log_t:file read;

I guess I would like to know if the immediately above thing fixed it, or
if the semanage permissive -a system_mail_t did it.

>
> dominick.grift has another idea, but I am too new at this to fully
> understand what he says to do. I have been writing computer programs
> since about 1956, but SELinux is a bit beyond me. I do not want to take
> a month off to learn all about SELinux if I can possibly help it.
>

Well, it ran right last night. /var/log/syslog had this to say.

Running my script:

Jan 19 03:07:14 DellT7600 run-parts(/etc/cron.daily)[13004]: starting zBackup.daily
Jan 19 03:14:02 DellT7600 sendmail[13259]: r0J8E2QF013259: from=root, size=1312, class=0, nrcpts=1, msgid=<201301190814.r0J8E2QF013259@DellT7600.localdomain>, relay=root@localhost
Jan 19 03:14:02 DellT7600 sendmail[13262]: r0J8E2l5013262: from=<root@DellT7600.localdomain>, size=1586, class=0, nrcpts=1, msgid=<201301190814.r0J8E2QF013259@DellT7600.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan 19 03:14:02 DellT7600 sendmail[13259]: r0J8E2QF013259: to=jeandavid8, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31312, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (r0J8E2l5013262 Message accepted for delivery)
Jan 19 03:14:02 DellT7600 run-parts(/etc/cron.daily)[13266]: finished zBackup.daily

Then the entire /etc/cron.daily directory finishes up running under
run_parts. There is output to be mailed to me because there is set -x in
my script for debugging.

Jan 19 03:14:02 DellT7600 anacron[12982]: Job `cron.daily' terminated (mailing output)
Jan 19 03:14:02 DellT7600 sendmail[13263]: r0J8E2l5013262: to=<jeandavid8@DellT7600.localdomain>, ctladdr=<root@DellT7600.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31826, dsn=2.0.0, stat=Sent
Jan 19 03:14:02 DellT7600 sendmail[13267]: r0J8E2rG013267: from=root, size=2045, class=0, nrcpts=1, msgid=<201301190814.r0J8E2rG013267@DellT7600.localdomain>, relay=root@localhost
Jan 19 03:14:02 DellT7600 sendmail[13268]: r0J8E2pb013268: from=<root@DellT7600.localdomain>, size=2333, class=0, nrcpts=1, msgid=<201301190814.r0J8E2rG013267@DellT7600.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan 19 03:14:02 DellT7600 sendmail[13267]: r0J8E2rG013267: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=32045, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (r0J8E2pb013268 Message accepted for delivery)
Jan 19 03:14:02 DellT7600 anacron[12982]: Normal exit (1 job run)
Jan 19 03:14:02 DellT7600 sendmail[13269]: r0J8E2pb013268: to=jeandavid8, ctladdr=<root@DellT7600.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32569, dsn=2.0.0, stat=Sent

Now I will try to find the related stuff in /var/log/audit...

This is the last related entry that I can find. It is the failure from
yesterday. Nothing I can find about the success today.

type=AVC msg=audit(1358497393.637:38545): avc: denied { read } for pid=6812 comm="mailx" name="report.2013Jan180316" dev=sdb8 ino=525382 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=SYSCALL msg=audit(1358497393.637:38545): arch=c000003e syscall=21 success=no exit=-13 a0=7fff48054f22 a1=4 a2=7fff48054f22 a3=f items=0 ppid=6773 pid=6812 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=589 comm="mailx" exe="/bin/mailx" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

The set -x output from my script said (in part):

/etc/cron.daily/zBackup.daily:

+ id -a
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
+ /bin/env
+ /bin/mailx -s 'DellT7600 find|cpio Report' -a /var/log/Backups/report.2013Jan190307 jeandavid8
+ /bin/chmod 0664 /var/log/Backups/report.2013Jan190307
+ /bin/chgrp jeandavid8 /var/log/Backups/report.2013Jan190307
+ exit 0

And the /bin/env output is:

SHELL=/bin/sh
MAILTO=root
USER=root
PATH=/sbin:/bin:/usr/sbin:/usr/bin
PWD=/
HOME=/
SHLVL=6
START_HOURS_RANGE=3
LOGNAME=root
RANDOM_DELAY=45
_=/bin/env

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
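The thread above shows an AVC denial in two shapes (the kernel/syslog `type=1400` line and the audit.log `type=AVC` record) and the `mymail1.te` module that `audit2allow -M` built from it. The following is an added editorial example, not code from the thread or from the audit2allow tool: a small Python parser that extracts source type, target type, object class and permissions from such records and renders them in the same `.te` layout, so the relation between a denial and the rule that will be loaded can be checked by eye before `semodule -i`. The sample log is constructed from the records quoted in the thread; the `build_te` function merges every denial for the same (source, target, class) triple into one rule, which is also why a broad `grep mailx` can pull unrelated denials into one module and the generated `.te` is worth reading in full before loading it.

```python
import re
from collections import defaultdict

# Constructed sample input, reproducing the record shapes quoted in the thread:
# a kernel/syslog line (type=1400), an audit.log AVC record, and the SYSCALL
# record that accompanies it (which carries no allow-rule information).
SAMPLE_LOG = """\
Jan 13 03:52:17 DellT7600 kernel: type=1400 audit(1358067137.751:38575): avc: denied { read } for pid=19533 comm="mailx" name="report.2013Jan130344" dev=sdb8 ino=525338 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1358497393.637:38545): avc: denied { read } for pid=6812 comm="mailx" name="report.2013Jan180316" dev=sdb8 ino=525382 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=SYSCALL msg=audit(1358497393.637:38545): arch=c000003e syscall=21 success=no exit=-13 comm="mailx" exe="/bin/mailx"
"""

# Matches the permission set in braces, then the three fields a rule is built from.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a 'user:role:type[:range]' security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per AVC denial line."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:          # SYSCALL records and unrelated lines carry no denial
            continue
        found.append((type_of(m["scontext"]), type_of(m["tcontext"]),
                      m["tclass"], frozenset(m["perms"].split())))
    return found


def _perm_list(perms):
    """Render one permission bare and several as a brace list, as policy syntax expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_te(module_name, denials, version="1.0"):
    """Merge denials into allow rules and render a .te module in audit2allow's layout."""
    rules = defaultdict(set)      # (src, tgt, class) -> permissions
    classes = defaultdict(set)    # class -> all permissions named for it (require block)
    types = set()
    for src, tgt, cls, perms in denials:
        rules[(src, tgt, cls)] |= perms
        classes[cls] |= perms
        types.update((src, tgt))

    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {cls} {_perm_list(classes[cls])};" for cls in sorted(classes)]
    lines.append("}")

    by_src = defaultdict(list)
    for (src, tgt, cls), perms in rules.items():
        by_src[src].append((tgt, cls, perms))
    for src in sorted(by_src):
        lines += ["", f"#============= {src} =============="]
        for tgt, cls, perms in sorted(by_src[src]):
            lines.append(f"allow {src} {tgt}:{cls} {_perm_list(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Prints the same module body the thread shows for mymail1.te.
    print(build_te("mymail1", parse_denials(SAMPLE_LOG)), end="")
```

Both commands used in the thread write to the persistent SELinux policy store, so a module installed with `semodule -i` and a domain marked with `semanage permissive -a` survive a reboot; `semodule -l` lists the installed modules and `semanage permissive -l` the permissive domains. The `.te` source is the artifact worth keeping, since the `.pp` can be rebuilt from it, and the permissive marking is the one to remove (`semanage permissive -d system_mail_t`) once the module alone is confirmed to cover the denial, because a permissive domain logs but never blocks.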