On 01/19/2013 07:34 AM, Jean-David Beyer wrote:
> On 01/18/2013 10:30 AM, Jean-David Beyer wrote:
>> On 01/18/2013 09:24 AM, Miroslav Grepl wrote:
>
> [snip]
>>> Hi, I believe we should collect all AVC msgs. Could you execute
>>>
>>> # semanage permissive -a system_mail_t
>
> Should I turn this off again? I.e., set it to 'enforcing'?

Yes, once you are done collecting the AVCs and are happy that it is
working properly.

semanage permissive -d system_mail_t

>>
>> Done.
>>>
>>> which will make the domain permissive. So nothing will be denied
>>> and we will see AVC msgs in /var/log/audit/audit.log. Also I believe
>>> the local policy is better than a rebuild of the policy package.
>>>
>>
> [snip]
>> What I have already done is this:
>>
>> Jan 13 03:52:17 DellT7600 kernel: type=1400 audit(1358067137.751:38575):
>> avc: denied { read } for pid=19533 comm="mailx"
>> name="report.2013Jan130344" dev=sdb8 ino=525338
>> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:cron_log_t:s0 tclass=file
>>
>> I tried to fix it with this:
>>
>> sealert -l b6766d24-f5e8-4db5-94eb-a153b7e0f35a
>> SELinux is preventing /bin/mailx from read access on the file
>> report.2013Jan180316.
>>
>> ***** Plugin catchall (100. confidence) suggests ***************************
>>
>> If you believe that mailx should be allowed read access on the
>> report.2013Jan180316 file by default. Then you should report this as a
>> bug. You can generate a local policy module to allow this access.
>> Do allow this access for now by executing:
>> # grep mailx /var/log/audit/audit.log | audit2allow -M mypol
>> # semodule -i mypol.pp
>>
>> DellT7600:root[/var/log]# grep mailx /var/log/audit/audit.log | audit2allow -M mymail1
>> ******************** IMPORTANT ***********************
>> To make this policy package active, execute:
>>
>> semodule -i mymail1.pp
>>
>> DellT7600:root[/var/log]# semodule -i mymail1.pp
>>
>> But my guess is it will fail tomorrow anyway because the file in question
>> tomorrow will be a different one, named something like
>> report.2013Jan190316. We will see.
>
> My guess was wrong. I am glad to be wrong in this case. But will all those
> audit2allow things I ran persist over a reboot? I hesitate to reboot the
> machine to test this but perhaps I had better. I saved (most of) the
> outputs of those
>
> grep mailx /var/log/audit/audit.log | audit2allow -M mymail1
> semodule -i mymail1.pp
>
> things, but I do not imagine they will be automatically re-run; will they?
> Does SELinux save them somewhere so they can be used again?
>
> There are a bunch of these; in particular, this one:
>
> [/var/log]$ cat mymail1.te
>
> module mymail1 1.0;
>
> require {
>         type cron_log_t;
>         type system_mail_t;
>         class file read;
> }
>
> #============= system_mail_t ==============
> allow system_mail_t cron_log_t:file read;
>
> I guess I would like to know if the immediately above thing fixed it, or if
> the
>
> semanage permissive -a system_mail_t
>
> did it.
>
>>
>> dominick.grift has another idea, but I am too new at this to fully
>> understand what he says to do. I have been writing computer programs since
>> about 1956, but SELinux is a bit beyond me. I do not want to take a month
>> off to learn all about SELinux if I can possibly help it.
>>
>
> Well it ran right last night.
>
> /var/log/syslog had this to say.
>
> Running my script.
>
> Jan 19 03:07:14 DellT7600 run-parts(/etc/cron.daily)[13004]: starting zBackup.daily
> Jan 19 03:14:02 DellT7600 sendmail[13259]: r0J8E2QF013259: from=root, size=1312, class=0, nrcpts=1, msgid=<201301190814.r0J8E2QF013259@DellT7600.localdomain>, relay=root@localhost
> Jan 19 03:14:02 DellT7600 sendmail[13262]: r0J8E2l5013262: from=<root@DellT7600.localdomain>, size=1586, class=0, nrcpts=1, msgid=<201301190814.r0J8E2QF013259@DellT7600.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
> Jan 19 03:14:02 DellT7600 sendmail[13259]: r0J8E2QF013259: to=jeandavid8, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31312, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (r0J8E2l5013262 Message accepted for delivery)
> Jan 19 03:14:02 DellT7600 run-parts(/etc/cron.daily)[13266]: finished zBackup.daily
>
> Then the entire /etc/cron.daily directory finishing up running under
> run_parts. There is output to be mailed to me because there is set -x in my
> script for debugging.
>
> Jan 19 03:14:02 DellT7600 anacron[12982]: Job `cron.daily' terminated (mailing output)
> Jan 19 03:14:02 DellT7600 sendmail[13263]: r0J8E2l5013262: to=<jeandavid8@DellT7600.localdomain>, ctladdr=<root@DellT7600.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31826, dsn=2.0.0, stat=Sent
> Jan 19 03:14:02 DellT7600 sendmail[13267]: r0J8E2rG013267: from=root, size=2045, class=0, nrcpts=1, msgid=<201301190814.r0J8E2rG013267@DellT7600.localdomain>, relay=root@localhost
> Jan 19 03:14:02 DellT7600 sendmail[13268]: r0J8E2pb013268: from=<root@DellT7600.localdomain>, size=2333, class=0, nrcpts=1, msgid=<201301190814.r0J8E2rG013267@DellT7600.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
> Jan 19 03:14:02 DellT7600 sendmail[13267]: r0J8E2rG013267: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=32045, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (r0J8E2pb013268 Message accepted for delivery)
> Jan 19 03:14:02 DellT7600 anacron[12982]: Normal exit (1 job run)
> Jan 19 03:14:02 DellT7600 sendmail[13269]: r0J8E2pb013268: to=jeandavid8, ctladdr=<root@DellT7600.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32569, dsn=2.0.0, stat=Sent
>
> Now I will try to find the related stuff in /var/log/audit...
>
> This is the last related entry that I can find. It is the failure from
> yesterday. Nothing I can find about the success today.
>
> type=AVC msg=audit(1358497393.637:38545): avc: denied { read } for pid=6812 comm="mailx" name="report.2013Jan180316" dev=sdb8 ino=525382 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
> type=SYSCALL msg=audit(1358497393.637:38545): arch=c000003e syscall=21 success=no exit=-13 a0=7fff48054f22 a1=4 a2=7fff48054f22 a3=f items=0 ppid=6773 pid=6812 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=589 comm="mailx" exe="/bin/mailx" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
>
> The set -x output from my script said (in part):
> /etc/cron.daily/zBackup.daily:
>
> + id -a
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
>
> + /bin/env
>
> + /bin/mailx -s 'DellT7600 find|cpio Report' -a /var/log/Backups/report.2013Jan190307 jeandavid8
> + /bin/chmod 0664 /var/log/Backups/report.2013Jan190307
> + /bin/chgrp jeandavid8 /var/log/Backups/report.2013Jan190307
> + exit 0
>
> And the /bin/env output is:
>
> SHELL=/bin/sh
> MAILTO=root
> USER=root
> PATH=/sbin:/bin:/usr/sbin:/usr/bin
> PWD=/
> HOME=/
> SHLVL=6
> START_HOURS_RANGE=3
> LOGNAME=root
> RANDOM_DELAY=45
> _=/bin/env
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

We do not currently allow log files mailed off the system by the system
mailer. I guess we could add a boolean for this, but I do not believe we
should allow this by default.
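The point settled in the thread above, that the allow rule audit2allow generates is keyed on the source and target types rather than on the file name, so report.2013Jan190316 is covered by the same rule as report.2013Jan180316, can be shown with a small parser over AVC records. This is an added example, not code from the thread or from audit2allow; the AVC lines are constructed after the ones quoted above, and parse_avc, collect_rules, render_te and is_covered are names chosen here.

```python
import re
from collections import defaultdict

# Constructed AVC records modelled on the ones quoted in the thread: same
# domain and type on two different days, so only the file name differs.
SAMPLE_AVCS = """\
type=AVC msg=audit(1358067137.751:38575): avc:  denied  { read } for  pid=19533 comm="mailx" name="report.2013Jan130344" dev=sdb8 ino=525338 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1358497393.637:38545): avc:  denied  { read } for  pid=6812 comm="mailx" name="report.2013Jan180316" dev=sdb8 ino=525382 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1358497393.640:38546): avc:  denied  { getattr } for  pid=6812 comm="mailx" path="/var/log/Backups/report.2013Jan180316" dev=sdb8 ino=525382 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None; the name= / path= field is ignored on purpose."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype, ttype = (m.group(g).split(':')[2] for g in ('scon', 'tcon'))  # type is the 3rd field
    return stype, ttype, m.group('tclass'), frozenset(m.group('perms').split())

def collect_rules(text):
    """Aggregate every denial into type-level rules, merging permissions per (source, target, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def render_te(name, rules):
    """Render the rules as a minimal .te module in the shape of the mymail1.te shown in the thread."""
    types, classes = set(), defaultdict(set)
    for (s, t, c), perms in rules.items():
        types |= {s, t}
        classes[c] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

def is_covered(line, rules):
    """True if a rule already grants every permission this denial asks for, whatever the file name."""
    parsed = parse_avc(line)
    return bool(parsed) and parsed[3] <= rules.get(parsed[:3], set())
```

Because the rule is written against cron_log_t as a whole, it lets the mailer domain read every file of that type, which is the scope the last reply declines to allow by default.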