On 5/11/20 2:23 PM, Robert Moskowitz wrote:
> A little background first.
>
> This is for Fedora 32 workstation which does not come with a default MTA
> and thus there is a slight challenge (ahem) getting CRON's output into
> the local mailstore. I don't want to install an MTA (leave why for the
> Fedora users list to discuss) and "procmail -f cron" leaves out a DATE
> header. So I wrote my own little script that I put in /usr/local/mycron
> that takes the output from cron and appends the proper content to
> /var/spool/mail/$USER.
>
> Works fine for my personal crontab, but has selinux problems for
> logwatch running as root (and probably any other cron task running as
> root).
>
> So I first got told by selinux troubleshooting that I needed:
>
> ausearch -c 'mycron' --raw | audit2allow -M my-mycron
> semodule -X 300 -i my-mycron.pp
>
> Which I did. Then after this night's run of logwatch, I see that I have
> the selinux troubleshoot icon, but when I look, it is empty? So I grep
> messages for logwatch, then grep the time it was running and found the
> following:
>
> May 11 03:43:19 lx140e setroubleshoot[121345]: SELinux is preventing mycron from add_name access on the directory root. For complete SELinux messages run: sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
> May 11 03:43:19 lx140e python3[121345]: SELinux is preventing mycron from add_name access on the directory root.#012#012***** Plugin catchall (100. confidence) suggests ******************#012#012If you believe that mycron should be allowed add_name access on the root directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'mycron' --raw | audit2allow -M my-mycron#012# semodule -X 300 -i my-mycron.pp#012
> May 11 03:43:23 lx140e systemd[1]: dbus-:1.1-org.fedoraproject.Setroubleshootd@15.service: Succeeded.
>
> So it looks like now I am told to run:
>
> ausearch -c 'mycron' --raw | audit2allow -M my-mycron
> semodule -X 300 -i my-mycron.pp
>
> Wait, that is the same as I ran earlier? And why did I have to grep
> messages to find these?

Hi,

Could you please share the output of this command:

# sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808

Then we can help you,

Thanks,
Lukas.

> Now I did update mycron in between. Will I have to run this every time
> I update mycron? How do I make it permanent? Also right now there is
> no /var/spool/mail/root mbox file.
>
> thanks
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx

--
Lukas Vrabec
SELinux Evangelist, Senior Software Engineer, Security Technologies
Red Hat, Inc.
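The two journal lines quoted in the thread, run through a small triage parser. This is an added example, not code from the thread or from setroubleshoot: it undoes rsyslog's "#012" newline escaping and pulls out the denied permission, the object, the sealert id and the commands the catchall plugin proposed; the sample lines are constructed from the quoted message.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the two journal lines quoted in the thread, as rsyslog
# writes them to /var/log/messages (newlines in the message escaped as "#012").
SAMPLE_LINES = [
    "May 11 03:43:19 lx140e setroubleshoot[121345]: SELinux is preventing mycron "
    "from add_name access on the directory root. For complete SELinux messages "
    "run: sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808",
    "May 11 03:43:19 lx140e python3[121345]: SELinux is preventing mycron "
    "from add_name access on the directory root.#012#012***** Plugin catchall "
    "(100. confidence) suggests ******************#012#012If you believe that "
    "mycron should be allowed add_name access on the root directory by default."
    "#012Then you should report this as a bug.#012You can generate a local "
    "policy module to allow this access.#012Do#012allow this access for now by "
    "executing:#012# ausearch -c 'mycron' --raw | audit2allow -M my-mycron#012# "
    "semodule -X 300 -i my-mycron.pp#012",
]

HEADER = re.compile(r"SELinux is preventing (?P<source>\S+) from (?P<perm>\S+) "
                    r"access on the (?P<tclass>\S+) (?P<target>\S+?)\.")
SEALERT = re.compile(r"sealert -l (?P<uuid>[0-9a-f-]{36})")
PLUGIN = re.compile(r"\*+ Plugin (?P<name>\w+) \(")

@dataclass
class Denial:
    source: str                   # process that was denied (mycron)
    permission: str               # add_name
    target_class: str             # directory
    target: str                   # object name as setroubleshoot reports it
    uuid: Optional[str] = None    # argument for "sealert -l"
    plugin: Optional[str] = None  # "catchall" means no specific fix plugin matched
    commands: List[str] = field(default_factory=list)

def parse_denials(lines):
    """Group setroubleshoot journal lines by PID and merge them into Denial records."""
    by_pid = {}
    for line in lines:
        m = HEADER.search(line)
        pid = re.search(r"\[(\d+)\]:", line)
        if not m or not pid:
            continue                       # not a setroubleshoot denial message
        d = by_pid.setdefault(pid.group(1),
                              Denial(m["source"], m["perm"], m["tclass"], m["target"]))
        text = line.replace("#012", "\n")  # undo rsyslog's newline escaping
        if u := SEALERT.search(text):
            d.uuid = u["uuid"]
        if p := PLUGIN.search(text):
            d.plugin = p["name"]
        d.commands += [l[2:].strip() for l in text.splitlines() if l.startswith("# ")]
    return list(by_pid.values())
```

A `catchall` hit means setroubleshoot had no specific plugin for the denial, and the audit2allow module it proposes is built from whatever AVCs are currently in the audit log, so the generated .te should be read before the module is loaded.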