On 5/11/20 3:19 PM, Robert Moskowitz wrote:
>
>
> On 5/11/20 9:04 AM, Lukas Vrabec wrote:
>> On 5/11/20 2:23 PM, Robert Moskowitz wrote:
>>> A little background first.
>>>
>>> This is for Fedora 32 workstation which does not come with a default MTA
>>> and thus there is a slight challenge (ahem) getting CRON's output into
>>> the local mailstore. I don't want to install an MTA (leave why for
>>> Fedora users list discuss) and "procmail -f cron" leaves out a DATE
>>> header. So I wrote my own little script that I put in /usr/local/mycron
>>> that takes the output from cron and appends the proper content to
>>> /var/spool/mail/$USER.
>>>
>>> Works fine for my personal crontab, but has selinux problems for
>>> logwatch running as root (and probably any other cron task running as
>>> root).
>>>
>>> So I first got told by selinux troubleshooting that I needed:
>>>
>>> ausearch -c 'mycron' --raw | audit2allow -M my-mycron
>>> semodule -X 300 -i my-mycron.pp
>>>
>>> Which I did. Then after this night's run of logwatch, I see that I have
>>> the selinux troubleshoot icon, but when I look, it is empty? So I grep
>>> messages for logwatch, then grep the time it was running and found the
>>> following:
>>>
>>> May 11 03:43:19 lx140e setroubleshoot[121345]: SELinux is preventing mycron from add_name access on the directory root. For complete SELinux messages run: sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
>>> May 11 03:43:19 lx140e python3[121345]: SELinux is preventing mycron from add_name access on the directory root.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that mycron should be allowed add_name access on the root directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'mycron' --raw | audit2allow -M my-mycron#012# semodule -X 300 -i my-mycron.pp#012
>>> May 11 03:43:23 lx140e systemd[1]: dbus-:1.1-org.fedoraproject.Setroubleshootd@15.service: Succeeded.
>>>
>>> So it looks like now I am told to run:
>>>
>>> ausearch -c 'mycron' --raw | audit2allow -M my-mycron
>>> semodule -X 300 -i my-mycron.pp
>>>
>>> Wait, that is the same I ran earlier? And why did I have to grep
>>> messages to find these?
>>>
>> Hi,
>>
>> Could you please share output of this command:
>>
>> # sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
>
> # sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
> Error
> query_alerts error (1003): id (8eb93a73-c7ff-42ec-bee1-594d77540808) not
> found
>
> And from the first selinux alert:
>
> # sealert -l d05d8373-fae7-447e-b45a-74940959809e
> Error
> query_alerts error (1003): id (d05d8373-fae7-447e-b45a-74940959809e) not
> found
>
> I viewed the alerts with the SELinux troubleshooter, but I did NOT tell
> it to delete the alert :(
>

No problem, are you able to reproduce it? If yes, please do and then attach:

# ausearch -m AVC,USER_AVC -ts today

Thanks,
Lukas.

>> Then we can help you,
>> Thanks,
>> Lukas.
>>
>>> Now I did update mycron in between. Will I have to run this every time
>>> I update mycron? How do I make it permanent? Also right now there is
>>> no /var/spool/mail/root mbox file.
>>>
>>> thanks
>

-- 
Lukas Vrabec
SELinux Evangelist, Senior Software Engineer, Security Technologies
Red Hat, Inc.
Attachment:
signature.asc
Description: OpenPGP digital signature
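The thread revolves around the `ausearch | audit2allow -M | semodule -i` workflow and the question of what a setroubleshoot summary like "preventing mycron from add_name access on the directory root" actually refers to. The script below is an added example, not code from the thread or from the audit/policycoreutils projects: it reads raw AVC records (the format `ausearch --raw` prints, which Lukas asks for), prints a one-line summary of each denial, and prints the allow rule audit2allow would generate, so the rule can be read before it is built and installed. The AVC record embedded in it is constructed; its `comm`, `name` and permission mirror the message quoted in the thread, but the source and target types (`system_cronjob_t`, `mail_spool_t`) are placeholders, not what the poster's system logged.

```shell
#!/bin/sh
# Added example for reviewing AVC denials before turning them into a local
# policy module. Not from the mailing-list thread or from audit2allow.

# One constructed raw AVC record, in the shape `ausearch --raw` prints.
# scontext/tcontext types are placeholders; only comm/name/perm mirror
# the setroubleshoot message quoted in the thread.
SAMPLE_AVC='type=AVC msg=audit(1589169799.123:4567): avc:  denied  { add_name } for  pid=121340 comm="mycron" name="root" scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0'

# Read raw AVC records on stdin; print one line per record:
#   <comm> denied <perm> on <tclass> "<name>"
# This is the information setroubleshoot condenses into "SELinux is
# preventing mycron from add_name access on the directory root": the
# object is a directory whose last path component is "root".
# (Records that carry path= instead of name= are not matched here.)
avc_summary() {
    sed -n 's/.*avc:  *denied  *{ *\([^}]*[^} ]\) *} *for .* comm="\([^"]*\)" .*name="\([^"]*\)" .* tclass=\([a-z_]*\).*/\2 denied \1 on \4 "\3"/p'
}

# Read raw AVC records on stdin; print the de-duplicated allow rules that
# audit2allow would emit for them. Read these before installing anything:
# a rule wider than the script's job, or one whose target type is not the
# mail spool, usually means the fix is a file label or path, not a
# policy exception.
avc_to_allow() {
    sed -n 's/.*avc:  *denied  *{ *\([^}]*[^} ]\) *} *for .* scontext=[^:]*:[^:]*:\([^: ]*\).* tcontext=[^:]*:[^:]*:\([^: ]*\).* tclass=\([a-z_]*\).*/allow \2 \3:\4 { \1 };/p' | sort -u
}

# Live workflow (needs root and the audit/policycoreutils tools; defined
# but not called here). Each stage feeds the next so the generated rules
# are inspected before the module is built and installed. A module
# installed with `semodule -i` stays installed across reboots and across
# edits to the script itself; `semodule -r my-mycron` removes it.
review_denials() {
    avc=$(mktemp)
    ausearch -m AVC,USER_AVC -ts today --raw > "$avc"   # the search Lukas asks for
    avc_summary  < "$avc"                                # what was denied, on what
    avc_to_allow < "$avc"                                # the rules that would be granted
    audit2allow -M my-mycron < "$avc"                    # builds my-mycron.te and .pp
    semodule -X 300 -i my-mycron.pp                      # install at priority 300
    rm -f "$avc"
}

# Offline demonstration on the constructed record.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

The two `sed` patterns rely only on the fixed field order of AVC records (`avc: denied { perms } for ... comm= ... name= ... scontext= ... tcontext= ... tclass=`). `avc_to_allow` is a review aid, not a replacement for audit2allow: it does not fold `permissive=1` records, `dontaudit` candidates or interface macros, which is exactly why the generated `.te` from `audit2allow -M` is still worth opening before `semodule -i`.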
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx