Re: permission problems with script run via crondargs -m

On 5/11/20 3:19 PM, Robert Moskowitz wrote:
> 
> 
> On 5/11/20 9:04 AM, Lukas Vrabec wrote:
>> On 5/11/20 2:23 PM, Robert Moskowitz wrote:
>>> A little background first.
>>>
>>> This is for Fedora 32 workstation which does not come with a default MTA
>>> and thus there is a slight challenge (ahem) getting CRON's output into
>>> the local mailstore.  I don't want to install an MTA (leave why for
>>> Fedora users list discuss) and "procmail -f cron" leaves out a DATE
>>> header.  So I wrote my own little script that I put in /usr/local/mycron
>>> that takes the output from cron and appends the proper content to
>>> /var/spool/mail/$USER.
>>>
>>> Works fine for my personal crontab, but has selinux problems for
>>> logwatch running as root (and probably any other cron task running as
>>> root).
>>>
>>> So I first got told by selinux troubleshooting that I needed:
>>>
>>> ausearch -c 'mycron' --raw | audit2allow -M my-mycron
>>> semodule -X 300 -i my-mycron.pp
>>>
>>> Which I did.  Then after this night's run of logwatch, I see that I have
>>> the selinux troubleshoot icon, but when I look, it is empty? So I grep
>>> messages for logwatch, then grep the time it was running and found the
>>> following:
>>>
>>> May 11 03:43:19 lx140e setroubleshoot[121345]: SELinux is preventing mycron from add_name access on the directory root. For complete SELinux messages run: sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
>>> May 11 03:43:19 lx140e python3[121345]: SELinux is preventing mycron from add_name access on the directory root.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that mycron should be allowed add_name access on the root directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'mycron' --raw | audit2allow -M my-mycron#012# semodule -X 300 -i my-mycron.pp#012
>>> May 11 03:43:23 lx140e systemd[1]: dbus-:1.1-org.fedoraproject.Setroubleshootd@15.service: Succeeded.
>>>
>>> So it looks like now I am told to run:
>>>
>>> ausearch -c 'mycron' --raw | audit2allow -M my-mycron
>>> semodule -X 300 -i my-mycron.pp
>>>
>>> Wait, that is the same I ran earlier?  And why did I have to grep
>>> messages to find these?
>>>
>> Hi,
>>
>> Could you please share output of this command:
>>
>> # sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
> 
> # sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
> Error
> query_alerts error (1003): id (8eb93a73-c7ff-42ec-bee1-594d77540808) not found
> 
> And from the first selinux alert:
> 
> # sealert -l d05d8373-fae7-447e-b45a-74940959809e
> Error
> query_alerts error (1003): id (d05d8373-fae7-447e-b45a-74940959809e) not found
> 
> I viewed the alerts with the SELinux troubleshooter, but I did NOT tell
> it to delete the alert :(
> 

No problem, are you able to reproduce it? If yes, please do and then attach:

# ausearch -m AVC,USER_AVC -ts today

Thanks,
Lukas.

>> Then we can help you,
>> Thanks,
>> Lukas.
>>
>>> Now I did update mycron in between.  Will I have to run this every time
>>> I update mycron?  How do I make it permanent?  Also right now there is
>>> no /var/spool/mail/root mbox file.
>>>
>>> thanks
> 


-- 
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
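The setroubleshoot messages quoted in the thread are awkward to read in the journal because the embedded newlines are escaped as "#012" and the fix suggestion is appended to the same line; the sealert id also only appears on the first of the two lines. The following added example (not part of the thread or of setroubleshoot itself) parses such lines back into a structured record: it unescapes "#012", pulls out the process, the denied permission, the object class and the target, the plugin that produced the suggestion, the sealert id and the suggested commands. The SAMPLE_* inputs are constructed from the lines quoted above. The plugin name is worth recording because "catchall" means no specific setroubleshoot plugin recognised the denial, so the suggested audit2allow module simply allows whatever was denied (here, add_name in the root directory) rather than fixing a labelling problem.

```python
import re
from typing import Optional

# Constructed samples modelled on the two log lines quoted in the thread.
SAMPLE_SETROUBLESHOOT = (
    "May 11 03:43:19 lx140e setroubleshoot[121345]: SELinux is preventing "
    "mycron from add_name access on the directory root. For complete SELinux "
    "messages run: sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808"
)
SAMPLE_PYTHON3 = (
    "May 11 03:43:19 lx140e python3[121345]: SELinux is preventing mycron "
    "from add_name access on the directory root.#012#012*****  Plugin catchall "
    "(100. confidence) suggests   **************************#012#012If you "
    "believe that mycron should be allowed add_name access on the root "
    "directory by default.#012Then you should report this as a bug.#012You can "
    "generate a local policy module to allow this access.#012Do#012allow this "
    "access for now by executing:#012# ausearch -c 'mycron' --raw | audit2allow "
    "-M my-mycron#012# semodule -X 300 -i my-mycron.pp#012"
)
SAMPLE_UNRELATED = (
    "May 11 03:43:23 lx140e systemd[1]: "
    "dbus-:1.1-org.fedoraproject.Setroubleshootd@15.service: Succeeded."
)

# "SELinux is preventing <comm> from <perm> access on the <class> <target>."
DENIAL_RE = re.compile(
    r"SELinux is preventing (?P<comm>\S+) from (?P<perm>\S+) access on the "
    r"(?P<tclass>\S+) (?P<target>\S+?)\.(?:\s|$)"
)
ALERT_ID_RE = re.compile(r"sealert -l (?P<id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})")
PLUGIN_RE = re.compile(r"\*+\s+Plugin (?P<plugin>\w+) \(")


def unescape_journal(line: str) -> str:
    """Turn the '#012' escape the journal uses for embedded newlines back into '\\n'."""
    return line.replace("#012", "\n")


def parse_denial(line: str) -> Optional[dict]:
    """Return a structured record for a setroubleshoot denial line, or None."""
    text = unescape_journal(line)
    m = DENIAL_RE.search(text)
    if m is None:
        return None
    rec = m.groupdict()
    alert = ALERT_ID_RE.search(text)
    rec["alert_id"] = alert.group("id") if alert else None
    plugin = PLUGIN_RE.search(text)
    rec["plugin"] = plugin.group("plugin") if plugin else None
    # Suggested shell commands are the lines that start with the "# " prompt.
    rec["suggested_commands"] = [
        ln[2:].strip() for ln in text.splitlines() if ln.startswith("# ")
    ]
    return rec


def summarize(lines) -> list:
    """Parse many journal lines; keep only the denials, one record per line."""
    out = []
    for line in lines:
        rec = parse_denial(line)
        if rec is not None:
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in summarize([SAMPLE_SETROUBLESHOOT, SAMPLE_PYTHON3, SAMPLE_UNRELATED]):
        print(f"{rec['comm']}: {rec['perm']} on {rec['tclass']} {rec['target']} "
              f"(plugin={rec['plugin']}, alert={rec['alert_id']})")
        for cmd in rec["suggested_commands"]:
            print("   suggested:", cmd)
```

Feed it the output of `journalctl -t setroubleshoot -t python3` (or a grep of /var/log/messages, as in the thread) and it gives one record per denial, which is easier to compare across nights than the raw lines; the alert id can then be passed to `sealert -l` while it still exists.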
