Re: permission problems with script run via crondargs -m

On 5/12/20 5:50 PM, Robert Moskowitz wrote:
> 
> 
> On 5/12/20 11:36 AM, Lukas Vrabec wrote:
>> On 5/12/20 1:31 PM, Robert Moskowitz wrote:
>>> Lukas,
>>>
>>> Failed again last night see the end of this message.
>>>
>>> On 5/11/20 9:40 AM, Lukas Vrabec wrote:
>>>> On 5/11/20 3:19 PM, Robert Moskowitz wrote:
>>>>> On 5/11/20 9:04 AM, Lukas Vrabec wrote:
>>>>>> On 5/11/20 2:23 PM, Robert Moskowitz wrote:
>>>>>>> A little background first.
>>>>>>>
>>>>>>> This is for Fedora 32 workstation which does not come with a
>>>>>>> default MTA
>>>>>>> and thus there is a slight challenge (ahem) getting CRON's output
>>>>>>> into
>>>>>>> the local mailstore.  I don't want to install an MTA (leave why for
>>>>>>> Fedora users list discuss) and "procmail -f cron" leaves out a DATE
>>>>>>> header.  So I wrote my own little script that I put in
>>>>>>> /usr/local/mycron
>>>>>>> that takes the output from cron and appends the proper content to
>>>>>>> /var/spool/mail/$USER.
>>>>>>>
>>>>>>> Works fine for my personal crontab, but has selinux problems for
>>>>>>> logwatch running as root (and probably any other cron task
>>>>>>> running as
>>>>>>> root).
>>>>>>>
>>>>>>> So I first got told by selinux troubleshooting that I needed:
>>>>>>>
>>>>>>> ausearch -c 'mycron' --raw | audit2allow -M my-mycron
>>>>>>> semodule -X 300 -i my-mycron.pp
>>>>>>>
>>>>>>> Which I did.  Then after this night's run of logwatch, I see that I
>>>>>>> have
>>>>>>> the selinux troubleshoot icon, but when I look, it is empty? So I
>>>>>>> grep
>>>>>>> messages for logwatch, then grep the time it was running and
>>>>>>> found the
>>>>>>> following:
>>>>>>>
>>>>>>> May 11 03:43:19 lx140e setroubleshoot[121345]: SELinux is preventing
>>>>>>> mycron from add_name
>>>>>>> access on the directory root. For complete SELinux messages run:
>>>>>>> sealert
>>>>>>> -l 8eb93a73-c7ff-
>>>>>>> 42ec-bee1-594d77540808
>>>>>>> May 11 03:43:19 lx140e python3[121345]: SELinux is preventing mycron
>>>>>>> from add_name access
>>>>>>> on the directory root.#012#012*****  Plugin catchall (100.
>>>>>>> confidence)
>>>>>>> suggests   ********
>>>>>>> ******************#012#012If you believe that mycron should be
>>>>>>> allowed
>>>>>>> add_name access on
>>>>>>> the root directory by default.#012Then you should report this as a
>>>>>>> bug.#012You can generat
>>>>>>> e a local policy module to allow this access.#012Do#012allow this
>>>>>>> access
>>>>>>> for now by execut
>>>>>>> ing:#012# ausearch -c 'mycron' --raw | audit2allow -M my-mycron#012#
>>>>>>> semodule -X 300 -i my
>>>>>>> -mycron.pp#012
>>>>>>> May 11 03:43:23 lx140e systemd[1]:
>>>>>>> dbus-:1.1-org.fedoraproject.Setroubleshootd@15.service:
>>>>>>>     Succeeded.
>>>>>>>
>>>>>>> So it looks like now I am told to run:
>>>>>>>
>>>>>>> ausearch -c 'mycron' --raw | audit2allow -M my-mycron
>>>>>>> semodule -X 300 -i my-mycron.pp
>>>>>>>
>>>>>>> Wait, that is the same I ran earlier?  And why did I have to grep
>>>>>>> messages to find these?
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Could you please share output of this command:
>>>>>>
>>>>>> # sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
>>>>> # sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
>>>>> Error
>>>>> query_alerts error (1003): id
>>>>> (8eb93a73-c7ff-42ec-bee1-594d77540808) not
>>>>> found
>>>>>
>>>>> And from the first selinux alert:
>>>>>
>>>>> # sealert -l d05d8373-fae7-447e-b45a-74940959809e
>>>>> Error
>>>>> query_alerts error (1003): id
>>>>> (d05d8373-fae7-447e-b45a-74940959809e) not
>>>>> found
>>>>>
>>>>> I viewed the alerts with the SELinux troubleshooter, but I did NOT
>>>>> tell
>>>>> it to delete the alert :(
>>>>>
>>>> No problem, are you able to reproduce it? If yes, please do and then
>>>> attach:
>>>>
>>>> # ausearch -m AVC,USER_AVC -ts today
>>> # ausearch -m AVC,USER_AVC -ts today
>>> ----
>>> time->Tue May 12 03:22:06 2020
>>> type=AVC msg=audit(1589268126.630:3796): avc:  denied  { add_name } for
>>> pid=142359 comm="mycron" name="root"
>>> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
>>> tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0
>>>
>>> May 12 03:22:06 lx140e audit[142359]: AVC avc:  denied  { add_name }
>>> for  pid=142359 comm="mycron" name="root"
>>> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
>>> tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0
>>> May 12 03:22:09 lx140e systemd[1]: Started
>>> dbus-:1.1-org.fedoraproject.Setroubleshootd@20.service.
>>> May 12 03:22:09 lx140e audit[1]: SERVICE_START pid=1 uid=0
>>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>>> msg='unit=dbus-:1.1-org.fedoraproject.Setroubleshootd@20 comm="systemd"
>>> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>>> May 12 03:22:13 lx140e systemd[1]: Started
>>> dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10.service.
>>> May 12 03:22:13 lx140e audit[1]: SERVICE_START pid=1 uid=0
>>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>>> msg='unit=dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10
>>> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
>>> terminal=? res=success'
>>> May 12 03:22:19 lx140e setroubleshoot[142374]: SELinux is preventing
>>> mycron from add_name access on the directory root. For complete SELinux
>>> messages run: sealert -l 9fd5890f-400b-4ae0-8a98-43575ac4913a
>>> May 12 03:22:19 lx140e python3[142374]: SELinux is preventing mycron
>>> from add_name access on the directory root.#012#012*****  Plugin
>>> catchall (100. confidence) suggests **************************#012#012If
>>> you believe that mycron should be allowed add_name access on the root
>>> directory by default.#012Then you should report this as a bug.#012You
>>> can generate a local policy module to allow this access.#012Do#012allow
>>> this access for now by executing:#012# ausearch -c 'mycron' --raw |
>>> audit2allow -M my-mycron#012# semodule -X 300 -i my-mycron.pp#012
>>> May 12 03:22:23 lx140e systemd[1]:
>>> dbus-:1.1-org.fedoraproject.Setroubleshootd@20.service: Succeeded.
>>> May 12 03:22:23 lx140e audit[1]: SERVICE_STOP pid=1 uid=0
>>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>>> msg='unit=dbus-:1.1-org.fedoraproject.Setroubleshootd@20 comm="systemd"
>>> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>>> May 12 03:22:23 lx140e systemd[1]:
>>> dbus-:1.1-org.fedoraproject.Setroubleshootd@20.service: Consumed 3.306s
>>> CPU time.
>>> May 12 03:22:25 lx140e systemd[1]:
>>> dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10.service:
>>> Succeeded.
>>> May 12 03:22:25 lx140e audit[1]: SERVICE_STOP pid=1 uid=0
>>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>>> msg='unit=dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10
>>> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
>>> terminal=? res=success'
>>> May 12 03:22:25 lx140e systemd[1]:
>>> dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10.service:
>>> Consumed 5.271s CPU time.
>>>
>>> # sealert -l 9fd5890f-400b-4ae0-8a98-43575ac4913a
>>> Error
>>> query_alerts error (1003): id (9fd5890f-400b-4ae0-8a98-43575ac4913a) not
>>> found
>>>
>>>
>> Can you attach your "mycron" script? There is some issue with SELinux
>> domain transition.
> 
> Oh, and this script runs fine for root's crontab tasks.  It is failing
> on whatever kicks off logwatch.
> 

Yes, that's the problem.


Can you please run:

# semanage fcontext -a -t sendmail_exec_t /usr/local/mycron
# restorecon -Rv /usr/local

and then reproduce it? This could help.

Thanks,
Lukas.



-- 
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
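The two AVC records quoted above, worked through as an added example (not part of the thread, and not Robert's mycron script or any Red Hat tooling): a small parser for AVC denial lines that pulls out the source domain, target type, class and permission, prints the allow rule that audit2allow's catchall plugin would have generated, and flags the case Lukas diagnosed, where comm="mycron" runs in the caller's logwatch_t domain instead of transitioning. The sample log lines are constructed from the records in the thread; the expected domain for a sendmail_exec_t-labelled helper (system_mail_t) is an assumption of this example, not something the thread states.

```python
import re

# Constructed sample input: the two AVC records quoted in this thread, one in
# ausearch form and one as journald printed it (same event, pid 142359).
SAMPLE_LOG = """\
type=AVC msg=audit(1589268126.630:3796): avc:  denied  { add_name } for pid=142359 comm="mycron" name="root" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0
May 12 03:22:06 lx140e audit[142359]: AVC avc:  denied  { add_name } for  pid=142359 comm="mycron" name="root" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0
"""

# Assumption (not stated in the thread): a mail-delivery helper labelled
# sendmail_exec_t is expected to run in its own mail domain, not the caller's.
EXPECTED_DOMAIN = {"mycron": "system_mail_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """Return the type field (third component) of an SELinux context string."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "sdomain": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def catchall_rule(rec):
    """The TE allow rule audit2allow's catchall plugin would emit for this denial."""
    return f"allow {rec['sdomain']} {rec['ttype']}:{rec['tclass']} {{ {' '.join(rec['perms'])} }};"

def diagnose(rec):
    """Distinguish a genuinely missing rule from a missing domain transition."""
    want = EXPECTED_DOMAIN.get(rec["comm"])
    if want and want != rec["sdomain"]:
        return (f"{rec['comm']} ran in {rec['sdomain']} instead of {want}: fix the "
                f"executable's file context so it transitions; do not add "
                f"'{catchall_rule(rec)}', which widens {rec['sdomain']} itself")
    return f"no transition expected; review whether '{catchall_rule(rec)}' is acceptable"

def analyse(log):
    """Dedupe by (domain, type, class, perms) and diagnose each distinct denial."""
    seen = {}
    for rec in filter(None, map(parse_avc, log.splitlines())):
        key = (rec["sdomain"], rec["ttype"], rec["tclass"], tuple(rec["perms"]))
        seen.setdefault(key, diagnose(rec))
    return seen
```

Run against a live system with `ausearch -m AVC,USER_AVC -ts today | python3 thisfile.py` after adding a stdin-reading entry point; the two quoted records collapse to one distinct denial, logwatch_t -> mail_spool_t:dir add_name.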


_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx