Re: permission problems with script run via crondargs -m

On 5/12/20 12:13 PM, Lukas Vrabec wrote:
On 5/12/20 5:50 PM, Robert Moskowitz wrote:

On 5/12/20 11:36 AM, Lukas Vrabec wrote:
On 5/12/20 1:31 PM, Robert Moskowitz wrote:
Lukas,

Failed again last night see the end of this message.

On 5/11/20 9:40 AM, Lukas Vrabec wrote:
On 5/11/20 3:19 PM, Robert Moskowitz wrote:
On 5/11/20 9:04 AM, Lukas Vrabec wrote:
On 5/11/20 2:23 PM, Robert Moskowitz wrote:
A little background first.

This is for Fedora 32 workstation which does not come with a default MTA and thus there is a slight challenge (ahem) getting CRON's output into the local mailstore.  I don't want to install an MTA (leave why for the Fedora users list to discuss) and "procmail -f cron" leaves out a DATE header.  So I wrote my own little script that I put in /usr/local/mycron that takes the output from cron and appends the proper content to /var/spool/mail/$USER.

Works fine for my personal crontab, but has selinux problems for logwatch running as root (and probably any other cron task running as root).

So I first got told by selinux troubleshooting that I needed:

ausearch -c 'mycron' --raw | audit2allow -M my-mycron
semodule -X 300 -i my-mycron.pp

Which I did.  Then after this night's run of logwatch, I see that I have the selinux troubleshoot icon, but when I look, it is empty? So I grep messages for logwatch, then grep the time it was running and found the following:

May 11 03:43:19 lx140e setroubleshoot[121345]: SELinux is preventing mycron from add_name access on the directory root. For complete SELinux messages run: sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
May 11 03:43:19 lx140e python3[121345]: SELinux is preventing mycron from add_name access on the directory root.#012#012*****  Plugin catchall (100. confidence) suggests **************************#012#012If you believe that mycron should be allowed add_name access on the root directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'mycron' --raw | audit2allow -M my-mycron#012# semodule -X 300 -i my-mycron.pp#012
May 11 03:43:23 lx140e systemd[1]: dbus-:1.1-org.fedoraproject.Setroubleshootd@15.service: Succeeded.

So it looks like now I am told to run:

ausearch -c 'mycron' --raw | audit2allow -M my-mycron
semodule -X 300 -i my-mycron.pp

Wait, that is the same I ran earlier?  And why did I have to grep messages to find these?

Hi,

Could you please share output of this command:

# sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
# sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
Error
query_alerts error (1003): id (8eb93a73-c7ff-42ec-bee1-594d77540808) not found

And from the first selinux alert:

# sealert -l d05d8373-fae7-447e-b45a-74940959809e
Error
query_alerts error (1003): id (d05d8373-fae7-447e-b45a-74940959809e) not found

I viewed the alerts with the SELinux troubleshooter, but I did NOT tell it to delete the alert :(

No problem, are you able to reproduce it? If yes, please do and then attach:

# ausearch -m AVC,USER_AVC -ts today
# ausearch -m AVC,USER_AVC -ts today
----
time->Tue May 12 03:22:06 2020
type=AVC msg=audit(1589268126.630:3796): avc:  denied  { add_name } for pid=142359 comm="mycron" name="root" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0

May 12 03:22:06 lx140e audit[142359]: AVC avc:  denied  { add_name } for  pid=142359 comm="mycron" name="root" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0
May 12 03:22:09 lx140e systemd[1]: Started dbus-:1.1-org.fedoraproject.Setroubleshootd@20.service.
May 12 03:22:09 lx140e audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.1-org.fedoraproject.Setroubleshootd@20 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 12 03:22:13 lx140e systemd[1]: Started dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10.service.
May 12 03:22:13 lx140e audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 12 03:22:19 lx140e setroubleshoot[142374]: SELinux is preventing mycron from add_name access on the directory root. For complete SELinux messages run: sealert -l 9fd5890f-400b-4ae0-8a98-43575ac4913a
May 12 03:22:19 lx140e python3[142374]: SELinux is preventing mycron from add_name access on the directory root.#012#012*****  Plugin catchall (100. confidence) suggests **************************#012#012If you believe that mycron should be allowed add_name access on the root directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'mycron' --raw | audit2allow -M my-mycron#012# semodule -X 300 -i my-mycron.pp#012
May 12 03:22:23 lx140e systemd[1]: dbus-:1.1-org.fedoraproject.Setroubleshootd@20.service: Succeeded.
May 12 03:22:23 lx140e audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.1-org.fedoraproject.Setroubleshootd@20 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 12 03:22:23 lx140e systemd[1]: dbus-:1.1-org.fedoraproject.Setroubleshootd@20.service: Consumed 3.306s CPU time.
May 12 03:22:25 lx140e systemd[1]: dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10.service: Succeeded.
May 12 03:22:25 lx140e audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 12 03:22:25 lx140e systemd[1]: dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10.service: Consumed 5.271s CPU time.

# sealert -l 9fd5890f-400b-4ae0-8a98-43575ac4913a
Error
query_alerts error (1003): id (9fd5890f-400b-4ae0-8a98-43575ac4913a) not found


Can you attach your "mycron" script? There is some issue with SELinux domain transition.
Oh, and this script runs fine for root's crontab tasks.  It is failing on whatever kicks off logwatch.

Yes, that's the problem.


Can you please run:

# semanage fcontext -a -t sendmail_exec_t /usr/local/mycron
# restorecon -Rv /usr/local

and then reproduce it? This could help.


restorecon -Rv /usr/local
Relabeled /usr/local/mycron from unconfined_u:object_r:usr_t:s0 to unconfined_u:object_r:sendmail_exec_t:s0


Interesting...

Now we will see what happens tonight.

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
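An added example, not code from the thread or from any of its participants: a small Python parser that pulls the fields of interest out of AVC records in either the `ausearch` or the journal format shown above, so the source domain (here logwatch_t, the caller's domain rather than one of the script's own) and the target label (mail_spool_t) can be read off and compared before reaching for audit2allow. The sample log is constructed from the records quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two AVC records from the thread (ausearch and
# journal formats) plus a non-AVC systemd line that must be ignored.
SAMPLE_LOG = """\
time->Tue May 12 03:22:06 2020
type=AVC msg=audit(1589268126.630:3796): avc:  denied  { add_name } for pid=142359 comm="mycron" name="root" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0
May 12 03:22:06 lx140e audit[142359]: AVC avc:  denied  { add_name } for  pid=142359 comm="mycron" name="root" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0
May 12 03:22:09 lx140e systemd[1]: Started dbus-:1.1-org.fedoraproject.Setroubleshootd@20.service.
"""

# "avc:  denied  { perm ... } for key=value ..."; values may be quoted.
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Avc:
    verdict: str
    perms: tuple
    comm: str
    sdomain: str     # type field of scontext, e.g. logwatch_t
    ttype: str       # type field of tcontext, e.g. mail_spool_t
    tclass: str
    permissive: bool

def parse_avc(line: str) -> Optional[Avc]:
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC record (e.g. a systemd line)
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type:range; the type is the third field.
    return Avc(
        verdict=m.group("verdict"),
        perms=tuple(m.group("perms").split()),
        comm=f.get("comm", "?"),
        sdomain=f["scontext"].split(":")[2],
        ttype=f["tcontext"].split(":")[2],
        tclass=f.get("tclass", "?"),
        permissive=f.get("permissive") == "1",
    )

def denials(log: str) -> List[Avc]:
    return [a for a in map(parse_avc, log.splitlines()) if a and a.verdict == "denied"]

def summarize(a: Avc) -> str:
    # comm running in the caller's domain (logwatch_t) is the missing-transition symptom.
    return f"{a.comm} in {a.sdomain} denied {','.join(a.perms)} on {a.tclass} labeled {a.ttype}"
```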