Cron job fails to transition

Hi,
 
I'm working on a SELinux policy for AIDE on RHEL 5.3 running in Strict mode.  I am able to transition to aide_t fine when executed manually.  I am having trouble transitioning to aide_t when executing from a cron job.
The cron job is trying to do the following transition:
FROM: root:sysadm_r:sysadm_crond_t:s0-s0:c0.c1023 TO: root:system_r:aide_t:s0-s0:c0.c1023
 
Here's a snippet of the important rules I have in place for the transition in my aide.te:
 
# When an administrator executes a process with the type of
# $1_exec_t, the process transitions from sysadm_r to system_r.
role sysadm_r;
allow sysadm_r system_r;
role_transition sysadm_r aide_exec_t system_r; 
role system_r types aide_t;
allow sysadm_crond_t aide_t:process transition;
# Allow crontab to transition to aide_t
domain_auto_trans(system_crond_t, aide_exec_t, aide_t)

When the cron job runs, it does not transition to aide_t in enforcing mode.  audit2allow keeps suggesting "allow sysadm_crond_t aide_t:process transition;" even though I already have the rule in the policy.  It looks like it's having trouble transitioning from sysadm_r to system_r (I have the rules for that in the policy also).
 
Here's some output that might be useful:
 
# crontab -l
5 8 * * * /opt/security/aide_scan/bin/aide_scan.sh /opt/security/aide_scan/cfg/aide_scan.conf > /dev/null 2>&1
 
# ls -lZ /opt/security/aide_scan/bin/
-rwxr-x---  root root root:object_r:aide_exec_t        aide_scan.sh
# ls -lZ /var/spool/cron/root
-rw-------  root root system_u:object_r:sysadm_cron_spool_t /var/spool/cron/root
 
# ls -lZ /etc/crontab
-rw-r--r--  root root system_u:object_r:system_cron_spool_t /etc/crontab
 
# cat /var/log/audit/audit.log
 
type=AVC msg=audit(1250165101.793:1843): avc:  denied  { transition } for  pid=16995 comm="sh" path="/opt/security/aide_scan/bin/aide_scan.sh" dev=dm-0 ino=589841 scontext=root:sysadm_r:sysadm_crond_t:s0-s0:c0.c1023 tcontext=root:system_r:aide_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1250165101.793:1843): arch=c000003e syscall=59 success=yes exit=0 a0=c07d0b0 a1=c07cff0 a2=c07c0d0 a3=3 items=0 ppid=16993 pid=16995 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=239 comm="aide_scan.sh" exe="/bin/bash" subj=root:system_r:aide_t:s0-s0:c0.c1023 key=(null)
type=CRED_DISP msg=audit(1250165101.800:1844): user pid=16990 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(1250165101.800:1845): user pid=16990 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
 
# ps -eafZ | grep aide
system_u:system_r:crond_t:SystemLow-SystemHigh root 17128 11042  0 08:16 ? 00:00:00 crond
root:sysadm_r:sysadm_crond_t:SystemLow-SystemHigh root 17129 17128  0 08:16 ? 00:00:00 /bin/sh -c /opt/security/aide_scan/bin/aide_scan.sh /opt/security/aide_scan/cfg/aide_scan.conf > /dev/null 2>&1
root:system_r:aide_t:SystemLow-SystemHigh root 17130 17129  0 08:16 ? 00:00:00 /bin/sh /opt/security/aide_scan/bin/aide_scan.sh /opt/security/aide_scan/cfg/aide_scan.conf
root:system_r:aide_t:SystemLow-SystemHigh root 17155 17130 99 08:16 ? 00:01:07 /usr/sbin/aide --config=/opt/security/aide_scan/cfg/aide.conf --check
 
(As you can see, the process did transition to aide_t correctly in permissive mode.  However, in enforcing mode, aide does not start at all from the cron job.)
Can anybody out there shed some light on this problem?
 
Thanks,
 
Dan
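Added example, not part of Dan's message or the AIDE policy: a small Python helper that parses the AVC record quoted above and lists the rules the kernel consults for that exec-time domain transition. The role allow pair is included because, when the source and target roles differ, a missing role allow (or an MLS/role constraint) also surfaces as "denied { transition }" even though the allow rule for the process class exists; the executable's file type (aide_exec_t here, from ls -Z) is passed in because the AVC record does not carry it.

```python
import re

# Constructed sample input: the AVC record from the message above, on one line.
AVC_LINE = ('type=AVC msg=audit(1250165101.793:1843): avc:  denied  { transition } '
            'for  pid=16995 comm="sh" path="/opt/security/aide_scan/bin/aide_scan.sh" '
            'dev=dm-0 ino=589841 scontext=root:sysadm_r:sysadm_crond_t:s0-s0:c0.c1023 '
            'tcontext=root:system_r:aide_t:s0-s0:c0.c1023 tclass=process')


def parse_avc(line):
    """Pull the fields a transition denial turns on out of one AVC record.
    Returns None for records that are not AVC denials."""
    m = re.search(r'avc:\s+denied\s+\{ ([^}]+) \}', line)
    if not m:
        return None
    rec = {'perms': m.group(1).split()}
    for key in ('scontext', 'tcontext', 'tclass', 'path', 'comm'):
        f = re.search(r'\b%s=("?)([^"\s]+)\1' % key, line)
        rec[key] = f.group(2) if f else None
    if not rec['scontext'] or not rec['tcontext']:
        return None
    # A context is user:role:type[:range]; keep role and type separately.
    for ctx in ('scontext', 'tcontext'):
        _user, role, typ = rec[ctx].split(':', 3)[:3]
        rec[ctx + '_role'] = role
        rec[ctx + '_type'] = typ
    return rec


def transition_checklist(rec, exec_type):
    """Rules a policy must carry for the exec-time transition in rec.
    exec_type is the file type labelled on the executable (assumption:
    taken from ls -Z, since the AVC record does not include it)."""
    src, tgt = rec['scontext_type'], rec['tcontext_type']
    rules = [
        'allow %s %s:file execute;' % (src, exec_type),        # source may exec the file
        'allow %s %s:file entrypoint;' % (tgt, exec_type),     # file is an entrypoint to target
        'allow %s %s:process transition;' % (src, tgt),        # the denied permission itself
        'type_transition %s %s:process %s;' % (src, exec_type, tgt),  # makes it automatic
    ]
    src_role, tgt_role = rec['scontext_role'], rec['tcontext_role']
    if src_role != tgt_role:
        # Without this pair the kernel strips 'transition' from the allowed set.
        rules.append('allow %s %s;' % (src_role, tgt_role))
        rules.append('role_transition %s %s %s;' % (src_role, exec_type, tgt_role))
    rules.append('role %s types %s;' % (tgt_role, tgt))        # target type valid for role
    return rules


if __name__ == '__main__':
    for rule in transition_checklist(parse_avc(AVC_LINE), 'aide_exec_t'):
        print(rule)
```

Compare the printed list against the loaded policy (sesearch/seinfo) rather than the .te source, since a rule present in the source but not in the installed module gives exactly the repeated audit2allow suggestion seen here.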
