On 07/06/2009 02:38 PM, Daniel J Walsh wrote:
On 07/04/2009 10:09 AM, Vadym Chepkov wrote:
It would be nice if the interface would be smart enough and allow output from the cron job to be sent, but no one is perfect :)
type=AVC msg=audit(1246715821.417:10142): avc: denied { write } for pid=11916 comm="winbind" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1246715821.780:10143): avc: denied { write } for pid=11925 comm="winbindd" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
Sincerely yours, Vadym Chepkov
--- On Sat, 7/4/09, Vadym Chepkovchepkov@yahoo.com wrote:
From: Vadym Chepkovchepkov@yahoo.com Subject: Re: Domain transition missing To: "Dominick Grift"domg472@gmail.com Cc: "Fedora SELinux"fedora-selinux-list@redhat.com Date: Saturday, July 4, 2009, 10:00 AM This worked well too, thank you
system_u:system_r:winbind_t:SystemLow root 11926 1 0 09:57 ? 00:00:00 winbindd system_u:system_r:winbind_t:SystemLow root 11928 11926 0 09:57 ? 00:00:00 winbindd system_u:system_r:winbind_t:SystemLow root 11954 11926 0 09:57 ? 00:00:00 winbindd system_u:system_r:winbind_t:SystemLow root 11956 11926 0 09:57 ? 00:00:00 winbindd system_u:system_r:winbind_t:SystemLow root 11957 11926 0 09:57 ? 00:00:00 winbindd
Sincerely yours, Vadym Chepkov
--- On Sat, 7/4/09, Dominick Griftdomg472@gmail.com wrote:
From: Dominick Griftdomg472@gmail.com Subject: Re: Domain transition missing To: "Vadym Chepkov"chepkov@yahoo.com Cc: "Fedora SELinux"fedora-selinux-list@redhat.com Date: Saturday, July 4, 2009, 9:28 AM On Sat, 2009-07-04 at 06:18 -0700, Vadym Chepkov wrote:
That would be unfortunate. Mine approach is not
uncommon. If you look closely you will see the same technique in wast scripts. spamassassin restarts
itself when
it updates anti-spam rules, clamav does that
(antivirus) and
on and on. I use Fedora 11, by the way.
For now, instead of creating a new policy I just
added
'runcon -t unconfind_t ' in the cron, and it seemed to
did
the trick.
Sincerely yours, Vadym Chepkov
Looking here: http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/servic...
line 235 to line 269.
That seems like a interface one might use in your situation:
cron_system_entry(winbind_t, winbind_exec_t)
I admit that using cron with SELinux is not very easy currently
--- On Sat, 7/4/09, Dominick Griftdomg472@gmail.com
wrote:
From: Dominick Griftdomg472@gmail.com Subject: Re: Domain transition missing To: "Vadym Chepkov"chepkov@yahoo.com Cc: "Fedora SELinux"fedora-selinux-list@redhat.com Date: Saturday, July 4, 2009, 8:57 AM On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote: > I really get used to running my
scripts
unconfined,
how I can accomplish it in this scenario? > Sincerely yours, > Vadym Chepkov > if you want the system to run jobs you will
need
to write
some policy or extend the system_cronjob_t domain i think
Were those the only avc denial you got? I
would
expect more
denials.
> --- On Sat, 7/4/09, Dominick Grift
wrote: >> From: Dominick Griftdomg472@gmail.com >> Subject: Re: Domain transition
missing
>> To: "Vadym Chepkov"chepkov@yahoo.com >> Cc: "Fedora SELinux"fedora-selinux-list@redhat.com >> Date: Saturday, July 4, 2009, 8:41
AM
>> On Sat, 2009-07-04 at 14:38
+0200,
>> Dominick Grift wrote: >>> On Sat, 2009-07-04 at 05:11
-0700,
Vadym
Chepkov >> wrote: >>>> Hi, >>>> >>>> Last night I got a
nasty
surprise from
selinux. I >> am using winbind for external
authentication and
since it >> has history of failures I have a
simple
watchdog
implemented >> to check the status and restart it
if
necessary.
That >> is what happened last night and
as a law
abiding >> selinux citizen I used 'service
winbind
restart',
but it >> seems the proper domain
transitions is
missing
and winbind >> was started in system_cronjob_t
domain
instead of
winbind_t >> and none of other domains could
connect
to it.
>>>> I think jobs running
from
cron should
be granted >> the same transition rules as
from
unconfined_t. >>>> I will file bugzilla
report
about it,
but could >> somebody help me with modifying
my
local policy
until/if it >> gets implemented, please? Thank
you.
>>>> Sincerely yours, >>>> Vadym
Chepkov
>>> A domain transition would
be:
>>> policy_module(mywinbind,
0.0.1)
>>> require { type
system_cronjob_t,
winbind_exec_t, >> winbind_t; }
domain_auto_trans(system_cronjob_t,
winbind_exec_t, >> winbind_t) >>> Can you show us the full raw
avc
denial?
>> >> But personally would deal with
this in
a
different way. I >> would write >> policy for the script that
restarts
winbind and
then i >> would create a >> domain transition for the domain
in
which the
script runs >> to winbind_t. >> >> Mainly because i wouldnt want to
extend/modify
>> system_cronjob_t >> >> So: system_cronjob_t ->
myscript_exec_t ->
myscript_t >> -> winbind_exec_t >> -> winbind_t >> >>>> -- >>>> fedora-selinux-list
mailing
list
>>>> fedora-selinux-list@redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Miroslav,
I think you should add
dontaudit $1 crond_t:fifo_file rw_fifo_file_perms;
To cron_system_entry to eliminate this leaked file descriptor problem.
I will add this to selinux-policy-3.6.12-66.fc11