On 07/04/2009 10:09 AM, Vadym Chepkov wrote:
It would be nice if the interface would be smart enough and allow output from the cron job to be sent, but no one is perfect :)
type=AVC msg=audit(1246715821.417:10142): avc: denied { write } for pid=11916 comm="winbind" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1246715821.780:10143): avc: denied { write } for pid=11925 comm="winbindd" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
Sincerely yours, Vadym Chepkov
--- On Sat, 7/4/09, Vadym Chepkovchepkov@yahoo.com wrote:
From: Vadym Chepkovchepkov@yahoo.com Subject: Re: Domain transition missing To: "Dominick Grift"domg472@gmail.com Cc: "Fedora SELinux"fedora-selinux-list@redhat.com Date: Saturday, July 4, 2009, 10:00 AM This worked well too, thank you
system_u:system_r:winbind_t:SystemLow root 11926 1 0 09:57 ? 00:00:00 winbindd system_u:system_r:winbind_t:SystemLow root 11928 11926 0 09:57 ? 00:00:00 winbindd system_u:system_r:winbind_t:SystemLow root 11954 11926 0 09:57 ? 00:00:00 winbindd system_u:system_r:winbind_t:SystemLow root 11956 11926 0 09:57 ? 00:00:00 winbindd system_u:system_r:winbind_t:SystemLow root 11957 11926 0 09:57 ? 00:00:00 winbindd
Sincerely yours, Vadym Chepkov
--- On Sat, 7/4/09, Dominick Griftdomg472@gmail.com wrote:
From: Dominick Griftdomg472@gmail.com Subject: Re: Domain transition missing To: "Vadym Chepkov"chepkov@yahoo.com Cc: "Fedora SELinux"fedora-selinux-list@redhat.com Date: Saturday, July 4, 2009, 9:28 AM On Sat, 2009-07-04 at 06:18 -0700, Vadym Chepkov wrote:
That would be unfortunate. Mine approach is not
uncommon. If you look closely you will see the same technique in wast scripts. spamassassin restarts
itself when
it updates anti-spam rules, clamav does that
(antivirus) and
on and on. I use Fedora 11, by the way.
For now, instead of creating a new policy I just
added
'runcon -t unconfind_t ' in the cron, and it seemed to
did
the trick.
Sincerely yours, Vadym Chepkov
Looking here: http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/servic... line 235 to line 269.
That seems like a interface one might use in your situation:
cron_system_entry(winbind_t, winbind_exec_t)
I admit that using cron with SELinux is not very easy currently
--- On Sat, 7/4/09, Dominick Griftdomg472@gmail.com
wrote:
From: Dominick Griftdomg472@gmail.com Subject: Re: Domain transition missing To: "Vadym Chepkov"chepkov@yahoo.com Cc: "Fedora SELinux"fedora-selinux-list@redhat.com Date: Saturday, July 4, 2009, 8:57 AM On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote:
I really get used to running my
scripts
unconfined,
how I can accomplish it in this scenario?
Sincerely yours, Vadym Chepkov
if you want the system to run jobs you will
need
to write
some policy or extend the system_cronjob_t domain i think
Were those the only avc denial you got? I
would
expect more
denials.
--- On Sat, 7/4/09, Dominick Grift
wrote:
> From: Dominick Griftdomg472@gmail.com > Subject: Re: Domain transition
missing
> To: "Vadym Chepkov"chepkov@yahoo.com > Cc: "Fedora SELinux"fedora-selinux-list@redhat.com > Date: Saturday, July 4, 2009, 8:41
AM
> On Sat, 2009-07-04 at 14:38
+0200,
> Dominick Grift wrote: >> On Sat, 2009-07-04 at 05:11
-0700,
Vadym
Chepkov
> wrote: >>> Hi, >>> >>> Last night I got a
nasty
surprise from
selinux. I
> am using winbind for external
authentication and
since it
> has history of failures I have a
simple
watchdog
implemented
> to check the status and restart it
if
necessary.
That
> is what happened last night and
as a law
abiding
> selinux citizen I used 'service
winbind
restart',
but it
> seems the proper domain
transitions is
missing
and winbind
> was started in system_cronjob_t
domain
instead of
winbind_t
> and none of other domains could
connect
to it.
>>> I think jobs running
from
cron should
be granted
> the same transition rules as
from
unconfined_t.
>>> I will file bugzilla
report
about it,
but could
> somebody help me with modifying
my
local policy
until/if it
> gets implemented, please? Thank
you.
>>> Sincerely yours, >>> Vadym
Chepkov
>> A domain transition would
be:
>> policy_module(mywinbind,
0.0.1)
>> require { type
system_cronjob_t,
winbind_exec_t,
> winbind_t; }
domain_auto_trans(system_cronjob_t,
winbind_exec_t,
> winbind_t) >> Can you show us the full raw
avc
denial?
> > But personally would deal with
this in
a
different way. I
> would write > policy for the script that
restarts
winbind and
then i
> would create a > domain transition for the domain
in
which the
script runs
> to winbind_t. > > Mainly because i wouldnt want to
extend/modify
> system_cronjob_t > > So: system_cronjob_t ->
myscript_exec_t ->
myscript_t
> -> winbind_exec_t > -> winbind_t > >>> -- >>> fedora-selinux-list
mailing
list
>>> fedora-selinux-list@redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Miroslav,
I think you should add
dontaudit $1 crond_t:fifo_file rw_fifo_file_perms;
To cron_system_entry to eliminate this leaked file descriptor problem.