I barely redirect output of a cron job to /dev/null :(
Is there a way to run cron unconfined? I don't see any boolean anymore.
Sincerely yours, Vadym Chepkov
--- On Sat, 7/4/09, Kévin GUERIN <leguerinos@gmail.com> wrote:
From: Kévin GUERIN <leguerinos@gmail.com>
Subject: Re: Strange denials
To: "Vadym Chepkov" <chepkov@yahoo.com>
Cc: "Fedora SELinux" <fedora-selinux-list@redhat.com>
Date: Saturday, July 4, 2009, 10:55 AM

winbindd is running with no MCS categories and tries to access a file with c0.c0123.
Access will be granted only if winbindd runs with all the categories that has the file it wants to interact with.
Kévin
2009/7/4 Vadym Chepkov chepkov@yahoo.com
Ok, I am lost
I clearly allowed this.
allow winbind_t crond_t:fifo_file write;
I can see it in the policy:
sesearch --all --source winbind_t --target crond_t
Found 3 semantic av rules:
allow winbind_t crond_t : process sigchld ;
allow winbind_t crond_t : fd use ;
allow winbind_t crond_t : fifo_file { ioctl read write getattr lock append open } ;
Why do I get denial anyway?
time->Sat Jul 4 10:28:01 2009
type=SYSCALL msg=audit(1246717681.676:10436): arch=40000003 syscall=11 success=yes exit=0 a0=9073c10 a1=9073358 a2=90732a8 a3=9073358 items=0 ppid=20323 pid=20324 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=777 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1246717681.676:10436): avc: denied { write } for pid=20324 comm="winbindd" path="pipe:[611496]" dev=pipefs ino=611496 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
Sincerely yours,
Vadym Chepkov
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
On 07/04/2009 11:19 AM, Vadym Chepkov wrote:
I barely redirect output of a cron job to /dev/null :(
Is there a way to run cron unconfined? I don't see any boolean anymore.
Sincerely yours, Vadym Chepkov
The problem is not the confinement of cron, but the confinement of winbind. winbind is handed an open file descriptor from cron that it is not allowed to use. SELinux closes the descriptor and reports the avc. winbind and cron will continue to work without a problem. You can add a dontaudit rule to tell SELinux to stop reporting the leaked file descriptor.
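The two explanations given in this thread can both be checked mechanically from the audit records. The script below is an added example written for this page, not code posted by anyone in the thread: it parses the AVC record quoted above, compares the MCS categories of the source and target contexts (Kévin's point: winbind_t runs at plain s0 while the pipe carries c0.c1023), notes that the AVC shares its event id with an execve SYSCALL record (Dan's point: the denied object is a descriptor winbindd inherited when cron started it), and prints the raw TE dontaudit rule Dan recommends, which silences the message without granting winbind_t any new access. The SYSCALL line is a constructed copy of the one in the thread with fields the script does not read left out; the execve number for arch 40000003 (i386) is 11, as in the log.

```python
import re

# Constructed copy of the two audit records quoted in the thread. The SYSCALL
# record keeps only the fields this analysis reads.
AUDIT_RECORDS = [
    'type=SYSCALL msg=audit(1246717681.676:10436): arch=40000003 syscall=11 '
    'success=yes exit=0 ppid=20323 pid=20324 auid=0 uid=0 comm="winbindd" '
    'exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)',
    'type=AVC msg=audit(1246717681.676:10436): avc: denied { write } for '
    'pid=20324 comm="winbindd" path="pipe:[611496]" dev=pipefs ino=611496 '
    'scontext=system_u:system_r:winbind_t:s0 '
    'tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<event>[\d.]+:\d+)\): (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# execve syscall number per audit arch; 40000003 is AUDIT_ARCH_I386 (the log's arch)
EXECVE_BY_ARCH = {"40000003": "11"}


def parse_fields(text):
    """key=value pairs of an audit record, with quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_avc(line):
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = parse_fields(m.group("fields"))
    rec["event"] = m.group("event")
    rec["perms"] = m.group("perms").split()
    return rec


def split_context(ctx):
    """user:role:type[:mls-range] -> (user, role, type, range-or-empty)."""
    parts = ctx.split(":", 3)
    return tuple(parts) + ("",) * (4 - len(parts))


def categories(mls_range):
    """MCS categories in the high level of a range.
    's0' -> set(); 's0-s0:c0.c1023' -> {0..1023}; 's0:c1,c5' -> {1, 5}."""
    high = mls_range.split("-")[-1]
    if ":" not in high:
        return set()
    cats = set()
    for item in high.split(":", 1)[1].split(","):
        lo, _, hi = item.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        cats.update(range(lo_n, hi_n + 1))
    return cats


def mcs_missing(avc):
    """Categories the target carries that the source process lacks."""
    src = categories(split_context(avc["scontext"])[3])
    tgt = categories(split_context(avc["tcontext"])[3])
    return tgt - src


def execve_events(records):
    """Event ids of SYSCALL records that are an execve: an AVC sharing one of
    these ids concerns an object the new process inherited, e.g. a leaked fd."""
    events = set()
    for line in records:
        m = SYSCALL_RE.match(line)
        if m:
            f = parse_fields(m.group("fields"))
            if EXECVE_BY_ARCH.get(f.get("arch")) == f.get("syscall"):
                events.add(m.group("event"))
    return events


def suggest_rule(avc, silence=True):
    """Raw TE rule for the denial; silence=True yields the dontaudit form."""
    stype = split_context(avc["scontext"])[2]
    ttype = split_context(avc["tcontext"])[2]
    kind = "dontaudit" if silence else "allow"
    return f"{kind} {stype} {ttype}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};"


def analyse(records):
    execs = execve_events(records)
    result = []
    for avc in filter(None, map(parse_avc, records)):
        result.append({
            "perms": avc["perms"],
            "path": avc.get("path"),
            "mcs_missing": len(mcs_missing(avc)),
            "inherited_fd_at_exec": avc["event"] in execs,
            "rule": suggest_rule(avc),
        })
    return result


if __name__ == "__main__":
    for finding in analyse(AUDIT_RECORDS):
        print(finding)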