I recently upgraded policy from selinux-policy-strict-2.4.6-57.fc6 to selinux-policy-strict-2.4.6-69.fc6.
As a consequence, I started to see the following errors in /var/log/cron every 10 minutes:
...
May 30 07:40:01 topaz crond[3717]: Authentication service cannot retrieve authentication info
May 30 07:40:01 topaz crond[3717]: CRON (root) ERROR: failed to open PAM security session: Success
May 30 07:40:01 topaz crond[3717]: CRON (root) ERROR: cannot set security context
May 30 07:50:01 topaz crond[3727]: Authentication service cannot retrieve authentication info
May 30 07:50:01 topaz crond[3727]: CRON (root) ERROR: failed to open PAM security session: Success
May 30 07:50:01 topaz crond[3727]: CRON (root) ERROR: cannot set security context
...
Meanwhile, the SELinux/syslog errors show:
May 30 02:40:01 topaz kernel: audit(1180489201.806:13): avc: denied { execute } for pid=3860 comm="crond" name="unix_chkpwd" dev=hda2 ino=453913 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
May 30 02:40:01 topaz crond[3860]: pam_unix(crond:account): helper binary execve failed: Permission denied
May 30 02:40:01 topaz crond[3859]: Authentication service cannot retrieve authentication info
The cron job which appeared to error was for sysstat, as in:
[root@topaz ~]# cat /etc/cron.d/sysstat
# run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib/sa/sa1 1 1
# generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib/sa/sa2 -A
[root@topaz ~]#
Looking at the policy changes for cron in policy 69, I see that the auth_domtrans_chk_passwd(crond_t) transition has been removed (see diff below).
By adding this entry back into the SELinux policy for crond_t, I was apparently able to restore correct operation of cron:
auth_domtrans_chk_passwd(crond_t)
Is that the correct fix, or does the problem really lie in recoding crond itself to use unix_update instead of unix_chkpwd?
===================================================================
... [root@topaz BUILD]# diff -uNr serefpolicy-2.4.6-57/policy/modules/services/cron.te serefpolicy-2.4.6-69/policy/modules/services/cron.te --- serefpolicy-2.4.6-57/policy/modules/services/cron.te 2007-04-27 08:47:01.000000000 +0100 +++ serefpolicy-2.4.6-69/policy/modules/services/cron.te 2007-05-30 08:57:20.000000000 +0100 @@ -73,7 +73,9 @@ # Cron Local policy #
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control }; +allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; +logging_set_loginuid(crond_t) +logging_send_audit_msg(crond_t) dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; @@ -117,7 +119,7 @@ term_dontaudit_use_console(crond_t)
# need auth_chkpwd to check for locked accounts. -auth_domtrans_chk_passwd(crond_t) +auth_domtrans_upd_passwd(crond_t)
corecmd_exec_shell(crond_t) corecmd_list_sbin(crond_t) [root@topaz BUILD]# ...
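Review bot: in the second cron.te hunk the comment "# need auth_chkpwd to check for locked accounts." is left in place while the call beneath it changes from auth_domtrans_chk_passwd(crond_t) to auth_domtrans_upd_passwd(crond_t), so the comment no longer describes the rule; either update the comment or keep the chk_passwd transition. As the AVC quoted earlier in this message shows, crond_t is still executing /sbin/unix_chkpwd (tcontext chkpwd_exec_t), and the authlogin.fc change below only adds an updpwd_exec_t label for /sbin/unix_update without relabelling unix_chkpwd, so this policy change only works together with a pam that ships and calls unix_update for the account check.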
... [root@topaz BUILD]# diff -uNr serefpolicy-2.4.6-57/policy/modules/system/authlogin.fc serefpolicy-2.4.6-69/policy/modules/system/authlogin.fc --- serefpolicy-2.4.6-57/policy/modules/system/authlogin.fc 2006-11-29 17:04:51.000000000 +0000 +++ serefpolicy-2.4.6-69/policy/modules/system/authlogin.fc 2007-05-30 08:57:20.000000000 +0100 @@ -14,6 +14,7 @@ /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) ifdef(`distro_suse', ` /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') [root@topaz BUILD]# ...
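As an added illustration that is not part of the original thread: the AVC record quoted above can be parsed mechanically to derive the access crond_t was denied and to distinguish a plain missing allow rule from a missing domain transition, which is the distinction the question turns on. The log text below is constructed for the example (the first denial is the one quoted in the post, the others are made up to show grouping), and the "execute on a *_exec_t type means a missing domtrans" heuristic is this example's own assumption, not something the policy or the thread states.

```python
import re
from collections import defaultdict

# Constructed sample log. Line 1 is the denial quoted in the post; the
# pam_unix line is the matching helper failure; the last line is invented
# to show how several denials on one object are merged into one rule.
SAMPLE_LOG = """\
May 30 02:40:01 topaz kernel: audit(1180489201.806:13): avc: denied { execute } for pid=3860 comm="crond" name="unix_chkpwd" dev=hda2 ino=453913 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
May 30 02:40:01 topaz crond[3860]: pam_unix(crond:account): helper binary execve failed: Permission denied
May 30 02:50:01 topaz kernel: audit(1180489801.123:14): avc: denied { read } for pid=3870 comm="crond" name="unix_chkpwd" dev=hda2 ino=453913 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def ctx_type(ctx):
    """Return the type field of user:role:type[:mls-range]; the MLS range
    may itself contain ':' (s0-s0:c0.c1023), so split and take index 2."""
    return ctx.split(":")[2] if ctx else None


def parse_avc(line):
    """Parse one syslog/audit line; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {
        "perms": m.group("perms").split(),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
    }
    rec["stype"] = ctx_type(rec["scontext"])
    rec["ttype"] = ctx_type(rec["tcontext"])
    return rec


def allow_rules(log_text):
    """Group denials by (source type, target type, class) and emit the
    minimal allow rule for each group, the way audit2allow would."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        needed[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return [
        f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (s, t, cls), perms in sorted(needed.items())
    ]


def needs_domtrans(rec):
    """Heuristic (this example's assumption): an execute denial on a file
    labelled *_exec_t means the caller should transition into the helper's
    own domain, so the right fix is a domtrans interface such as
    auth_domtrans_chk_passwd(), not a bare allow on the executable."""
    return (
        rec is not None
        and rec["tclass"] == "file"
        and "execute" in rec["perms"]
        and (rec["ttype"] or "").endswith("_exec_t")
    )


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
    first = parse_avc(SAMPLE_LOG.splitlines()[0])
    if needs_domtrans(first):
        print(f"{first['stype']} -> {first['ttype']}: missing domain transition, prefer a domtrans interface")
```

Run against a real /var/log/messages or audit.log, the grouped rule tells you what access is missing, and the domtrans check stops you from pasting a bare `allow crond_t chkpwd_exec_t:file execute;` where the policy intends the helper to run in its own domain.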
On Wed, 2007-05-30 at 09:48 +0100, Ted Rule wrote:
> Looking at the policy changes for cron in policy 69, I see that the auth_domtrans_chk_passwd(crond_t) transition has been removed (see diff below).
> By adding this entry back into the SELinux policy for crond_t, I was apparently able to restore correct operation of cron:
> auth_domtrans_chk_passwd(crond_t)
> Is that the correct fix, or does the problem really lie in recoding crond itself to use unix_update instead of unix_chkpwd?
Actually, I just need to release an update of pam in FC-6.
selinux@lists.fedoraproject.org