Cron mail problem with FC6/strict
Ted Rule
ejtr at layer3.co.uk
Mon Feb 12 10:14:23 UTC 2007
Since my previous posting on this matter, I've performed a few more
tests, slightly amended policy, and found a somewhat surprising result.
Because earlier tests indicated that individual Jobs could initiate mail
themselves from system_crond_t, but NOT crond itself, I reasoned that
maybe there was perhaps something in one or all of policy / crond /
libselinux / kernel which prevented crond - which had already performed
a setexeccon - to exec another process which directly required a domain
transition.
Therefore, I made use of crond's "-m" option to provide a shell wrapper
to sendmail itself employing the same command line params as crond
invokes, as in:
[root at topaz ~]# cat /usr/sbin/sendmail.sendmail.crond
#!/bin/sh
/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t
[root at topaz ~]#
I also labelled the wrapper as sendmail_exec_t:
[root at topaz ~]# ls -lZ /usr/sbin/sendmail.sendmail*
-rwxr-sr-x root smmsp
system_u:object_r:sendmail_exec_t /usr/sbin/sendmail.sendmail
-rwxr-xr-x root root
staff_u:object_r:sendmail_exec_t /usr/sbin/sendmail.sendmail.crond
[root at topaz ~]#
Because of findings from previous tests, I added an entrypoint to
SELinux policy which appears to be required:
domain_entry_file(system_crond_t, sendmail_exec_t)
And then I invoked the wrapper via /etc/sysconfig/crond:
[root at topaz ~]# cat /etc/sysconfig/crond
# Settings for the CRON daemon.
# CRONDARGS= : any extra command-line startup arguments for crond
# CRON_VALIDATE_MAILRCPTS=1:a non-empty value of this variable will
# enable vixie-cron-4.1's validation of
# mail recipient names, which would then be
# restricted to contain only the chars
# from this tr(1) set : [@!:%-_.,:alnum:]
# otherwise mailing is not attempted.
#CRONDARGS=
CRONDARGS="-m/usr/sbin/sendmail.sendmail.crond"
[root at topaz ~]#
With all this in place, I found that Crond COULD launch the wrapper
script, which in turn launched sendmail itself, and Cron mail WAS
delivered.
If I simply comment out the CRONDARGS setting to revert crond to
"normal" operation, it succeeds in executing /usr/sbin/sendmail, but
fails to transition to system_mail_t and no mail is delivered.
As a next test, I further emulated /usr/sbin/sendmail itself by adding
group membership, setgid flags and selinux ownership:
[root at topaz ~]# ls -lZ /usr/sbin/sendmail.*
-rwxr-sr-x root smmsp
system_u:object_r:sendmail_exec_t /usr/sbin/sendmail.sendmail
-rwxr-sr-x root smmsp
system_u:object_r:sendmail_exec_t /usr/sbin/sendmail.sendmail.crond
[root at topaz ~]#
This still appears to work Ok.
All in all, I appear to have a workround for the problem. It DOES seem
to require one tweak to the existing policy - the extra
domain_entry_file setting. However, I'm still very much in the dark as
to why the wrapper script works and the binary copy of sendmail doesn't.
Ted
On Wed, 2007-01-24 at 10:19 +0000, Ted Rule wrote:
> Quoting "Christopher J. PeBenito" <cpebenito at tresys.com>:
>
> > On Sun, 2007-01-21 at 23:05 +0000, Ted Rule wrote:
> >> A little while ago, I found that anacron wasn't running correctly under
> >> FC6/strict, which led to me add a temporary fixup .te for its operation.
> >> Once I had that in place, I finally received the cron.daily and logwatch
> >> Emails every day shortly after bootup.
> >>
> >> With that in place, I recently took to leaving the machine powered
> >> overnight, which of course led to all the Cron jobs running via crond
> >> instead of anacron.
> >>
> >> Oddly, I noticed that the logwatch Email arrived, but NOT the cron.daily
> >> summary Email.
> >>
> >> Looking further, I found this odd avc:
> >>
> >> Jan 21 21:29:51 topaz kernel: audit(1169414991.423:988): avc: denied
> >> { entrypoint } for pid=4891 comm="crond" name="sendmail.sendmail"
> >> dev=hda6 ino=1313020
> >> scontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023
> >> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
> >>
> >> i.e. the crond child process running in system_crond_t was apparently
> >> unable to run sendmail.
> >
> > Is this supposed to be cron emailing the output of the cron jobs or the
> > cron job itself emailing something?
>
> The former: as mentioned above, my tests indicate that the latter seems
> to work
> Ok.
>
> As far as I can tell, what happens is that crond starts in
> crond_t, forks a crond child, setexeccon's to system_crond_t to run the
> Job, and
> then forks a sendmail process to pick up the stdout/stderr from the
> Job. Hence I
> think you end up with something like this:
>
> 101 crond_t crond
> 102 system_crond_t \ crond
> 103 system_crond_t \ cron-job-script
> 104 system_mail_t \ sendmail
>
> where stdout/stderr from the cron-job-script is routed into the
> sendmail stdin,
> with email subject line and similar parameters injected from pid 102. I also
> believe that pid 104 is not created at all until some output is generated by
> pid 103 - hence silent Cron Jobs don't create the avc denials for sendmail.
>
> sendmail directly or indirectly launched by pid 103 is Ok according to
> my tests,
> but seemingly sendmail launched by pid 102 itself gronks.
>
>
> >
> > --
> > Chris PeBenito
> > Tresys Technology, LLC
> > (410) 290-1411 x150
> >
> >
>
--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/
More information about the fedora-selinux-list
mailing list