Mail from cron in Fedora 8

Paul Howarth paul at city-fan.org
Fri Nov 9 10:55:43 UTC 2007


I have a cron job as follows:

# crontab -l -u softlib
45 4 * * * /softlib/scripts/updates-sync | Mail -s "Fedora updates subset mirror report" phowarth

The script runs reposync to pull in a subset of the updates repo, and I 
have the output piped into Mail.

This has been trouble free up until I upgraded to F8, with 
selinux-policy-3.0.8-44.fc8.

With SELinux in enforcing mode, the email I receive simply says 
"/usr/sbin/sendmail: Permission denied".

I tried creating a local policy module as usual and ended up with this:

policy_module(localmisc, 0.0.7)

require {
         type system_mail_t;
         class netlink_route_socket { bind create getattr nlmsg_read read write };
}

#============= system_mail_t ==============
allow system_mail_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
unconfined_read_tmp_files(system_mail_t)


In permissive mode, this works, but in enforcing mode I just get the 
usual "Permission denied" message. There are no more avcs in the audit 
logs, but there is this:

type=SELINUX_ERR msg=audit(1194605105.159:168): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194605105.159:168): arch=40000003 syscall=11 success=no exit=-13 a0=805848b a1=9cf82b8 a2=bfcbf338 a3=9cf82b8 items=0 ppid=1537 pid=1550 auid=4294967295 uid=1502 gid=1502 euid=1502 suid=1502 fsuid=1502 egid=1502 sgid=1502 fsgid=1502 tty=(none) comm="Mail" exe="/bin/mail" subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 key=(null)

I thought there might be something dontaudited so I tried using 
enableaudit.pp but the F8 policy doesn't include this. What's the method 
for finding troublesome dontaudits that need to be allows in F8?

Paul.
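
Added example, not part of the original message: a small Python parser that pairs the SELINUX_ERR and SYSCALL records quoted above by their audit event id and splits the rejected context into its fields. The function and key names are chosen for this example (hypothetical); the sample input is the two records from the message, one record per line.

```python
import re

# The two audit records quoted in the message above, one record per line.
SAMPLE = '''type=SELINUX_ERR msg=audit(1194605105.159:168): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194605105.159:168): arch=40000003 syscall=11 success=no exit=-13 a0=805848b a1=9cf82b8 a2=bfcbf338 a3=9cf82b8 items=0 ppid=1537 pid=1550 auid=4294967295 uid=1502 gid=1502 euid=1502 suid=1502 fsuid=1502 egid=1502 sgid=1502 fsgid=1502 tty=(none) comm="Mail" exe="/bin/mail" subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 key=(null)
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+:\d+)\): (.*)$')
INVALID = re.compile(r'security_compute_sid:\s+invalid context (\S+)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:level]; the level may itself contain colons."""
    user, role, setype, *level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': setype, 'level': level[0] if level else None}

def find_invalid_transitions(text):
    """Group records by audit event id and report rejected computed contexts."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, event_id, body = m.groups()
            events.setdefault(event_id, {})[rtype] = body
    findings = []
    for event_id, recs in events.items():
        m = INVALID.search(recs.get('SELINUX_ERR', ''))
        if not m:
            continue
        err = {k: v.strip('"') for k, v in FIELD.findall(recs['SELINUX_ERR'])}
        sysc = {k: v.strip('"') for k, v in FIELD.findall(recs.get('SYSCALL', ''))}
        new, src = split_context(m.group(1)), split_context(err['scontext'])
        findings.append({
            'event': event_id, 'computed': new, 'source': src,
            'entrypoint': split_context(err['tcontext'])['type'],
            # Fields the computed context kept from the source context; the
            # resulting user:role:type combination is what was rejected.
            'carried_over': [k for k in ('user', 'role') if new[k] == src[k]],
            'exe': sysc.get('exe'), 'comm': sysc.get('comm'),
            'exit': int(sysc['exit']) if 'exit' in sysc else None,
        })
    return findings

if __name__ == '__main__':
    for f in find_invalid_transitions(SAMPLE):
        print(f)
```

On the records above it reports that the computed context keeps the caller's user and role (unconfined_u, unconfined_r) and changes only the type to system_mail_t, and that the failing call (syscall 11 on arch 40000003, i.e. i386 execve) returned -13 (EACCES).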



