Domain transition missing

Miroslav Grepl mgrepl at redhat.com
Mon Jul 13 08:09:30 UTC 2009


On 07/06/2009 02:38 PM, Daniel J Walsh wrote:
> On 07/04/2009 10:09 AM, Vadym Chepkov wrote:
>> It would be nice if the interface would be smart enough and allow
>> output from the cron job to be sent, but no one is perfect :)
>>
>> ----
>> type=AVC msg=audit(1246715821.417:10142): avc:  denied  { write } for  pid=11916 comm="winbind" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
>> ----
>> type=AVC msg=audit(1246715821.780:10143): avc:  denied  { write } for  pid=11925 comm="winbindd" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
>>
>> Sincerely yours,
>>    Vadym Chepkov
>>
>>
>> --- On Sat, 7/4/09, Vadym Chepkov <chepkov at yahoo.com> wrote:
>>
>>> From: Vadym Chepkov <chepkov at yahoo.com>
>>> Subject: Re: Domain transition missing
>>> To: "Dominick Grift" <domg472 at gmail.com>
>>> Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
>>> Date: Saturday, July 4, 2009, 10:00 AM
>>> This worked well too, thank you
>>>
>>> system_u:system_r:winbind_t:SystemLow root 11926     1  0 09:57 ?        00:00:00 winbindd
>>> system_u:system_r:winbind_t:SystemLow root 11928 11926  0 09:57 ?        00:00:00 winbindd
>>> system_u:system_r:winbind_t:SystemLow root 11954 11926  0 09:57 ?        00:00:00 winbindd
>>> system_u:system_r:winbind_t:SystemLow root 11956 11926  0 09:57 ?        00:00:00 winbindd
>>> system_u:system_r:winbind_t:SystemLow root 11957 11926  0 09:57 ?        00:00:00 winbindd
>>>
>>>
>>> Sincerely yours,
>>>    Vadym Chepkov
>>>
>>>
>>> --- On Sat, 7/4/09, Dominick Grift <domg472 at gmail.com> wrote:
>>>
>>>> From: Dominick Grift <domg472 at gmail.com>
>>>> Subject: Re: Domain transition missing
>>>> To: "Vadym Chepkov" <chepkov at yahoo.com>
>>>> Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
>>>> Date: Saturday, July 4, 2009, 9:28 AM
>>>> On Sat, 2009-07-04 at 06:18 -0700, Vadym Chepkov wrote:
>>>>> That would be unfortunate. My approach is not uncommon. If you look
>>>>> closely you will see the same technique in wast scripts. spamassassin
>>>>> restarts itself when it updates anti-spam rules, clamav does that
>>>>> (antivirus) and on and on. I use Fedora 11, by the way.
>>>>> For now, instead of creating a new policy I just added
>>>>> 'runcon -t unconfined_t ' in the cron, and it seemed to do the trick.
>>>>> Sincerely yours,
>>>>>     Vadym Chepkov
>>>>>
>>>> Looking here:
>>>> http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/services/cron.if
>>>>
>>>> line 235 to line 269.
>>>>
>>>> That seems like an interface one might use in your situation:
>>>>
>>>> cron_system_entry(winbind_t, winbind_exec_t)
>>>>
>>>> I admit that using cron with SELinux is not very easy currently
>>>>
>>>>> --- On Sat, 7/4/09, Dominick Grift <domg472 at gmail.com> wrote:
>>>>>> From: Dominick Grift <domg472 at gmail.com>
>>>>>> Subject: Re: Domain transition missing
>>>>>> To: "Vadym Chepkov" <chepkov at yahoo.com>
>>>>>> Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
>>>>>> Date: Saturday, July 4, 2009, 8:57 AM
>>>>>> On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote:
>>>>>>> I really got used to running my scripts unconfined, how can I
>>>>>>> accomplish it in this scenario?
>>>>>>> Sincerely yours,
>>>>>>>     Vadym Chepkov
>>>>>>>
>>>>>> if you want the system to run jobs you will need to write some policy
>>>>>> or extend the system_cronjob_t domain i think
>>>>>>
>>>>>>
>>>>>> Were those the only avc denials you got? I would expect more denials.
>>>>>>
>>>>>>> --- On Sat, 7/4/09, Dominick Grift <domg472 at gmail.com> wrote:
>>>>>>>> From: Dominick Grift <domg472 at gmail.com>
>>>>>>>> Subject: Re: Domain transition missing
>>>>>>>> To: "Vadym Chepkov" <chepkov at yahoo.com>
>>>>>>>> Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
>>>>>>>> Date: Saturday, July 4, 2009, 8:41 AM
>>>>>>>> On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
>>>>>>>>> On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Last night I got a nasty surprise from selinux. I am using winbind
>>>>>>>>>> for external authentication and since it has a history of failures
>>>>>>>>>> I have a simple watchdog implemented to check the status and
>>>>>>>>>> restart it if necessary. That is what happened last night and as a
>>>>>>>>>> law abiding selinux citizen I used 'service winbind restart', but
>>>>>>>>>> it seems the proper domain transition is missing and winbind was
>>>>>>>>>> started in the system_cronjob_t domain instead of winbind_t and
>>>>>>>>>> none of the other domains could connect to it.
>>>>>>>>>> I think jobs running from cron should be granted the same
>>>>>>>>>> transition rules as from unconfined_t.
>>>>>>>>>> I will file a bugzilla report about it, but could somebody help me
>>>>>>>>>> with modifying my local policy until/if it gets implemented,
>>>>>>>>>> please? Thank you.
>>>>>>>>>> Sincerely yours,
>>>>>>>>>>     Vadym Chepkov
>>>>>>>>> A domain transition would be:
>>>>>>>>> policy_module(mywinbind, 0.0.1)
>>>>>>>>> require { type system_cronjob_t, winbind_exec_t, winbind_t; }
>>>>>>>>> domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
>>>>>>>>> Can you show us the full raw avc denial?
>>>>>>>>
>>>>>>>> But personally I would deal with this in a different way. I would
>>>>>>>> write policy for the script that restarts winbind and then i would
>>>>>>>> create a domain transition for the domain in which the script runs
>>>>>>>> to winbind_t.
>>>>>>>>
>>>>>>>> Mainly because i wouldnt want to extend/modify system_cronjob_t
>>>>>>>>
>>>>>>>> So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
>>>>>>>>
>>>>>>>>>> -- 
>>>>>>>>>> fedora-selinux-list mailing list
>>>>>>>>>> fedora-selinux-list at redhat.com
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>>>>
>>>>>>
>>>>
>>
>
>
> Miroslav,
>
> I think you should add
>
> dontaudit $1 crond_t:fifo_file rw_fifo_file_perms;
>
> To cron_system_entry to eliminate this leaked file descriptor problem.
>
>
I will add this to selinux-policy-3.6.12-66.fc11
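Added example, not code from the thread or from the selinux-policy package: a small Python parser for raw AVC records of the kind Vadym posted. It pulls the source and target types, object class and permissions out of each record, flags the pattern the thread ends on (a cron job, or the daemon it started, still holding crond's stdout/stderr pipe and being denied writing to it), and prints the dontaudit rule Dan proposes for cron_system_entry(). The two audit lines are constructed from the records quoted above; the substitution of each denial's source type for the interface's $1 parameter is this example's assumption, since inside cron_system_entry() $1 is the entry domain the caller passes.

```python
import re
from collections import Counter

# Constructed sample input: the two AVC records quoted in this thread, one record per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1246715821.417:10142): avc:  denied  { write } for  pid=11916 comm="winbind" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1246715821.780:10143): avc:  denied  { write } for  pid=11925 comm="winbindd" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
"""

# The fixed part of an AVC record: result, permission set, and the three fields policy rules name.
AVC_RE = re.compile(
    r"type=AVC\b.*?\bavc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def _field(line, name):
    """Return the value of name=... from an audit line; quoted values lose their quotes."""
    m = re.search(r"\b" + name + r'=("([^"]*)"|(\S+))', line)
    if not m:
        return None
    return m.group(2) if m.group(2) is not None else m.group(3)


def parse_avc(line):
    """Parse one raw AVC record into a dict, or return None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    # A context is user:role:type[:mls-range]; the type is what policy rules refer to.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    pid = _field(line, "pid")
    rec["pid"] = int(pid) if pid else None
    rec["comm"] = _field(line, "comm")
    rec["path"] = _field(line, "path")
    return rec


def parse_audit_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def is_leaked_crond_pipe(rec):
    """The leaked-descriptor pattern from the thread: a denied write to a crond_t fifo."""
    return rec["result"] == "denied" and rec["tclass"] == "fifo_file" and rec["ttype"] == "crond_t"


def suggest_rule(rec):
    """Dan Walsh's proposed rule with $1 replaced by the denial's source type
    (assumption of this example); None when the record is not this pattern."""
    if not is_leaked_crond_pipe(rec):
        return None
    return f"dontaudit {rec['stype']} crond_t:fifo_file rw_fifo_file_perms;"


def summarize(records):
    """Count denials per (source type, target type, class, permissions)."""
    return Counter(
        (r["stype"], r["ttype"], r["tclass"], r["perms"]) for r in records if r["result"] == "denied"
    )


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT)
    for key, n in summarize(recs).items():
        print(n, key)
    for r in recs:
        rule = suggest_rule(r)
        line = f"pid={r['pid']} comm={r['comm']} {r['stype']} -> {r['ttype']}:{r['tclass']} {r['perms']}"
        if rule:
            line += f"  leaked crond fd; suggested: {rule}"
        print(line)
```

Run it on a real log with `grep type=AVC /var/log/audit/audit.log` piped into `parse_audit_log`; the summary groups repeated denials so a single leaked pipe shows up as one tuple rather than one line per cron run, and the dontaudit suggestion silences only that fifo_file write, leaving every other denial visible.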



