chkpwd_exec_t / crond issue in policy-2.4.6-69

Ted Rule ejtr at layer3.co.uk
Wed May 30 08:48:37 UTC 2007


I recently upgraded policy from selinux-policy-strict-2.4.6-57.fc6 to
selinux-policy-strict-2.4.6-69.fc6.

As a consequence, I started to see the following errors
in /var/log/cron every 10 minutes:

...
May 30 07:40:01 topaz crond[3717]: Authentication service cannot
retrieve authentication info
May 30 07:40:01 topaz crond[3717]: CRON (root) ERROR: failed to open PAM
security session: Success
May 30 07:40:01 topaz crond[3717]: CRON (root) ERROR: cannot set
security context
May 30 07:50:01 topaz crond[3727]: Authentication service cannot
retrieve authentication info
May 30 07:50:01 topaz crond[3727]: CRON (root) ERROR: failed to open PAM
security session: Success
May 30 07:50:01 topaz crond[3727]: CRON (root) ERROR: cannot set
security context
...

Meanwhile, the SELinux/syslog errors show:

May 30 02:40:01 topaz kernel: audit(1180489201.806:13): avc:  denied
{ execute } for  pid=3860 comm="crond" name="unix_chkpwd" dev=hda2
ino=453913 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
May 30 02:40:01 topaz crond[3860]: pam_unix(crond:account): helper
binary execve failed: Permission denied
May 30 02:40:01 topaz crond[3859]: Authentication service cannot
retrieve authentication info


The cron job which appeared to error was for sysstat, as in:

[root at topaz ~]# cat /etc/cron.d/sysstat 
# run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib/sa/sa1 1 1
# generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib/sa/sa2 -A

[root at topaz ~]# 


Looking at the policy changes for cron in policy 69, I see that the
auth_domtrans_chk_passwd(crond_t) transition has been removed (see
diff below).


By adding this entry back into the SELinux policy for crond_t, I was
apparently able to restore correct operation of cron:

     auth_domtrans_chk_passwd(crond_t)


Is that the correct fix, or does the problem really lie in recoding
crond itself to use unix_update instead of unix_chkpwd?



===================================================================

...
[root at topaz BUILD]# diff -uNr
serefpolicy-2.4.6-57/policy/modules/services/cron.te
serefpolicy-2.4.6-69/policy/modules/services/cron.te
--- serefpolicy-2.4.6-57/policy/modules/services/cron.te
2007-04-27 08:47:01.000000000 +0100
+++ serefpolicy-2.4.6-69/policy/modules/services/cron.te
2007-05-30 08:57:20.000000000 +0100
@@ -73,7 +73,9 @@
 # Cron Local policy
 #
 
-allow crond_t self:capability { dac_override setgid setuid sys_nice
dac_read_search audit_control };
+allow crond_t self:capability { dac_override setgid setuid sys_nice
dac_read_search };
+logging_set_loginuid(crond_t)
+logging_send_audit_msg(crond_t)
 dontaudit crond_t self:capability { sys_resource sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate
setrlimit execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
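Review bot: the first pair of lines drops audit_control from crond_t's self:capability set and relies on the new logging_set_loginuid(crond_t) call to supply whatever crond still needs for setting the login uid; before merging, check the definition of logging_set_loginuid in this same policy revision actually grants the audit_control capability (and the audit socket access that goes with it), because if it only covers the socket side the cron jobs will silently lose their loginuid. A one-line comment above `+logging_set_loginuid(crond_t)` saying it replaces the removed capability would also make the intent of the hunk clear to the next reader.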
@@ -117,7 +119,7 @@
 term_dontaudit_use_console(crond_t)
 
 # need auth_chkpwd to check for locked accounts.
-auth_domtrans_chk_passwd(crond_t)
+auth_domtrans_upd_passwd(crond_t)
 
 corecmd_exec_shell(crond_t)
 corecmd_list_sbin(crond_t)
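Review bot: the comment `# need auth_chkpwd to check for locked accounts.` is now stale, because the rule under it was switched from auth_domtrans_chk_passwd(crond_t) to auth_domtrans_upd_passwd(crond_t); either update it to name unix_update, or reconsider the swap: the AVC quoted earlier in this mail shows crond_t being denied execute on chkpwd_exec_t from pam_unix(crond:account), i.e. the account check still execs /sbin/unix_chkpwd, so removing the chk_passwd transition breaks every cron job. Keeping auth_domtrans_chk_passwd(crond_t) next to the new auth_domtrans_upd_passwd(crond_t) until pam_unix really uses unix_update for account management would avoid that regression.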
[root at topaz BUILD]# 
...

...
[root at topaz BUILD]# diff -uNr
serefpolicy-2.4.6-57/policy/modules/system/authlogin.fc
serefpolicy-2.4.6-69/policy/modules/system/authlogin.fc
--- serefpolicy-2.4.6-57/policy/modules/system/authlogin.fc
2006-11-29 17:04:51.000000000 +0000
+++ serefpolicy-2.4.6-69/policy/modules/system/authlogin.fc
2007-05-30 08:57:20.000000000 +0100
@@ -14,6 +14,7 @@
 /sbin/pam_timestamp_check --
gen_context(system_u:object_r:pam_exec_t,s0)
 /sbin/unix_chkpwd      --
gen_context(system_u:object_r:chkpwd_exec_t,s0)
 /sbin/unix_verify      --
gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/sbin/unix_update      --
gen_context(system_u:object_r:updpwd_exec_t,s0)
 ifdef(`distro_suse', `
 /sbin/unix2_chkpwd     --
gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ')
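Review bot: the added `/sbin/unix_update` entry labels the helper with a type, updpwd_exec_t, that is not declared anywhere in this diff; the matching `type updpwd_exec_t` declaration (and the domain it transitions to) must land in authlogin.te in the same change, and an already-installed binary only picks up the new label after a relabel (restorecon /sbin/unix_update), otherwise the auth_domtrans_upd_passwd(crond_t) call in cron.te has nothing to match. The column alignment of the new line follows the existing entries, so no style issue there.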
[root at topaz BUILD]# 
...


-- 
Ted Rule

Director, Layer3 Systems Ltd

W: http://www.layer3.co.uk/
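As an added illustration, not code from the post or from the refpolicy project: the AVC line quoted above, parsed the way one would when triaging such a denial, with the difference between the bare allow rule audit2allow would emit and the refpolicy interface that also provides the domain transition. The exec-type-to-interface mapping is an assumption drawn from the two diffs in the mail.

```python
import re

# Constructed copy of the AVC denial quoted in the post, re-joined onto one line.
SAMPLE_AVC = (
    'May 30 02:40:01 topaz kernel: audit(1180489201.806:13): avc:  denied '
    '{ execute } for  pid=3860 comm="crond" name="unix_chkpwd" dev=hda2 '
    'ino=453913 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file'
)

# Assumed mapping (not from the post) of PAM helper exec types to the refpolicy
# interface that allows the execute AND sets up the domain transition; the two
# types are the ones named in the authlogin.fc and cron.te diffs above.
EXEC_TYPE_TO_INTERFACE = {
    'chkpwd_exec_t': 'auth_domtrans_chk_passwd',
    'updpwd_exec_t': 'auth_domtrans_upd_passwd',
}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')


def parse_avc(line):
    """Return source type, target type, class and permissions of an AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs; quoted values (comm, name) lose their quotes
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'stype': fields['scontext'].split(':')[2],  # user:role:type[:range]
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
    }


def raw_allow_rule(avc):
    """The bare rule audit2allow would emit: permits the execute but no domain transition."""
    perms = avc['perms'][0] if len(avc['perms']) == 1 else '{ ' + ' '.join(avc['perms']) + ' }'
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {perms};"


def suggest_interface(avc):
    """Prefer the refpolicy interface when the denial is an execute of a known PAM helper."""
    if avc['tclass'] == 'file' and 'execute' in avc['perms']:
        iface = EXEC_TYPE_TO_INTERFACE.get(avc['ttype'])
        if iface:
            return f"{iface}({avc['stype']})"
    return None


if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print(raw_allow_rule(avc))     # allow crond_t chkpwd_exec_t:file execute;
    print(suggest_interface(avc))  # auth_domtrans_chk_passwd(crond_t)
```

The bare allow rule leaves the helper running as crond_t, which is why the interface call, not the audit2allow output, is the fix the post arrived at.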



