HELP: transition denied regardless of policy?

Aleksander Adamowski aleksander.adamowski at altkom.pl
Fri May 27 19:39:53 UTC 2005


Stephen Smalley wrote:

>>May 26 03:26:01 machinename kernel: audit(1117070761.996:0): avc:  
>>denied  { transition } for  pid=11773 exe=/bin/bash 
>>path=/home/twiki/bin/mailnotify dev=hda1 ino=51463 
>>scontext=root:sysadm_r:sysadm_crond_t tcontext=root:system_r:twiki_t 
>>tclass=process
>>    
>>
>
>Note that the above transition involves a role change, not just a type
>change. 
>
Got it!

sysadm_crond_t doesn't have the privrole attribute.

Thanks for pointing it out, I didn't notice that, mainly because the 
sysadm_crond_t domain creation process is quite convoluted (it traverses 
several macros from different files).

I had to modify macros/program/crond_macros.te by adding the 
priv_system_role attribute to the domains generated by the crond_domain macro:

--- crond_macros.te.orig        2004-05-07 17:24:24.000000000 +0200
+++ crond_macros.te     2005-05-27 21:32:57.000000000 +0200
@@ -19,9 +20,13 @@
 define(`crond_domain',`
 # Derived domain for user cron jobs, user user_crond_domain if not system
 ifelse(`system', `$1', `
-type $1_crond_t, domain, privlog, privmail;
+type $1_crond_t, domain, privlog, privmail, nscd_client_domain;
+', `
+ifelse(`sysadm', `$1', `
+type $1_crond_t, domain, user_crond_domain, priv_system_role;
 ', `
 type $1_crond_t, domain, user_crond_domain;
+')
 
 # Access user files and dirs.
 allow $1_crond_t home_root_t:dir search;
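Review bot: the hunk bundles an unrelated change with the role fix: the `nscd_client_domain` attribute added in `+type $1_crond_t, domain, privlog, privmail, nscd_client_domain;` on the `system` branch has nothing to do with the denied sysadm_r to system_r transition described in the message, and the header `@@ -19,9 +20,13 @@` shows a further offset from an edit above this hunk that is not shown; split the unrelated parts out so the privilege grant can be reviewed on its own. Also, the message talks about `privrole` while the diff adds `priv_system_role` to the new `sysadm` branch; confirm which attribute actually authorises the role change, and note that the nested `ifelse` grants it to every sysadm_crond_t job, not only to the twiki mailnotify script.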
@@ -31,8 +36,8 @@


Soon, checkpolicy for FC3 will have support for the typeattribute construct:

https://www.redhat.com/archives/fedora-cvs-commits/2005-May/msg00593.html

And I will be able to simply augment the generated sysadm_crond_t domain 
with privrole from my program's .te file like this:

typeattribute sysadm_crond_t privrole;

Until then, I can live with the manual modification to the macro, but it 
will get overwritten with every policy sources RPM upgrade.


>Questions:
>- Do you truly want this to run in the same domain when it is run from
>httpd as when it is run from the cron job?  This implies that it has the
>same permissions in both cases.  For example, I might envision the cron
>job as being more trusted (as it was set up by the admin) than the
>process spawned from httpd, and I doubt you want a httpd-spawned process
>to be able to attack the cron job if it happens to be running
>simultaneously.  You can define two different domains, with a shared
>exec type, such that the cron job will transition to one domain and
>httpd will transition to another domain when they run the program.
>  
>
Thanks for the suggestion. Thinking about that, I could make a separate 
domain for this process. But it needs access to files similar to httpd, 
so I might end up duplicating lots of httpd domain AVC for it, 
which might defeat the purpose... OTOH, if I label all those files it would 
make a lot more sense. I might not have enough time for that, though.

>- Is using daemon_domain truly appropriate here?  I'm a little
>skeptical.
>  
>
Possibly not, I'll look into that, thanks!

>- Why are you giving it access to unlabeled_t?  Suggests some other
>problem with your filesystem labels or use of non-labeled fs.
>  
>
Well, this .te is a work in progress, and I've made a preliminary 
version of that domain, relabeled the FS, then put all the errors 
through audit2allow to get AVC rules. I've put them into the .te file 
and right now I'm going through them, looking at suspicious ones and 
deciding what to do with them. So I'll take care of this one - yes, it's 
probably a problem with labels somewhere on my filesystem.


-- 
Best Regards,
    Aleksander Adamowski
        GG#: 274614
        ICQ UIN: 19780575 
	http://olo.ab.altkom.pl
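A small diagnostic for the denial discussed in this thread, as an added example that is not part of the original mail: it parses a kernel AVC line and reports whether the denied process transition also changes the SELinux role, which is the case Stephen points out above. The sample line is the quoted audit message reassembled onto one line; the function names are assumptions of this example.

```python
import re

# Sample denial, reassembled from the audit line quoted in this thread.
SAMPLE = ("May 26 03:26:01 machinename kernel: audit(1117070761.996:0): avc:  "
          "denied  { transition } for  pid=11773 exe=/bin/bash "
          "path=/home/twiki/bin/mailnotify dev=hda1 ino=51463 "
          "scontext=root:sysadm_r:sysadm_crond_t tcontext=root:system_r:twiki_t "
          "tclass=process")

# Matches the "avc: denied { perms } for key=value ..." part of the line.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")


def parse_avc(line):
    """Parse one kernel AVC denial line into a dict; None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    return rec


def split_context(ctx):
    """Split user:role:type[:range] into its parts (MLS range is optional)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) == 4 else None}


def diagnose_transition(rec):
    """Classify a denied process transition.

    'role_change': the target role differs from the source role, so an
    ordinary type_transition plus allow rule is not enough; the source
    domain must also be permitted to enter the target role (in the example
    policy of this thread, via an attribute on the crond domain).
    'type_only': a plain domain transition lacking process:transition.
    """
    if rec is None or "transition" not in rec["perms"] or rec.get("tclass") != "process":
        return "not_transition"
    src = split_context(rec["scontext"])
    dst = split_context(rec["tcontext"])
    return "role_change" if src["role"] != dst["role"] else "type_only"


if __name__ == "__main__":
    rec = parse_avc(SAMPLE)
    print(diagnose_transition(rec), rec["scontext"], "->", rec["tcontext"])
```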