Cron mail problem with FC6/strict
Ted Rule
ejtr at layer3.co.uk
Sun Jan 21 23:05:23 UTC 2007
A little while ago, I found that anacron wasn't running correctly under
FC6/strict, which led to me add a temporary fixup .te for its operation.
Once I had that in place, I finally received the cron.daily and logwatch
Emails every day shortly after bootup.
With that in place, I recently took to leaving the machine powered
overnight, which of course led to all the Cron jobs running via crond
instead of anacron.
Oddly, I noticed that the logwatch Email arrived, but NOT the cron.daily
summary Email.
Looking further, I found this odd avc:
Jan 21 21:29:51 topaz kernel: audit(1169414991.423:988): avc: denied
{ entrypoint } for pid=4891 comm="crond" name="sendmail.sendmail"
dev=hda6 ino=1313020
scontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
i.e. the crond child process running in system_crond_t was apparently
unable to run sendmail.
Just to be curious, I added this permission:
auditallow system_crond_t sendmail_exec_t:file execute
and saw this:
Jan 21 21:30:51 topaz kernel: audit(1169415051.521:993): avc: granted
{ execute } for pid=4909 comm="crond" name="sendmail.sendmail" dev=hda6
ino=1313020 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Jan 21 21:30:51 topaz kernel: audit(1169415051.521:994): avc: denied
{ entrypoint } for pid=4909 comm="crond" name="sendmail.sendmail"
dev=hda6 ino=1313020
i.e. crond was apparently allowed to execute sendmail but got caught
with the 'entrypoint' denial slightly later on.
As an added test, I created a per-minute Cron Job which itself
invoked /bin/mail which in turn called sendmail and a few invocations of
sleep (the sleeps just to make it slightly easier to read the process
list changes).
Jan 21 21:31:11 topaz kernel: audit(1169415071.651:996): avc: granted
{ execute } for pid=4938 comm="mail" name="sendmail.sendmail" dev=hda6
ino=1313020 scontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Jan 21 21:31:11 topaz kernel: audit(1169415071.651:997): avc: granted
{ read execute } for pid=4938 comm="sendmail" name="sendmail.sendmail"
dev=hda6 ino=1313020
scontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Jan 21 21:31:51 topaz kernel: audit(1169415111.704:999): avc: granted
{ execute } for pid=4947 comm="crond" name="sendmail.sendmail" dev=hda6
ino=1313020 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Jan 21 21:31:51 topaz kernel: audit(1169415111.704:1000): avc: denied
{ entrypoint } for pid=4947 comm="crond" name="sendmail.sendmail"
dev=hda6 ino=1313020
scontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
i.e. the call the sendmail from system_crond_t within the Cron job by
something other than the crond binary itself worked Ok, but when crond
tried to invoke, it just sulked.
If I went to permissive mode the log was filled with avc's indicating
that crond's direct invocation of sendmail failed to transition to
system_mail_t, even though these two interface calls appear to exist in
the policy:
mta_send_mail(crond_t)
mta_send_mail(system_crond_t)
For both anacron and crond launched invocations of cron.daily/0logwatch,
of course, logwatch itself invokes sendmail from logwatch_t, so the
problem doesn't arise.
I'm currently using selinux-policy-strict-2.4.6-27
I also tried adding this permission:
allow system_crond_t sendmail_exec_t:file entrypoint
but this didn't really help; crond:system_crond_t stubbornly refused to
transition to system_mail_t.
Since all the invocations from within Jobs running as system_crond_t and
also from anacron running as system_crond_t invoked sendmail Ok, my
presumption is that there's something in crond's own use of libselinux
which is confusing matters and preventing Email's being created.
Looking at the policy source a little bit more,
mta_send_mail() calls domain_auto_trans() which in turn calls
domain_trans().
Way back in FC4 policy, I can see that domain_trans()'s definition
contains an entry that suggests I actually need to add
allow system_mail_t sendmail_exec_t:file entrypoint
since the entrypoint permission appears to take the child_domain's
type as its first parameter, (which itself implies that the log entry is
slightly awry, just to be confusing...):
domain_trans(parent_domain, program_type, child_domain)
...
allow $3 $2:file entrypoint;
The FC6 policy source seems to have no automatic entrypoint permission
within the domain_trans() definition but does have the
domain_entry_file() interface.
Just for fun, therefore, I tried adding this:
domain_entry_file(system_mail_t, sendmail_exec_t)
All to no avail, I'm afraid; I continue to be unable to get crond to
directly execute sendmail.
Can anyone enlighten me, please?
--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/
--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/
More information about the fedora-selinux-list
mailing list