Cron mail problem with FC6/strict

Ted Rule ejtr at layer3.co.uk
Wed Jan 24 22:56:25 UTC 2007


On Mon, 2007-01-22 at 15:47 -0500, Christopher J. PeBenito wrote:
> On Sun, 2007-01-21 at 23:05 +0000, Ted Rule wrote:
> > A little while ago, I found that anacron wasn't running correctly under
> > FC6/strict, which led to me add a temporary fixup .te for its operation.
> > Once I had that in place, I finally received the cron.daily and logwatch
> > Emails every day shortly after bootup.
> > 
> > With that in place, I recently took to leaving the machine powered
> > overnight, which of course led to all the Cron jobs running via crond
> > instead of anacron.
> > 
> > Oddly, I noticed that the logwatch Email arrived, but NOT the cron.daily
> > summary Email.
> > 
> > Looking further, I found this odd avc:
> > 
> > Jan 21 21:29:51 topaz kernel: audit(1169414991.423:988): avc:  denied
> > { entrypoint } for  pid=4891 comm="crond" name="sendmail.sendmail"
> > dev=hda6 ino=1313020
> > scontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
> > 
> > i.e. the crond child process running in system_crond_t was apparently
> > unable to run sendmail. 
> 
> Is this supposed to be cron emailing the output of the cron jobs or the
> cron job itself emailing something?


The former: my tests so far indicate that the latter seems to work
OK.

From what I can deduce in the source, I believe that crond starts in
crond_t, forks a crond child, which it then setexeccon's into
system_crond_t to run the Job. This, in turn forks a sendmail process to
pick up the stdout/stderr from the Job, and also forks another process -
the Job itself. As a result, you end up with something like this:

101 crond_t              crond
102 system_crond_t          \ crond
103 system_crond_t             \ cron-job-script
104 system_mail_t              \ sendmail

where stdout/stderr from the cron-job-script are routed into the 
sendmail stdin, with email subject line and other parameters injected
from pid 102. I also believe that pid 104 is not created at all until
some output is generated by pid 103 - hence silent Cron Jobs don't
create the avc denials for sendmail.

sendmail directly launched by pid 103 is OK according to my tests, but
seemingly sendmail launched by pid 102 gronks.



-- 
Ted Rule

Director, Layer3 Systems Ltd

W: http://www.layer3.co.uk/
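As an added example (not code from the post, nor from the cron or SELinux reference policy projects), the following Python script parses an AVC denial of the kind quoted in the message, unwrapping it from its mail-quoted form, and derives the TE rule it implies together with the sesearch query that would confirm the rule is absent from the loaded policy. The sample input is the denial from the message itself, reconstructed as it appears in the quote; the rule text follows the format audit2allow emits, and the entrypoint/execute explanation strings are my own wording.

```python
"""Parse an SELinux AVC denial and derive the rule it implies.

Added example: parses the denial quoted in the thread, distinguishes an
'entrypoint' denial (a domain transition being refused) from a plain
'execute' denial, and prints the rule and the sesearch check for it.
"""
import re

# Sample input, constructed here: the denial from the post exactly as it
# appears in the quoted e-mail, wrapped across lines and prefixed "> > ".
QUOTED_AVC = """\
> > Jan 21 21:29:51 topaz kernel: audit(1169414991.423:988): avc:  denied
> > { entrypoint } for  pid=4891 comm="crond" name="sendmail.sendmail"
> > dev=hda6 ino=1313020
> > scontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unwrap_quoted(text):
    """Strip '>' mail-quoting prefixes and rejoin a wrapped log line."""
    parts = [re.sub(r"^(>\s*)+", "", ln).strip() for ln in text.splitlines()]
    return " ".join(p for p in parts if p)


def parse_avc(line):
    """Return a dict of the denial's fields, or None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec = dict(fields)
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:range]; the type is the third field.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def allow_rule(rec):
    """The TE allow rule audit2allow would emit for this denial."""
    perms = rec["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        rec["sdomain"], rec["ttype"], rec["tclass"], perm_text)


def sesearch_command(rec):
    """sesearch invocation that shows whether the rule is already present."""
    return "sesearch --allow -s %s -t %s -c %s -p %s" % (
        rec["sdomain"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))


def explain(rec):
    """Say what was refused; entrypoint and execute are different checks."""
    if rec["tclass"] == "file" and "entrypoint" in rec["perms"]:
        return ("process %s (%s) tried to run a file of type %s while its "
                "new domain was fixed to %s, and %s is not allowed to be "
                "entered through %s executables; this is the transition "
                "check, not a plain execute check"
                % (rec.get("pid"), rec.get("comm"), rec["ttype"],
                   rec["sdomain"], rec["sdomain"], rec["ttype"]))
    if rec["tclass"] == "file" and "execute" in rec["perms"]:
        return "%s may not execute files of type %s at all" % (
            rec["sdomain"], rec["ttype"])
    return "denied %s on %s:%s for %s" % (
        " ".join(rec["perms"]), rec["ttype"], rec["tclass"], rec["sdomain"])


if __name__ == "__main__":
    rec = parse_avc(unwrap_quoted(QUOTED_AVC))
    print(explain(rec))
    print("check with: " + sesearch_command(rec))
    print("rule implied: " + allow_rule(rec))
```

Run the printed sesearch command against the loaded policy before putting the implied rule into a local fixup .te; if sesearch already lists it, the denial is coming from somewhere other than a missing allow rule and the rule will not help.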




More information about the fedora-selinux-list mailing list