anacron under FC6/SELinux/strict

Ted Rule ejtr at layer3.co.uk
Thu Jan 25 10:07:08 UTC 2007


Since my last workaround for this, I've updated to
selinux-policy-strict-2.4.6-27, and I've also found another side-effect,
which I had previously overlooked; the /etc/cron.daily/0anacron
script needs to run anacron itself so that crond can effectively update
anacron's timestamp files in /var/spool/anacron. Default policy would
allow for this, but because I'd relabelled anacron itself, I needed to
add:

      can_exec(system_crond_t, anacron_exec_t)

Similarly, the latest default policy already contains some of the .fc
fixes I needed.

Hence my revised anacron policy is now the following - together with the
manual relabelling of /usr/sbin/anacron itself to anacron_exec_t.

cat /root/selinux.local/localanacron.fc

# anacrond executable will have:
# label: system_u:object_r:anacron_exec_t
# MLS sensitivity: s0
# MCS categories: <none>

# We can't easily override the /usr/sbin/anacron setting in Fedora policy,
# so we create a clone binary and label as anacron_exec_t
/usr/sbin/anacrond              --      gen_context(system_u:object_r:anacron_exec_t,s0)

# The latest 2.4.6-23 policy already contains this:
#/var/lock/subsys/anacron       --      gen_context(system_u:object_r:cron_lock_t,s0)

# The latest 2.4.6-23 policy already contains this:
#/var/spool/anacron(/.*)?               gen_context(system_u:object_r:cron_spool_t,s0)



cat /root/selinux.local/localanacron.te

policy_module(localanacron,0.1.2)

require {
        type system_crond_t;
        type system_crond_lock_t;
        type cron_spool_t;
        type crond_var_run_t;
}

########################################
#
# Anacron local policy
#

type anacron_exec_t;
corecmd_executable_file(anacron_exec_t)

# anacron transitions directly to system_crond_t,
# rather than crond_t because it doesn't currently
# perform a setexeccon internally
init_daemon_domain(system_crond_t,anacron_exec_t)

# Additional permissions for system_crond_t / anacron under
# strict, when system_crond_t != crond_t
ifdef(`strict_policy',`
        # Allow anacron to update spool files in /var/spool/anacron
        allow system_crond_t cron_spool_t:file create_file_perms;

        # Allow anacron to write to /var/run/anacron.pid
        allow system_crond_t crond_var_run_t:file create_file_perms;
        files_pid_filetrans(system_crond_t,crond_var_run_t,file)

        # Allow anacron to handle creation of files in the
        # /var/lock directory. (anacron)
        allow system_crond_t system_crond_lock_t:file manage_file_perms;
        files_lock_filetrans(system_crond_t,system_crond_lock_t,file)

        # Allow crond to run anacron so as to update /var/spool/anacron
        # timestamp files
        can_exec(system_crond_t, anacron_exec_t)
')



FWIW, I've created BZ#224328 noting the problem and this patch.



On Mon, 2007-01-08 at 16:07 +0000, Ted Rule wrote:
> I've patched my local FC6 strict policy to accommodate the use of
> anacron; as the machine is generally powered off overnight, anacron gets
> far more usage than crond. The FC6 strict policy,
> selinux-policy-2.4.6-17.fc6.noarch.rpm, appeared to fail to run the
> overnight jobs in the correct domains.
> 
> Whilst investigating the issue, I noted the following:
> 
> crond starts up in crond_t, but seemingly transitions itself to
> system_crond_t via setexeccon().
> 
> anacron is also started in crond_t, but doesn't bother to call
> setexeccon(), and hence remains forever in crond_t.
> 
> Under targeted policy only, crond_t is a typealias for system_crond_t
> 
> The various auto-transitions to logrotate_t, logwatch_t and so on, are
> apparently linked to system_crond_t rather than crond_t. Hence
> anacron jobs never transition to system_crond_t, unless the policy is
> targeted, in which case anacron is already in system_crond_t by virtue
> of the typealias.
> 
> The fcron package in Extras appears to have sufficient functionality to
> replace both anacron and cron, and also knows about setexeccon(), but I
> didn't investigate this further.
> 
> The nsarefpolicy contains a separate transition from initrc_t to
> system_crond_t for anacron_exec_t, but the latest FC6 policy,
> (selinux-policy-2.4.6-17.fc6.noarch.rpm), has both the anacron_exec_t
> definition and the alternative transition patched out.
> 
> The latest rawhide policy contains some additional fixes for anacron
> covering /var/spool/anacron and /var/lock usage, but not the
> anacron_exec_t definition or the initrc_t -> system_crond_t transition.
> 
> Because the cron.fc already defines a label for /usr/sbin/anacron, I've
> manually labelled /usr/sbin/anacron to anacron_exec_t for the present.
> Obviously this label will be undone by any /.autorelabel I'm forced to
> invoke, until such time as this patch, or an equivalent fix, is
> released.
> 
> My current patch module, incorporating the cron fixes already in
> selinux-policy-2.4.6-21.fc6.noarch.rpm, is as below. The ifdef strict
> clause at the end avoids a double definition of the same policy on
> targeted where crond_t and system_crond_t are the same thing.
> 
> I guess that in an ideal world, anacron itself would be patched to
> launch all its child jobs in system_crond_t, further emulating crond's
> behaviour, and thereby avoiding this fixup.
> 
> 
> [root at topaz ~]# cat /root/selinux.local/localanacron.fc
> # anacrond executable will have:
> # label: system_u:object_r:anacron_exec_t
> # MLS sensitivity: s0
> # MCS categories: <none>
> 
> # We can't easily override the /usr/sbin/anacron setting in Fedora policy, so we create
> # a clone binary and label as anacron_exec_t
> /usr/sbin/anacrond              --      gen_context(system_u:object_r:anacron_exec_t,s0)
> 
> /var/lock/subsys/anacron        --      gen_context(system_u:object_r:system_crond_lock_t,s0)
> /var/spool/anacron(/.*)?                gen_context(system_u:object_r:cron_spool_t,s0)
> [root at topaz ~]#
> 
> 
> [root at topaz ~]# cat /root/selinux.local/localanacron.te
> 
> policy_module(localanacron,0.1.1)
> 
> require {
>         type system_crond_t;
>         type system_crond_lock_t;
>         type cron_spool_t;
>         type crond_var_run_t;
> }
> 
> ########################################
> #
> # Anacron local policy
> #
> 
> type anacron_exec_t;
> corecmd_executable_file(anacron_exec_t)
> 
> # anacron transitions directly to system_crond_t,
> # rather than crond_t because it doesn't currently
> # perform a setexeccon internally
> init_daemon_domain(system_crond_t,anacron_exec_t)
> 
> # Allow anacron to update spool files in /var/spool/anacron
> allow system_crond_t cron_spool_t:file create_file_perms;
> 
> # This is to handle creation of files in /var/lock directory. (anacron)
> allow system_crond_t system_crond_lock_t:file create_file_perms;
> files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
> 
> # Allow anacron to write to /var/run/anacron.pid
> ifdef(`strict_policy',`
>         allow system_crond_t crond_var_run_t:file create_file_perms;
>         files_pid_filetrans(system_crond_t,crond_var_run_t,file)
> ')
> [root at topaz ~]#
> 

-- 
Ted Rule

Director, Layer3 Systems Ltd

W: http://www.layer3.co.uk/
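The file_contexts entries in localanacron.fc above are regex, optional file-type qualifier (`--` means regular files only; no qualifier means any file type) and a gen_context() macro, and the kernel never sees them: setfiles/restorecon and matchpathcon(1) resolve a path against them. The following is an added example, not code from the post or from the SELinux reference policy, that resolves paths against those entries the way matchpathcon would, so you can confirm which label a relabel will apply to /usr/sbin/anacrond and /var/spool/anacron before touching the live system. The sample entries are constructed from the post, only the two-argument gen_context(ctx,mls) form is handled, and the precedence rule (longest literal prefix wins, later entry wins on ties) is an assumption that approximates setfiles' ordering.

```python
"""Resolve SELinux file contexts from file_contexts (.fc) entries.

Added example (not from the mailing-list post). Approximates what
matchpathcon(1) does for the localanacron.fc entries: each entry is a
regex, an optional type qualifier and a gen_context(...) macro.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample, taken from the .fc file in the post, one entry per line.
# The commented-out /var/lock/subsys/anacron entry is kept commented, as in
# the post, so it must NOT produce a label.
SAMPLE_FC = """
# anacrond executable will have label system_u:object_r:anacron_exec_t
/usr/sbin/anacrond              --      gen_context(system_u:object_r:anacron_exec_t,s0)
#/var/lock/subsys/anacron       --      gen_context(system_u:object_r:cron_lock_t,s0)
/var/spool/anacron(/.*)?                gen_context(system_u:object_r:cron_spool_t,s0)
"""

# file_contexts type qualifiers (same letters as find(1)'s -type).
TYPE_QUALIFIERS = {
    "--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
    "-p": "fifo_file", "-c": "chr_file", "-b": "blk_file",
}

# (regex, required file type or None, resolved context, literal-stem length)
Entry = Tuple[str, Optional[str], str, int]


def parse_fc(text: str) -> List[Entry]:
    """Parse .fc text into entries, skipping blank and '#' comment lines."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts[0], TYPE_QUALIFIERS[parts[1]], parts[2]
        elif len(parts) == 2:
            regex, ftype, ctx = parts[0], None, parts[1]
        else:
            raise ValueError(f"malformed file_contexts entry: {line!r}")
        # gen_context(user:role:type,mls) expands to user:role:type:mls
        m = re.fullmatch(r"gen_context\(([^,()]+),(\w+)\)", ctx)
        if m:
            ctx = f"{m.group(1)}:{m.group(2)}"
        # Literal prefix before the first regex metacharacter; used as the
        # specificity measure (assumption: approximates setfiles' stem rule).
        stem = re.split(r"[.^$*+?()\[\]{}|\\]", regex)[0]
        entries.append((regex, ftype, ctx, len(stem)))
    return entries


def match_context(entries: List[Entry], path: str, ftype: str = "file") -> Optional[str]:
    """Return the context an entry assigns to `path` of type `ftype`, or None.

    The whole path must match the regex (as setfiles anchors it); entries
    with a type qualifier only apply to that file type. Among matches the
    longest literal stem wins and, on ties, the later entry.
    """
    best: Optional[Tuple[int, str]] = None
    for regex, etype, ctx, stemlen in entries:
        if etype is not None and etype != ftype:
            continue
        if re.fullmatch(regex, path) and (best is None or stemlen >= best[0]):
            best = (stemlen, ctx)
    return best[1] if best else None


if __name__ == "__main__":
    fc = parse_fc(SAMPLE_FC)
    for p, t in [("/usr/sbin/anacrond", "file"), ("/usr/sbin/anacron", "file"),
                 ("/var/spool/anacron", "dir"), ("/var/spool/anacron/cron.daily", "file"),
                 ("/var/lock/subsys/anacron", "file")]:
        print(f"{p:32} {t:5} -> {match_context(fc, p, t)}")
```

Running it shows that the cloned binary /usr/sbin/anacrond gets anacron_exec_t while /usr/sbin/anacron gets no label from this module (the base cron.fc still owns it, which is why the post relabels it by hand), that the spool directory and its timestamp files both resolve to cron_spool_t, and that the commented-out lock entry contributes nothing.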




More information about the fedora-selinux-list mailing list