Mail from cron in Fedora 8

Stephen Smalley sds at tycho.nsa.gov
Fri Nov 9 13:37:13 UTC 2007


On Fri, 2007-11-09 at 10:55 +0000, Paul Howarth wrote:
> I have a cron job as follows:
> 
> # crontab -l -u softlib
> 45 4 * * * /softlib/scripts/updates-sync | Mail -s "Fedora updates subset mirror report" phowarth
> 
> The script runs reposync to pull in a subset of the updates repo, and I 
> have the output piped into Mail.
> 
> This has been trouble free up until I upgraded to F8, with 
> selinux-policy-3.0.8-44.fc8.
> 
> With SELinux in enforcing mode, the email I receive simply says 
> "/usr/sbin/sendmail: Permission denied".
> 
> I tried creating a local policy module as usual and ended up with this:
> 
> policy_module(localmisc, 0.0.7)
> 
> require {
>          type system_mail_t;
>          class netlink_route_socket { bind create getattr nlmsg_read read write };
> }
> 
> #============= system_mail_t ==============
> allow system_mail_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
> unconfined_read_tmp_files(system_mail_t)
> 
> 
> In permissive mode, this works, but in enforcing mode I just get the 
> usual "Permission denied" message. There are no more avcs in the audit 
> logs, but there is this:
> 
> type=SELINUX_ERR msg=audit(1194605105.159:168): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1194605105.159:168): arch=40000003 syscall=11 success=no exit=-13 a0=805848b a1=9cf82b8 a2=bfcbf338 a3=9cf82b8 items=0 ppid=1537 pid=1550 auid=4294967295 uid=1502 gid=1502 euid=1502 suid=1502 fsuid=1502 egid=1502 sgid=1502 fsgid=1502 tty=(none) comm="Mail" exe="/bin/mail" subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 key=(null)

That indicates a missing role types rule, e.g.
	role unconfined_r types system_mail_t;

Karl, old audit2allow dealt with those errors - new one needs to do
likewise.

> I thought there might be something dontaudited so I tried using 
> enableaudit.pp but the F8 policy doesn't include this. What's the method 
> for finding troublesome dontaudits that need to be allows in F8?

semodule -DB will rebuild and reload policy w/o any dontaudit rules.
semodule -B will then rebuild and reload policy with them.

This is an improvement over enableaudit.pp because it covers all
modules, not just base.

Fedora SELinux FAQ is way over due for an update...
 
-- 
Stephen Smalley
National Security Agency
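The derivation Stephen describes (turning a SELINUX_ERR security_compute_sid record into the missing `role R types T;` rule, as old audit2allow did), written out as an added example; it is not part of this thread nor of audit2allow itself. The audit text is constructed from the record quoted above, and the module name/version and the `render_module` helper are assumptions:

```python
import re

# Constructed audit excerpt, modelled on the record quoted in the thread
# (re-joined onto single lines, as auditd actually writes them).
SAMPLE_AUDIT = (
    "type=SELINUX_ERR msg=audit(1194605105.159:168): security_compute_sid: "
    "invalid context unconfined_u:unconfined_r:system_mail_t:s0 for "
    "scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 "
    "tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process\n"
    "type=SYSCALL msg=audit(1194605105.159:168): arch=40000003 syscall=11 "
    "success=no exit=-13 comm=\"Mail\" exe=\"/bin/mail\"\n"
)

# The kernel computed a transition target whose role/type pair is not
# authorised by any "role R types T;" rule, so the exec fails with EACCES
# and no AVC denial is logged; only this SELINUX_ERR record remains.
COMPUTE_SID_RE = re.compile(
    r"type=SELINUX_ERR .*?security_compute_sid: invalid context (?P<ctx>\S+) "
    r"for scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)"
)


def role_rules_from_audit(text):
    """Return the sorted 'role R types T;' rules needed for each invalid process context."""
    rules = set()
    for m in COMPUTE_SID_RE.finditer(text):
        if m.group("tclass") != "process":
            continue  # only domain transitions are fixed by a role-types rule
        # A context is user:role:type[:range]; the MLS range is irrelevant here.
        _user, role, type_ = m.group("ctx").split(":", 3)[:3]
        rules.add(f"role {role} types {type_};")
    return sorted(rules)


def render_module(name, version, rules):
    """Emit .te source for a loadable module that declares what the rules reference."""
    roles = sorted({r.split()[1] for r in rules})
    types = sorted({r.split()[3].rstrip(";") for r in rules})
    lines = [f"policy_module({name}, {version})", "", "require {"]
    lines += [f"\trole {r};" for r in roles] + [f"\ttype {t};" for t in types]
    lines += ["}", ""] + list(rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Module name follows the poster's localmisc; the version bump is made up.
    print(render_module("localmisc", "0.0.8", role_rules_from_audit(SAMPLE_AUDIT)))
```

The emitted source still has to be compiled and loaded the same way the original localmisc module was; the point is only that the rule comes from the SELINUX_ERR record, not from an AVC line.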
