Mail from cron in Fedora 8

Paul Howarth paul at city-fan.org
Fri Nov 9 21:33:45 UTC 2007


On Fri, 09 Nov 2007 08:37:13 -0500
Stephen Smalley <sds at tycho.nsa.gov> wrote:

> On Fri, 2007-11-09 at 10:55 +0000, Paul Howarth wrote:
> > I have a cron job as follows:
> > 
> > # crontab -l -u softlib
> > 45 4 * * * /softlib/scripts/updates-sync | Mail -s "Fedora updates subset mirror report" phowarth
> > 
> > The script runs reposync to pull in a subset of the updates repo,
> > and I have the output piped into Mail.
> > 
> > This has been trouble free up until I upgraded to F8, with 
> > selinux-policy-3.0.8-44.fc8.
> > 
> > With SELinux in enforcing mode, the email I receive simply says 
> > "/usr/sbin/sendmail: Permission denied".
> > 
> > I tried creating a local policy module as usual and ended up with
> > this:
> > 
> > policy_module(localmisc, 0.0.7)
> > 
> > require {
> >          type system_mail_t;
> >          class netlink_route_socket { bind create getattr nlmsg_read read write };
> > }
> > 
> > #============= system_mail_t ==============
> > allow system_mail_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
> > unconfined_read_tmp_files(system_mail_t)
> > 
> > 
> > In permissive mode, this works, but in enforcing mode I just get
> > the usual "Permission denied"  message. There are no more avcs in
> > the audit logs, but there is this:
> > 
> > type=SELINUX_ERR msg=audit(1194605105.159:168):
> > security_compute_sid: invalid context
> > unconfined_u:unconfined_r:system_mail_t:s0 for
> > scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0
> > tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
> > type=SYSCALL msg=audit(1194605105.159:168): arch=40000003
> > syscall=11 success=no exit=-13 a0=805848b a1=9cf82b8 a2=bfcbf338
> > a3=9cf82b8 items=0 ppid=1537 pid=1550 auid=4294967295 uid=1502
> > gid=1502 euid=1502 suid=1502 fsuid=1502 egid=1502 sgid=1502
> > fsgid=1502 tty=(none) comm="Mail" exe="/bin/mail"
> > subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 key=(null)
> 
> That indicates a missing role types rule, e.g.
> 	role unconfined_r types system_mail_t;
> 
> Karl, old audit2allow dealt with those errors - new one needs to do
> likewise.

Thanks very much; the resulting policy module fixes the problem:

policy_module(localmisc, 0.0.8)

require {
        type system_mail_t;
        class netlink_route_socket { bind create getattr nlmsg_read read write };
}

#============= system_mail_t ==============
role unconfined_r types system_mail_t;
allow system_mail_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
unconfined_read_tmp_files(system_mail_t)


Is there any good reason why this shouldn't be in the default policy?
I'd have thought sending mail from cron jobs was a fairly common thing
to do?


> > I thought there might be something dontaudited so I tried using 
> > enableaudit.pp but the F8 policy doesn't include this. What's the
> > method for finding troublesome dontaudits that need to be allows in
> > F8?
> 
> semodule -DB will rebuild and reload policy w/o any dontaudit rules.
> semodule -B will then rebuild and reload policy with them.
> 
> This is an improvement over enableaudit.pp because it covers all
> modules, not just base.

Thanks; noted for future reference.

Cheers, Paul.
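The diagnosis in the thread turns on reading the SELINUX_ERR record: the
"invalid context" it names is the context the domain transition tried to
build, and the role and type in that context are exactly the pair a
"role ... types ...;" rule has to authorise. The script below is an added
example, not code from the thread or from the SELinux project; it derives
that rule from such records and wraps the result in a local module skeleton
in the style of the localmisc module above. The sample audit line is the one
quoted in the thread with its mail wrapping undone; the module name
"localmisc" and version "0.0.9" are assumptions, and declaring the role in the
require block is the script's own choice so the generated module is
self-contained.

```shell
#!/bin/sh
# Added example (not from the thread): turn SELINUX_ERR "invalid context"
# audit records into the "role <role> types <type>;" rules they call for.

# Constructed sample input: the audit record quoted in the thread, joined
# onto a single line as it appears in audit.log.
SAMPLE_AUDIT='type=SELINUX_ERR msg=audit(1194605105.159:168): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process'

# role_types_rule RECORD
# Prints "role <role> types <type>;" for the invalid context named in RECORD.
# Prints nothing and returns 1 when RECORD is not an invalid-context record
# (e.g. the SYSCALL record that follows it in the log).
role_types_rule() {
    ctx=$(printf '%s\n' "$1" | sed -n 's/.*invalid context \([^ ]*\) for .*/\1/p')
    [ -n "$ctx" ] || return 1
    # A context is user:role:type[:range]: the role is field 2, the type field 3.
    printf 'role %s types %s;\n' \
        "$(printf '%s\n' "$ctx" | cut -d: -f2)" \
        "$(printf '%s\n' "$ctx" | cut -d: -f3)"
}

# role_rules_from_log FILE
# Emits one rule per distinct invalid context found in an audit log file.
role_rules_from_log() {
    grep 'security_compute_sid: invalid context' "$1" |
    while IFS= read -r rec; do role_types_rule "$rec"; done | sort -u
}

# local_module NAME VERSION FILE
# Prints a minimal .te module carrying the derived rules. Each rule's role
# and type are also declared in the require block (assumption: this is what
# makes the module build stand-alone against the base policy).
local_module() {
    printf 'policy_module(%s, %s)\n\nrequire {\n' "$1" "$2"
    role_rules_from_log "$3" | while read -r _ role _ type; do
        printf '\trole %s;\n\ttype %s;\n' "$role" "${type%;}"
    done | sort -u
    printf '}\n\n'
    role_rules_from_log "$3"
}

# Stand-alone demonstration on the constructed sample record.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_AUDIT" > "$demo_log"
local_module localmisc 0.0.9 "$demo_log"
rm -f "$demo_log"
```

Pointed at a real log (`local_module localmisc 0.0.9 /var/log/audit/audit.log`)
it prints a module containing the same `role unconfined_r types system_mail_t;`
line that fixed the problem above; the allow rules for the netlink socket
still come from audit2allow, since they live in AVC records rather than
SELINUX_ERR ones, and the thread's `semodule -DB` is the way to make sure
no dontaudited AVCs are hiding before the two are combined.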