Domain transition missing

Vadym Chepkov chepkov at yahoo.com
Sat Jul 4 14:09:41 UTC 2009 

It would be nice if the interface would be smart enough and allow output from the cron job to be sent, but no one is perfect :)

----
type=AVC msg=audit(1246715821.417:10142): avc:  denied  { write } for  pid=11916 comm="winbind" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
----
type=AVC msg=audit(1246715821.780:10143): avc:  denied  { write } for  pid=11925 comm="winbindd" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

Sincerely yours,
  Vadym Chepkov


--- On Sat, 7/4/09, Vadym Chepkov <chepkov at yahoo.com> wrote:

> From: Vadym Chepkov <chepkov at yahoo.com>
> Subject: Re: Domain transition missing
> To: "Dominick Grift" <domg472 at gmail.com>
> Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> Date: Saturday, July 4, 2009, 10:00 AM
> This worked well too, thank you
> 
> system_u:system_r:winbind_t:SystemLow root
> 11926   1  0 09:57 ?     
>   00:00:00 winbindd
> system_u:system_r:winbind_t:SystemLow root 11928
> 11926  0 09:57 ?      00:00:00 winbindd
> system_u:system_r:winbind_t:SystemLow root 11954
> 11926  0 09:57 ?      00:00:00 winbindd
> system_u:system_r:winbind_t:SystemLow root 11956
> 11926  0 09:57 ?      00:00:00 winbindd
> system_u:system_r:winbind_t:SystemLow root 11957
> 11926  0 09:57 ?      00:00:00 winbindd
> 
> 
> Sincerely yours,
>   Vadym Chepkov
> 
> 
> --- On Sat, 7/4/09, Dominick Grift <domg472 at gmail.com>
> wrote:
> 
> > From: Dominick Grift <domg472 at gmail.com>
> > Subject: Re: Domain transition missing
> > To: "Vadym Chepkov" <chepkov at yahoo.com>
> > Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> > Date: Saturday, July 4, 2009, 9:28 AM
> > On Sat, 2009-07-04 at 06:18 -0700,
> > Vadym Chepkov wrote:
> > > That would be unfortunate. Mine approach is not
> > uncommon. If you look closely you will see the same
> > technique in wast scripts. spamassassin restarts
> itself when
> > it updates anti-spam rules, clamav does that
> (antivirus) and
> > on and on. I use Fedora 11, by the way.
> > > 
> > > For now, instead of creating a new policy I just
> added
> > 'runcon -t unconfind_t ' in the cron, and it seemed to
> did
> > the trick.  
> > > 
> > > Sincerely yours,
> > >   Vadym Chepkov
> > > 
> > 
> > Looking here:
> > http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/services/cron.if
> > line 235 to line 269.
> > 
> > That seems like a interface one might use in your
> > situation:
> > 
> > cron_system_entry(winbind_t, winbind_exec_t)
> > 
> > I admit that using cron with SELinux is not very easy
> > currently
> > 
> > > --- On Sat, 7/4/09, Dominick Grift <domg472 at gmail.com>
> > wrote:
> > > 
> > > > From: Dominick Grift <domg472 at gmail.com>
> > > > Subject: Re: Domain transition missing
> > > > To: "Vadym Chepkov" <chepkov at yahoo.com>
> > > > Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> > > > Date: Saturday, July 4, 2009, 8:57 AM
> > > > On Sat, 2009-07-04 at 05:48 -0700,
> > > > Vadym Chepkov wrote:
> > > > > I really get used to running my
> scripts
> > unconfined,
> > > > how I can accomplish it in this scenario?
> > > > > 
> > > > > Sincerely yours,
> > > > >   Vadym Chepkov
> > > > > 
> > > > 
> > > > if you want the system to run jobs you will
> need
> > to write
> > > > some policy or
> > > > extend the system_cronjob_t domain i think
> > > > 
> > > > 
> > > > Were those the only avc denial you got? I
> would
> > expect more
> > > > denials.
> > > > 
> > > > > --- On Sat, 7/4/09, Dominick Grift
> <domg472 at gmail.com>
> > > > wrote:
> > > > > 
> > > > > > From: Dominick Grift <domg472 at gmail.com>
> > > > > > Subject: Re: Domain transition
> missing
> > > > > > To: "Vadym Chepkov" <chepkov at yahoo.com>
> > > > > > Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> > > > > > Date: Saturday, July 4, 2009, 8:41
> AM
> > > > > > On Sat, 2009-07-04 at 14:38
> +0200,
> > > > > > Dominick Grift wrote:
> > > > > > > On Sat, 2009-07-04 at 05:11
> -0700,
> > Vadym
> > > > Chepkov
> > > > > > wrote:
> > > > > > > > Hi,
> > > > > > > > 
> > > > > > > > Last night I got a
> nasty
> > surprise from
> > > > selinux. I
> > > > > > am using winbind for external
> > authentication and
> > > > since it
> > > > > > has history of failures I have a
> simple
> > watchdog
> > > > implemented
> > > > > > to check the status and restart it
> if
> > necessary.
> > > > That
> > > > > > is  what happened last night and
> > as a law
> > > > abiding
> > > > > > selinux citizen I used 'service
> winbind
> > restart',
> > > > but it
> > > > > > seems the proper domain
> transitions is
> > missing
> > > > and winbind
> > > > > > was started in system_cronjob_t
> domain
> > instead of
> > > > winbind_t
> > > > > > and none of other domains could
> connect
> > to it.
> > > > > > > > 
> > > > > > > > I think jobs running
> from
> > cron should
> > > > be granted
> > > > > > the same transition rules as 
> > from
> > > > unconfined_t. 
> > > > > > > > 
> > > > > > > > I will file bugzilla
> report
> > about it,
> > > > but could
> > > > > > somebody help me with modifying
> my
> > local policy
> > > > until/if it
> > > > > > gets implemented, please? Thank
> you.
> > > > > > > > 
> > > > > > > > Sincerely yours,
> > > > > > > >   Vadym
> > Chepkov
> > > > > > > 
> > > > > > > A domain transition would
> be:
> > > > > > > 
> > > > > > > policy_module(mywinbind,
> 0.0.1)
> > > > > > > 
> > > > > > > require { type
> system_cronjob_t,
> > > > winbind_exec_t,
> > > > > > winbind_t; }
> > > > > > >
> > domain_auto_trans(system_cronjob_t,
> > > > winbind_exec_t,
> > > > > > winbind_t)
> > > > > > > 
> > > > > > > Can you show us the full raw
> avc
> > denial?
> > > > > > 
> > > > > > 
> > > > > > But personally would deal with
> this in
> > a
> > > > different way. I
> > > > > > would write
> > > > > > policy for the script that
> restarts
> > winbind and
> > > > then i
> > > > > > would create a
> > > > > > domain transition for the domain
> in
> > which the
> > > > script runs
> > > > > > to winbind_t.
> > > > > > 
> > > > > > Mainly because i wouldnt want to
> > extend/modify
> > > > > > system_cronjob_t
> > > > > > 
> > > > > > So: system_cronjob_t ->
> > myscript_exec_t ->
> > > > myscript_t
> > > > > > -> winbind_exec_t
> > > > > > -> winbind_t
> > > > > > 
> > > > > > > > --
> > > > > > > > fedora-selinux-list
> mailing
> > list
> > > > > > > > fedora-selinux-list at redhat.com
> > > > > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > > > > > > 
> > > > > > 
> > > > > > 
> > > > 
> > > > 
> > 
> >
>

More information about the fedora-selinux-list mailing list