Domain transition missing

Daniel J Walsh dwalsh at redhat.com
Mon Jul 6 12:38:15 UTC 2009


On 07/04/2009 10:09 AM, Vadym Chepkov wrote:
> It would be nice if the interface would be smart enough and allow output from the cron job to be sent, but no one is perfect :)
>
> ----
> type=AVC msg=audit(1246715821.417:10142): avc:  denied  { write } for  pid=11916 comm="winbind" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
> ----
> type=AVC msg=audit(1246715821.780:10143): avc:  denied  { write } for  pid=11925 comm="winbindd" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
>
> Sincerely yours,
>    Vadym Chepkov
>
>
> --- On Sat, 7/4/09, Vadym Chepkov<chepkov at yahoo.com>  wrote:
>
>> From: Vadym Chepkov<chepkov at yahoo.com>
>> Subject: Re: Domain transition missing
>> To: "Dominick Grift"<domg472 at gmail.com>
>> Cc: "Fedora SELinux"<fedora-selinux-list at redhat.com>
>> Date: Saturday, July 4, 2009, 10:00 AM
>> This worked well too, thank you
>>
>> system_u:system_r:winbind_t:SystemLow root 11926     1  0 09:57 ?        00:00:00 winbindd
>> system_u:system_r:winbind_t:SystemLow root 11928 11926  0 09:57 ?        00:00:00 winbindd
>> system_u:system_r:winbind_t:SystemLow root 11954 11926  0 09:57 ?        00:00:00 winbindd
>> system_u:system_r:winbind_t:SystemLow root 11956 11926  0 09:57 ?        00:00:00 winbindd
>> system_u:system_r:winbind_t:SystemLow root 11957 11926  0 09:57 ?        00:00:00 winbindd
>>
>>
>> Sincerely yours,
>>    Vadym Chepkov
>>
>>
>> --- On Sat, 7/4/09, Dominick Grift<domg472 at gmail.com> wrote:
>>
>>> From: Dominick Grift<domg472 at gmail.com>
>>> Subject: Re: Domain transition missing
>>> To: "Vadym Chepkov"<chepkov at yahoo.com>
>>> Cc: "Fedora SELinux"<fedora-selinux-list at redhat.com>
>>> Date: Saturday, July 4, 2009, 9:28 AM
>>> On Sat, 2009-07-04 at 06:18 -0700, Vadym Chepkov wrote:
>>>> That would be unfortunate. My approach is not uncommon. If you look closely you will see the same technique in wast scripts. spamassassin restarts itself when it updates anti-spam rules, clamav does that (antivirus) and on and on. I use Fedora 11, by the way.
>>>> For now, instead of creating a new policy I just added 'runcon -t unconfind_t ' in the cron, and it seemed to do the trick.
>>>> Sincerely yours,
>>>>     Vadym Chepkov
>>>>
>>> Looking here:
>>> http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/services/cron.if
>>> lines 235 to 269.
>>>
>>> That seems like an interface one might use in your situation:
>>>
>>> cron_system_entry(winbind_t, winbind_exec_t)
>>>
>>> I admit that using cron with SELinux is not very easy currently
>>>
>>>> --- On Sat, 7/4/09, Dominick Grift<domg472 at gmail.com> wrote:
>>>>> From: Dominick Grift<domg472 at gmail.com>
>>>>> Subject: Re: Domain transition missing
>>>>> To: "Vadym Chepkov"<chepkov at yahoo.com>
>>>>> Cc: "Fedora SELinux"<fedora-selinux-list at redhat.com>
>>>>> Date: Saturday, July 4, 2009, 8:57 AM
>>>>> On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote:
>>>>>> I really get used to running my scripts unconfined, how can I accomplish it in this scenario?
>>>>>> Sincerely yours,
>>>>>>     Vadym Chepkov
>>>>>>
>>>>> if you want the system to run jobs you will need to write some policy or extend the system_cronjob_t domain I think
>>>>>
>>>>>
>>>>> Were those the only avc denials you got? I would expect more denials.
>>>>>
>>>>>> --- On Sat, 7/4/09, Dominick Grift <domg472 at gmail.com> wrote:
>>>>>>> From: Dominick Grift<domg472 at gmail.com>
>>>>>>> Subject: Re: Domain transition missing
>>>>>>> To: "Vadym Chepkov"<chepkov at yahoo.com>
>>>>>>> Cc: "Fedora SELinux"<fedora-selinux-list at redhat.com>
>>>>>>> Date: Saturday, July 4, 2009, 8:41 AM
>>>>>>> On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
>>>>>>>> On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Last night I got a nasty surprise from selinux. I am using winbind for external authentication and since it has a history of failures I have a simple watchdog implemented to check the status and restart it if necessary. That is what happened last night and as a law abiding selinux citizen I used 'service winbind restart', but it seems the proper domain transition is missing and winbind was started in system_cronjob_t domain instead of winbind_t and none of the other domains could connect to it.
>>>>>>>>> I think jobs running from cron should be granted the same transition rules as from unconfined_t.
>>>>>>>>> I will file a bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
>>>>>>>>> Sincerely yours,
>>>>>>>>>     Vadym Chepkov
>>>>>>>> A domain transition would be:
>>>>>>>> policy_module(mywinbind, 0.0.1)
>>>>>>>> require { type system_cronjob_t, winbind_exec_t, winbind_t; }
>>>>>>>> domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
>>>>>>>> Can you show us the full raw avc denial?
>>>>>>>
>>>>>>> But personally would deal with this in a different way. I would write policy for the script that restarts winbind and then I would create a domain transition for the domain in which the script runs to winbind_t.
>>>>>>>
>>>>>>> Mainly because I wouldn't want to extend/modify system_cronjob_t
>>>>>>>
>>>>>>> So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
>>>>>>>
>>>>>>>>> --
>>>>>>>>> fedora-selinux-list mailing list
>>>>>>>>> fedora-selinux-list at redhat.com
>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>>>
>>>>>
>>>
>


Miroslav,

I think you should add

dontaudit $1 crond_t:fifo_file rw_fifo_file_perms;

to cron_system_entry to eliminate this leaked file descriptor problem.
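Pulling the thread together, here is what a loadable local module looks like that applies Dominick's suggested interface call and carries the dontaudit Dan proposes for the leaked crond pipe. This is an added example, not code from the thread or from the reference policy; the module name, version, and the choice to name winbind_t directly (the interface's $1) in a local module are assumptions, and it presumes the refpolicy development headers are installed.

```selinux
# mywinbind.te: added example local module, not from the thread or refpolicy.
# Module name/version are assumptions for this illustration.
policy_module(mywinbind, 0.0.1)

require {
    type winbind_t;
    type winbind_exec_t;
    type crond_t;
}

# Let a system cron job (system_cronjob_t) execute winbind_exec_t and
# transition into winbind_t, so a watchdog's 'service winbind restart'
# no longer leaves winbindd running in system_cronjob_t where the
# other domains cannot connect to it.
cron_system_entry(winbind_t, winbind_exec_t)

# crond hands the job's stdout/stderr pipe (a crond_t fifo_file) to the
# restarted daemon; winbindd does not need it. Silence the denial rather
# than allow the write. This is the rule Dan suggests putting inside
# cron_system_entry as $1; here it is written out for winbind_t locally.
dontaudit winbind_t crond_t:fifo_file rw_fifo_file_perms;

# Build and load (requires the policy development headers):
#   make -f /usr/share/selinux/devel/Makefile mywinbind.pp
#   semodule -i mywinbind.pp
```

After loading, a `ps -eZ` should show winbindd in winbind_t when restarted from cron, and the fifo_file denials should stop appearing in the audit log.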




