selinux does not like crontab :(, default_t, kde

Daniel J Walsh dwalsh at redhat.com
Thu Mar 26 12:39:46 UTC 2009


On 03/25/2009 07:03 PM, Antonio Olivares wrote:
> Dear all,
>
> I have resolved one problem (not getting internet at startup by default), but have not fixed the crontab one and other(s):
>
> This one does not go away :(
>
>
> Summary:
>
> SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by crontab. It is not expected that this access
> is required by crontab and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023
> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Objects                socket [ unix_stream_socket ]
> Source                        crontab
> Source Path                   /usr/bin/crontab
> Port<Unknown>
> Host                          riohigh
> Source RPM Packages           cronie-1.2-7.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.8-3.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586
>                                #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon
> Alert Count                   177
> First Seen                    Mon 02 Mar 2009 07:11:37 PM CST
> Last Seen                     Wed 25 Mar 2009 04:57:03 PM CST
> Local ID                      3883b140-4d39-40f5-9262-ce2c4c4e2e16
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1238021823.376:68): avc:  denied  { read write } for  pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1238021823.376:68): avc:  denied  { read write } for  pid=4331 comm="crontab" path="socket:[53528]" dev=sockfs ino=53528 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=SYSCALL msg=audit(1238021823.376:68): arch=40000003 syscall=11 success=yes exit=0 a0=9fcb5c8 a1=9fcbd10 a2=9fb5ae0 a3=9fcbd10 items=0 ppid=4295 pid=4331 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
>
>
> I can't modify my crontab file:
>
> [olivares at riohigh ~]$ crontab -l
>
> Authentication service cannot retrieve authentication info
> You (olivares) are not allowed to access to (crontab) because of pam configuration.
> [olivares at riohigh ~]$
>
> If I disable SELinux, I can modify it and view it, but not with SELinux enabled.
>
> I got greeted with the following:
>
>
> Summary:
>
> SELinux is preventing access to files with the default label, default_t.
>
> Detailed Description:
>
> SELinux permission checks on files labeled default_t are being denied. These
> files/directories have the default label on them. This can indicate a labeling
> problem, especially if the files being referred to are not top level
> directories. Any files/directories under standard system directories, /usr,
> /var. /dev, /tmp, ..., should not be labeled with the default label. The default
> label is for files/directories which do not have a label on a parent directory.
> So if you create a new directory in / you might legitimately get this label.
>
> Allowing Access:
>
> If you want a confined domain to use these files you will probably need to
> relabel the file/directory with chcon. In some cases it is just easier to
> relabel the system, to relabel execute: "touch /.autorelabel; reboot"
>
> Additional Information:
>
> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:default_t:s0
> Target Objects                /.kde [ dir ]
> Source                        kde4-config
> Source Path                   /usr/bin/kde4-config
> Port<Unknown>
> Host                          riohigh
> Source RPM Packages           kdelibs-4.2.1-4.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.8-3.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   default
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586
>                                #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon
> Alert Count                   7
> First Seen                    Wed 25 Mar 2009 04:38:14 PM CST
> Last Seen                     Wed 25 Mar 2009 04:38:14 PM CST
> Local ID                      d3d42e40-6a28-48cf-8717-b85579c55bad
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1238020694.487:40): avc:  denied  { getattr } for  pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
>
> node=riohigh type=SYSCALL msg=audit(1238020694.487:40): arch=40000003 syscall=196 success=no exit=-13 a0=bfc3730b a1=bfc37258 a2=a12ff4 a3=a036c59 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
>
> Summary:
>
> SELinux is preventing access to files with the default label, default_t.
>
> Detailed Description:
>
> SELinux permission checks on files labeled default_t are being denied. These
> files/directories have the default label on them. This can indicate a labeling
> problem, especially if the files being referred to are not top level
> directories. Any files/directories under standard system directories, /usr,
> /var. /dev, /tmp, ..., should not be labeled with the default label. The default
> label is for files/directories which do not have a label on a parent directory.
> So if you create a new directory in / you might legitimately get this label.
>
> Allowing Access:
>
> If you want a confined domain to use these files you will probably need to
> relabel the file/directory with chcon. In some cases it is just easier to
> relabel the system, to relabel execute: "touch /.autorelabel; reboot"
>
> Additional Information:
>
> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:default_t:s0
> Target Objects                .kde [ dir ]
> Source                        kde4-config
> Source Path                   /usr/bin/kde4-config
> Port<Unknown>
> Host                          riohigh
> Source RPM Packages           kdelibs-4.2.1-4.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.8-3.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   default
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586
>                                #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon
> Alert Count                   23
> First Seen                    Wed 25 Mar 2009 04:38:14 PM CST
> Last Seen                     Wed 25 Mar 2009 04:38:14 PM CST
> Local ID                      711eec22-2695-4e57-91ad-622e9c5f3b53
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1238020694.489:42): avc:  denied  { search } for  pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
>
> node=riohigh type=SYSCALL msg=audit(1238020694.489:42): arch=40000003 syscall=196 success=no exit=-13 a0=a036c58 a1=bfc37230 a2=a12ff4 a3=a031250 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
>
>
> Startup did not take the 20 seconds, it took like 8 to 10 minutes with the relabeling and I still see the same things.  Is there an update that will fix this or do I have to disable selinux or boot in permissive in order to have a working machine?
>
> Please help, this is no longer as fun as it once was.
>
> Regards,
>
> Antonio
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

The kde read/writing to /.kde is a kde bug.  kdm should have a home 
directory that we could give access to, not /.  I have this setup and 
although it generates AVC's I am able to login fine.  Although gdm 
works better.

If you want to get rid of these avc's you could execute:

# semanage fcontext -a -t xdm_var_run_t '/\.kde(/.*)?'
# restorecon -R -v /.kde

Running crontab -e as root, the problem is also a kdebase/konsole problem of 
leaked file descriptors.  If you do an ls /proc/self/fd in the konsole 
you will see a whole bunch of file descriptors that have been leaked to 
the konsole.  When you start a confined domain from the console SELinux 
reports these leaked file descriptors and closes them.

ls -l /proc/self/fd

should show something like

# ls -l /proc/self/fd
total 0
lr-x------. 1 root root 64 2009-03-26 08:31 0 -> /dev/pts/4
lrwx------. 1 root root 64 2009-03-26 08:31 1 -> /dev/pts/4
lrwx------. 1 root root 64 2009-03-26 08:31 2 -> /dev/pts/4
lr-x------. 1 root root 64 2009-03-26 08:31 3 -> /proc/32759/fd

Which are three fd's to the terminal and one to the directory you are 
listing.

I see no avc that would break crontab -e?


[olivares at riohigh ~]$ crontab -l

Authentication service cannot retrieve authentication info
You (olivares) are not allowed to access to (crontab) because of pam 
configuration.

Looks like you are running this as a normal user?  Or are you running as 
root?


I can not get this to happen on my machine, so I think it might be 
something about the way you have pam setup?  Do you have anything 
special setup in pam?

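As an added example (not part of the thread, and not setroubleshoot's own logic), a small Python triage script that parses the raw AVC records quoted above, collapses the repeated lines setroubleshoot emits for the same denial, and tags each distinct denial either as the leaked-descriptor case Dan describes (target is a socket labeled with another process's domain) or as the default_t labeling case; the classification rules are my own heuristics.

```python
import re
from collections import Counter

# Sample records copied from the setroubleshoot reports quoted above
# (the crontab line appears twice on purpose: the report repeats it).
SAMPLE_AUDIT = """\
node=riohigh type=AVC msg=audit(1238021823.376:68): avc:  denied  { read write } for  pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc:  denied  { read write } for  pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238020694.487:40): avc:  denied  { getattr } for  pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')     # the "{ read write }" permission set


def parse_avc(line):
    """Return the key=value fields of one type=AVC record (plus 'perms'), or None."""
    if "type=AVC" not in line:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = PERMS_RE.search(line)
    rec["perms"] = tuple(m.group(1).split()) if m else ()
    return rec


def classify(rec):
    """Heuristic triage of one denial, following the reasoning in the reply above."""
    t_role, t_type = rec["tcontext"].split(":")[1:3]
    # A socket whose label is a process domain (role is not object_r) was created by
    # another process and inherited across exec: a leaked descriptor SELinux closes.
    if t_role != "object_r" and (rec["tclass"].endswith("_socket") or rec["tclass"] == "fd"):
        return "leaked-fd"
    # default_t means the object never received a proper label: relabel it
    # (semanage fcontext + restorecon) rather than writing an allow rule.
    if t_type == "default_t":
        return "mislabeled"
    return "other"


def triage(audit_text):
    """Collapse identical denials and tag each distinct one: [(key, count, tag), ...]."""
    seen, tags = Counter(), {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["comm"], rec["scontext"].split(":")[2],
               rec["tcontext"].split(":")[2], rec["tclass"], rec["perms"])
        seen[key] += 1
        tags[key] = classify(rec)
    return [(key, seen[key], tags[key]) for key in seen]


if __name__ == "__main__":
    for key, count, tag in triage(SAMPLE_AUDIT):
        print(f"{count:3d}x {tag:10s} {key}")
```

Run it against `ausearch -m avc` output (or the pasted report) to see which denials are labeling work and which are descriptors leaked by the launching program.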
