selinux May 2020

selinux@lists.fedoraproject.org

10 participants
8 discussions

lnk_file read permission
by Gionatan Danti 31 Jul '20

31 Jul '20

Hi all, using selinux, I saw many times that when relocating service dirs (eg: mysql, mongodb, etc) putting a symlink in the original location, the affected services fail to start due to missing lnk_file read permission. As selinux works with target file label and it is path-agnostic (this is, indeed, a major selinux feature), while is the lnk_file read often not granted by default? Does granting it expose to additional attack vectors? Thanks. -- Danti Gionatan Supporto Tecnico Assyoma S.r.l. - www.assyoma.it [1] email: g.danti(a)assyoma.it - info(a)assyoma.it GPG public key ID: FF5F32A8

3 8

new service blocked by selinux
by Rod Davison 24 May '20

24 May '20

I am running fedora32. I am trying to start a program as a service and run it with a non-root user id (radmin). I have created /home/radmin/bin/jungledisk.sh (which has permission ug=rwx) I have create /etc/systemd/system/jungledisk.service When I start the service with "sudo systemctl restart jungledisk.service" I get error messages -- see below. I have attempted to follow the instructions to create a local policy from the log file by executing: sudo ausearch -c '(edisk.sh)' --raw | sudo audit2allow -M my-edisksh sudo semodule -X 300 -i my-edisksh.pp however, the behaviour is the same after running this. The jungledisk.service files is attempting to run jungledisk.sh as user radmin, if that's relevant. Advise appreciated. the following in my /var/log/messages file: May 23 17:53:32 localhost systemd[613445]: jungledisk.service: Failed to execute command: Permission denied May 23 17:53:32 localhost systemd[613445]: jungledisk.service: Failed at step EXEC spawning /home/radmin/bin/jungledisk.sh: Permission denied ... May 23 17:53:34 localhost setroubleshoot[613447]: SELinux is preventing (edisk.sh) from execute_no_trans access on the file /home/radmin/bin/jungledisk.sh. For complete SELinux messages run: sealert -l 0b9955ca-66c6-4039-9999-2dd7d4ec0fc8 May 23 17:53:34 localhost python3[613447]: SELinux is preventing (edisk.sh) from execute_no_trans access on the file /home/radmin/bin/jungledisk.sh.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that (edisk.sh) should be allowed execute_no_trans access on the jungledisk.sh file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c '(edisk.sh)' --raw | audit2allow -M my-edisksh#012# semodule -X 300 -i my-edisksh.pp#012 May 23 17:53:34 localhost dbus-broker-launch[281848]: avc: received policyload notice (seqno=3) May 23 17:53:34 localhost dbus-broker-launch[281848]: avc: received policyload notice (seqno=4) May 23 17:53:34 localhost systemd[11047]: selinux: avc: received policyload notice (seqno=3) May 23 17:53:34 localhost systemd[11047]: selinux: avc: received policyload notice (seqno=4) May 23 17:53:34 localhost systemd[11047]: Started dbus-:1.1-org.freedesktop.Notifications@14.service. May 23 17:53:34 localhost at-spi-bus-launcher[294822]: avc: received policyload notice (seqno=3) May 23 17:53:34 localhost at-spi-bus-launcher[294822]: avc: received policyload notice (seqno=4) May 23 17:53:37 localhost setroubleshoot[613447]: SELinux is preventing (edisk.sh) from execute_no_trans access on the file /home/radmin/bin/jungledisk.sh. For complete SELinux messages run: sealert -l 0b9955ca-66c6-4039-9999-2dd7d4ec0fc8 May 23 17:53:37 localhost python3[613447]: SELinux is preventing (edisk.sh) from execute_no_trans access on the file /home/radmin/bin/jungledisk.sh.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that (edisk.sh) should be allowed execute_no_trans access on the jungledisk.sh file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c '(edisk.sh)' --raw | audit2allow -M my-edisksh#012# semodule -X 300 -i my-edisksh.pp#012

2 2

Updating security classes and access vectors in Fedora policy?
by Stephen Smalley 20 May '20

20 May '20

Hi, Fedora policy has a number of differences in its security_classes and access_vectors from current refpolicy, and neither are fully up to date with the kernel (but refpolicy is closer). One consequence of this is that parts of the selinux-testsuite do not run by default on Fedora (including rawhide) at present and still require manual patching by testers if they want to exercise all the tests. Differences that I see include: - refpolicy has added the watch* permissions exercised by the selinux-testsuite/tests/{notify,filesystem,fs_filesystem} tests. These were first defined in refpolicy by https://github.com/SELinuxProject/refpolicy/commit/c656b97a289ce6c2da287170… but there have been a series of subsequent commits (one to fix an ordering problem to better align with the kernel) and then allowing these new watch permissions as needed. - refpolicy has added the perf_event class exercised by the selinux-testsuite/tests/perf_event tests. These were first defined in refpolicy by https://github.com/SELinuxProject/refpolicy/commit/624a63704c19a653486f37d1…. - Neither refpolicy nor fedora have yet added the lockdown class exercised by selinux-testsuite/tests/lockdown. The kernel commit introducing this class is https://github.com/SELinuxProject/selinux-kernel/commit/59438b46471ae6cdfb7…. Other differences that don't directly affect the testsuite execution: - Drop unused socket security classes, https://github.com/SELinuxProject/refpolicy/commit/4637cd6f898e95ffa95b2d08… - Remove unused permissions, https://github.com/SELinuxProject/refpolicy/commit/161bda392e61056ea22fe986… - Remove entrypoint and execute_no_trans from chr_file, https://github.com/SELinuxProject/refpolicy/commit/8486b8aa83afa7abd94c9338… - remove flow_in and flow_out permissions from packet class, https://github.com/SELinuxProject/refpolicy/commit/f4459adf3242ed2dbc35e212… - Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket classes, https://github.com/SELinuxProject/refpolicy/commit/5fd175fa453e995d8b7357b8… - Remove unused translate permission in context userspace class, https://github.com/SELinuxProject/refpolicy/commit/65da822c1b5c70bd1ff7eca6… - Fedora policy has an "undefined" permission in its class system access vector, not present in refpolicy (some kind of compatibility hack?). - Fedora policy has an "epolwakeup" permission in its class capability2 access vector, not present in refpolicy (old name for block_suspend, never included in an official kernel release, also not even correct originally - should have been epollwakeup). - Fedora policy has "getnetgrp" and "shmemnetgrp" permissions in its class nscd access vector, not sure if those are used by glibc/ncsd code but if so should get added to refpolicy too. - Fedora policy has a "proxy" class and access vector for "gssd", not present in refpolicy. If that's something that isn't Fedora-specific, it should probably get upstreamed to refpolicy although the class name isn't very descriptive. - refpolicy has "db_exception" and "db_datatype" classes and access vectors for "Interbase/Firebird/Red Database", not present in Fedora. Don't know if that matters to Fedora. - Various whitespace/comment cleanups in refpolicy not in Fedora. - process2 is declared at a different place in security_classes in refpolicy versus Fedora. Doesn't really matter since kernel uses dynamic class/perm support and no fixed definition ever defined in libselinux/libsepol headers but might be good to align them for consistency. NB The removals and renames may have some compatibility implications, e.g. a local or third party policy module built against the existing Fedora policy headers may have picked up dependencies on these classes/permissions and therefore may need to be rebuilt against the updated headers in order to still link successfully. This could break upon an update if those local or third party modules were installed at the time of the update since we'd fail on the semodule -B during %post, leaving the system with the old policy. rpm selinux support was supposed to fix that kind of thing by handling it via plugin and not from %post and rolling the package update back but never got adopted/used ;(

4 3

Issues with the include/contrib/courier.if policy
by Sam Varshavchik 16 May '20

16 May '20

Fedora's selinux package has a contributed policy for Courier, include/contrib/courier.if, which has two issues (that I found so far) with my upstream rpm packages. My rpm packages have worked this way for a long time, probably 15+ years, or so, this is not a recent change. The only thing that changed is that I'm actually tried to run in enforcing mode late last year, and ran into this. I'm picking this issue up now, for one last college try to figure out the fix. I couldn't figure out how courier.if works; so last time after doing some random reading, I was able to come up with a band-aid for the first issue. The rpm package installs a binary in /var/www/cgi-bin that talks to the running webmail daemon over an AF_Unix socket. selinux's policy was labeling the /var/www/cgi-bin binary, and blocking its socket connection. The band- aid was this additional local policy: policy_module(courier_webmail, 1.0) require { type httpd_sys_script_t; type courier_spool_t; }; allow httpd_sys_script_t courier_spool_t:dir search_dir_perms; allow httpd_sys_script_t courier_spool_t:sock_file manage_sock_file_perms; That seemed innocent enough. But I revisited the entire package this week, and found two more issues. The first one is an additional AVC that was now blocking the same webmail binary: type=AVC msg=audit(1589086763.118:1319): avc: denied { connectto } for pid=674413 comm="webmail" path="/var/spool/courier/sqwebmail.sock" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0 This was new, I could not figure out why the target context was unconfined, because: [root@jack ~]# ls -alZ /var/spool/courier/sqwebmail.sock srwxrwxrwx. 1 root root system_u:object_r:courier_spool_t:s0 0 May 10 01:15 /var/spool/courier/sqwebmail.sock As a band-aid on top of the first band-aid, I added allow httpd_sys_script_t unconfined_service_t:unix_stream_socket connectto; to the local policy, to get it working. But this doesn't seem ideal. The second issue was that an individual uninstall of one of the rpm- subpackages was hanging. selinux was blocking a signal sent by binary that %preun runs. The signal is sent to the running process: type=AVC msg=audit(1589082060.526:1156): avc: denied { signal } for pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0 and type=AVC msg=audit(1589082160.527:1172): avc: denied { sigkill } for pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0 The main rpm package's systemd unit runs a startup script that inventories which subpackages are installed, and starts each one's service. Manually uninstalling an rpm subpackage executes a %preun that stops just its own service, and this part is getting blocked. The binary that sends the signal appears to be labeled by the contributed Fedora policy: rwxr-xr-x. 1 daemon daemon system_u:object_r:courier_exec_t:s0 25296 May 9 23:19 /usr/sbin/courierlogger The binary is trying to send a signal to one of these processes: system_u:system_r:unconfined_service_t:s0 root 780748 780747 0 01:15 ? 00:00:00 /usr/lib/courier/sbin/couriertcpd [parameters] r-xr-xr-x. 1 daemon daemon system_u:object_r:bin_t:s0 142456 May 10 01:14 /usr/lib/courier/sbin/couriertcpd I could avoid this by systemctl stop in %preun and systemctl start in %postun, I suppose. Startup and shutdown, which sends the same signal via the same binary, seems to work when the main rpm package runs systemctl stop. But doing it this way stops and restarts everything when a single subpackage gets removed, this is not ideal.

2 6

Re: permission problems with script run via crondargs -m
by Robert Moskowitz 13 May '20

13 May '20

On 5/12/20 11:36 AM, Lukas Vrabec wrote: > On 5/12/20 1:31 PM, Robert Moskowitz wrote: >> Lukas, >> >> Failed again last night see the end of this message. >> >> On 5/11/20 9:40 AM, Lukas Vrabec wrote: >>> On 5/11/20 3:19 PM, Robert Moskowitz wrote: >>>> On 5/11/20 9:04 AM, Lukas Vrabec wrote: >>>>> On 5/11/20 2:23 PM, Robert Moskowitz wrote: >>>>>> A little background first. >>>>>> >>>>>> This is for Fedora 32 workstation which does not come with a >>>>>> default MTA >>>>>> and thus there is a slight challenge (ahem) getting CRON's output into >>>>>> the local mailstore. I don't want to install an MTA (leave why for >>>>>> Fedora users list discuss) and "procmail -f cron" leaves out a DATE >>>>>> header. So I wrote my own little script that I put in >>>>>> /usr/local/mycron >>>>>> that takes the output from cron and appends the proper content to >>>>>> /var/spool/mail/$USER. >>>>>> >>>>>> Works fine for my personal crontab, but has selinux problems for >>>>>> logwatch running as root (and probably any other cron task running as >>>>>> root). >>>>>> >>>>>> So I first got told by selinux troubleshooting that I needed: >>>>>> >>>>>> ausearch -c 'mycron' --raw | audit2allow -M my-mycron >>>>>> semodule -X 300 -i my-mycron.pp >>>>>> >>>>>> Which I did. Then after this night's run of logwatch, I see that I >>>>>> have >>>>>> the selinux troubleshoot icon, but when I look, it is empty? So I grep >>>>>> messages for logwatch, then grep the time it was running and found the >>>>>> following: >>>>>> >>>>>> May 11 03:43:19 lx140e setroubleshoot[121345]: SELinux is preventing >>>>>> mycron from add_name >>>>>> access on the directory root. For complete SELinux messages run: >>>>>> sealert >>>>>> -l 8eb93a73-c7ff- >>>>>> 42ec-bee1-594d77540808 >>>>>> May 11 03:43:19 lx140e python3[121345]: SELinux is preventing mycron >>>>>> from add_name access >>>>>> on the directory root.#012#012***** Plugin catchall (100. confidence) >>>>>> suggests ******** >>>>>> ******************#012#012If you believe that mycron should be allowed >>>>>> add_name access on >>>>>> the root directory by default.#012Then you should report this as a >>>>>> bug.#012You can generat >>>>>> e a local policy module to allow this access.#012Do#012allow this >>>>>> access >>>>>> for now by execut >>>>>> ing:#012# ausearch -c 'mycron' --raw | audit2allow -M my-mycron#012# >>>>>> semodule -X 300 -i my >>>>>> -mycron.pp#012 >>>>>> May 11 03:43:23 lx140e systemd[1]: >>>>>> dbus-:1.1-org.fedoraproject.Setroubleshootd@15.service: >>>>>> Succeeded. >>>>>> >>>>>> So it looks like now I am told to run: >>>>>> >>>>>> ausearch -c 'mycron' --raw | audit2allow -M my-mycron >>>>>> semodule -X 300 -i my-mycron.pp >>>>>> >>>>>> Wait, that is the same I ran earlier? And why did I have to grep >>>>>> messages to find these? >>>>>> >>>>> Hi, >>>>> >>>>> Could you please share output of this command: >>>>> >>>>> # sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808 >>>> # sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808 >>>> Error >>>> query_alerts error (1003): id (8eb93a73-c7ff-42ec-bee1-594d77540808) not >>>> found >>>> >>>> And from the first selinux alert: >>>> >>>> # sealert -l d05d8373-fae7-447e-b45a-74940959809e >>>> Error >>>> query_alerts error (1003): id (d05d8373-fae7-447e-b45a-74940959809e) not >>>> found >>>> >>>> I viewed the alerts with the SELinux troubleshooter, but I did NOT tell >>>> it to delete the alert :( >>>> >>> No problem, are you able to reproduce it? If yes, please do and then >>> attach: >>> >>> # ausearch -m AVC,USER_AVC -ts today >> # ausearch -m AVC,USER_AVC -ts today >> ---- >> time->Tue May 12 03:22:06 2020 >> type=AVC msg=audit(1589268126.630:3796): avc: denied { add_name } for >> pid=142359 comm="mycron" name="root" >> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 >> tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0 >> >> May 12 03:22:06 lx140e audit[142359]: AVC avc: denied { add_name } >> for pid=142359 comm="mycron" name="root" >> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 >> tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0 >> May 12 03:22:09 lx140e systemd[1]: Started >> dbus-:1.1-org.fedoraproject.Setroubleshootd@20.service. >> May 12 03:22:09 lx140e audit[1]: SERVICE_START pid=1 uid=0 >> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 >> msg='unit=dbus-:1.1-org.fedoraproject.Setroubleshootd@20 comm="systemd" >> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' >> May 12 03:22:13 lx140e systemd[1]: Started >> dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10.service. >> May 12 03:22:13 lx140e audit[1]: SERVICE_START pid=1 uid=0 >> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 >> msg='unit=dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10 >> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? >> terminal=? res=success' >> May 12 03:22:19 lx140e setroubleshoot[142374]: SELinux is preventing >> mycron from add_name access on the directory root. For complete SELinux >> messages run: sealert -l 9fd5890f-400b-4ae0-8a98-43575ac4913a >> May 12 03:22:19 lx140e python3[142374]: SELinux is preventing mycron >> from add_name access on the directory root.#012#012***** Plugin >> catchall (100. confidence) suggests **************************#012#012If >> you believe that mycron should be allowed add_name access on the root >> directory by default.#012Then you should report this as a bug.#012You >> can generate a local policy module to allow this access.#012Do#012allow >> this access for now by executing:#012# ausearch -c 'mycron' --raw | >> audit2allow -M my-mycron#012# semodule -X 300 -i my-mycron.pp#012 >> May 12 03:22:23 lx140e systemd[1]: >> dbus-:1.1-org.fedoraproject.Setroubleshootd@20.service: Succeeded. >> May 12 03:22:23 lx140e audit[1]: SERVICE_STOP pid=1 uid=0 >> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 >> msg='unit=dbus-:1.1-org.fedoraproject.Setroubleshootd@20 comm="systemd" >> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' >> May 12 03:22:23 lx140e systemd[1]: >> dbus-:1.1-org.fedoraproject.Setroubleshootd@20.service: Consumed 3.306s >> CPU time. >> May 12 03:22:25 lx140e systemd[1]: >> dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10.service: Succeeded. >> May 12 03:22:25 lx140e audit[1]: SERVICE_STOP pid=1 uid=0 >> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 >> msg='unit=dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10 >> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? >> terminal=? res=success' >> May 12 03:22:25 lx140e systemd[1]: >> dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10.service: >> Consumed 5.271s CPU time. >> >> # sealert -l 9fd5890f-400b-4ae0-8a98-43575ac4913a >> Error >> query_alerts error (1003): id (9fd5890f-400b-4ae0-8a98-43575ac4913a) not >> found >> >> > Can you attach your "mycron" script? THere is some issue with SELinux > domain transition. Oh, and this script runs fine for root's crontab tasks. It is failing on whatever kicks off logwatch.

3 5

Re: permission problems with script run via crondargs -m
by Robert Moskowitz 12 May '20

12 May '20

On 5/12/20 11:36 AM, Lukas Vrabec wrote: > On 5/12/20 1:31 PM, Robert Moskowitz wrote: >> Lukas, >> >> Failed again last night see the end of this message. >> >> On 5/11/20 9:40 AM, Lukas Vrabec wrote: >>> On 5/11/20 3:19 PM, Robert Moskowitz wrote: >>>> On 5/11/20 9:04 AM, Lukas Vrabec wrote: >>>>> On 5/11/20 2:23 PM, Robert Moskowitz wrote: >>>>>> A little background first. >>>>>> >>>>>> This is for Fedora 32 workstation which does not come with a >>>>>> default MTA >>>>>> and thus there is a slight challenge (ahem) getting CRON's output into >>>>>> the local mailstore. I don't want to install an MTA (leave why for >>>>>> Fedora users list discuss) and "procmail -f cron" leaves out a DATE >>>>>> header. So I wrote my own little script that I put in >>>>>> /usr/local/mycron >>>>>> that takes the output from cron and appends the proper content to >>>>>> /var/spool/mail/$USER. >>>>>> >>>>>> Works fine for my personal crontab, but has selinux problems for >>>>>> logwatch running as root (and probably any other cron task running as >>>>>> root). >>>>>> >>>>>> So I first got told by selinux troubleshooting that I needed: >>>>>> >>>>>> ausearch -c 'mycron' --raw | audit2allow -M my-mycron >>>>>> semodule -X 300 -i my-mycron.pp >>>>>> >>>>>> Which I did. Then after this night's run of logwatch, I see that I >>>>>> have >>>>>> the selinux troubleshoot icon, but when I look, it is empty? So I grep >>>>>> messages for logwatch, then grep the time it was running and found the >>>>>> following: >>>>>> >>>>>> May 11 03:43:19 lx140e setroubleshoot[121345]: SELinux is preventing >>>>>> mycron from add_name >>>>>> access on the directory root. For complete SELinux messages run: >>>>>> sealert >>>>>> -l 8eb93a73-c7ff- >>>>>> 42ec-bee1-594d77540808 >>>>>> May 11 03:43:19 lx140e python3[121345]: SELinux is preventing mycron >>>>>> from add_name access >>>>>> on the directory root.#012#012***** Plugin catchall (100. confidence) >>>>>> suggests ******** >>>>>> ******************#012#012If you believe that mycron should be allowed >>>>>> add_name access on >>>>>> the root directory by default.#012Then you should report this as a >>>>>> bug.#012You can generat >>>>>> e a local policy module to allow this access.#012Do#012allow this >>>>>> access >>>>>> for now by execut >>>>>> ing:#012# ausearch -c 'mycron' --raw | audit2allow -M my-mycron#012# >>>>>> semodule -X 300 -i my >>>>>> -mycron.pp#012 >>>>>> May 11 03:43:23 lx140e systemd[1]: >>>>>> dbus-:1.1-org.fedoraproject.Setroubleshootd@15.service: >>>>>> Succeeded. >>>>>> >>>>>> So it looks like now I am told to run: >>>>>> >>>>>> ausearch -c 'mycron' --raw | audit2allow -M my-mycron >>>>>> semodule -X 300 -i my-mycron.pp >>>>>> >>>>>> Wait, that is the same I ran earlier? And why did I have to grep >>>>>> messages to find these? >>>>>> >>>>> Hi, >>>>> >>>>> Could you please share output of this command: >>>>> >>>>> # sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808 >>>> # sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808 >>>> Error >>>> query_alerts error (1003): id (8eb93a73-c7ff-42ec-bee1-594d77540808) not >>>> found >>>> >>>> And from the first selinux alert: >>>> >>>> # sealert -l d05d8373-fae7-447e-b45a-74940959809e >>>> Error >>>> query_alerts error (1003): id (d05d8373-fae7-447e-b45a-74940959809e) not >>>> found >>>> >>>> I viewed the alerts with the SELinux troubleshooter, but I did NOT tell >>>> it to delete the alert :( >>>> >>> No problem, are you able to reproduce it? If yes, please do and then >>> attach: >>> >>> # ausearch -m AVC,USER_AVC -ts today >> # ausearch -m AVC,USER_AVC -ts today >> ---- >> time->Tue May 12 03:22:06 2020 >> type=AVC msg=audit(1589268126.630:3796): avc: denied { add_name } for >> pid=142359 comm="mycron" name="root" >> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 >> tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0 >> >> May 12 03:22:06 lx140e audit[142359]: AVC avc: denied { add_name } >> for pid=142359 comm="mycron" name="root" >> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 >> tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0 >> May 12 03:22:09 lx140e systemd[1]: Started >> dbus-:1.1-org.fedoraproject.Setroubleshootd@20.service. >> May 12 03:22:09 lx140e audit[1]: SERVICE_START pid=1 uid=0 >> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 >> msg='unit=dbus-:1.1-org.fedoraproject.Setroubleshootd@20 comm="systemd" >> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' >> May 12 03:22:13 lx140e systemd[1]: Started >> dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10.service. >> May 12 03:22:13 lx140e audit[1]: SERVICE_START pid=1 uid=0 >> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 >> msg='unit=dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10 >> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? >> terminal=? res=success' >> May 12 03:22:19 lx140e setroubleshoot[142374]: SELinux is preventing >> mycron from add_name access on the directory root. For complete SELinux >> messages run: sealert -l 9fd5890f-400b-4ae0-8a98-43575ac4913a >> May 12 03:22:19 lx140e python3[142374]: SELinux is preventing mycron >> from add_name access on the directory root.#012#012***** Plugin >> catchall (100. confidence) suggests **************************#012#012If >> you believe that mycron should be allowed add_name access on the root >> directory by default.#012Then you should report this as a bug.#012You >> can generate a local policy module to allow this access.#012Do#012allow >> this access for now by executing:#012# ausearch -c 'mycron' --raw | >> audit2allow -M my-mycron#012# semodule -X 300 -i my-mycron.pp#012 >> May 12 03:22:23 lx140e systemd[1]: >> dbus-:1.1-org.fedoraproject.Setroubleshootd@20.service: Succeeded. >> May 12 03:22:23 lx140e audit[1]: SERVICE_STOP pid=1 uid=0 >> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 >> msg='unit=dbus-:1.1-org.fedoraproject.Setroubleshootd@20 comm="systemd" >> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' >> May 12 03:22:23 lx140e systemd[1]: >> dbus-:1.1-org.fedoraproject.Setroubleshootd@20.service: Consumed 3.306s >> CPU time. >> May 12 03:22:25 lx140e systemd[1]: >> dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10.service: Succeeded. >> May 12 03:22:25 lx140e audit[1]: SERVICE_STOP pid=1 uid=0 >> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 >> msg='unit=dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10 >> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? >> terminal=? res=success' >> May 12 03:22:25 lx140e systemd[1]: >> dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10.service: >> Consumed 5.271s CPU time. >> >> # sealert -l 9fd5890f-400b-4ae0-8a98-43575ac4913a >> Error >> query_alerts error (1003): id (9fd5890f-400b-4ae0-8a98-43575ac4913a) not >> found >> >> > Can you attach your "mycron" script? THere is some issue with SELinux > domain transition. I just made a few improvements to it, but here is what ran last night: local]# cat mycron #!/bin/sh # the sed commands only work if USER == MAILTO in crontab exec 3>> /var/spool/mail/$USER exec 100>/var/tmp/$USERlock.lock || exit 1 flock -w 120 100 || exit 1 currentDate=$(date +'%a %b %d %T %Y') echo "From cron@localhost $currentDate" >&3 currentDate2=$(date +'%a, %e %b %Y %T %z (%Z)') echo "Date: $currentDate2" >&3 echo "Message-ID: $(uuidgen)@$HOSTNAME" >&3 # (cat) >&3 (sed -e "/^From: / s/$USER/$USER@$HOSTNAME/"|sed -e "/^To: / s/$USER/$USER@$HOSTNAME/") >&3 echo "" >&3 The flock stuff was added yesterday, and was not in the previous failures.

1 0

permission problems with script run via crondargs -m
by Robert Moskowitz 12 May '20

12 May '20

A little background first. This is for Fedora 32 workstation which does not come with a default MTA and thus there is a slight challenge (ahem) getting CRON's output into the local mailstore. I don't want to install an MTA (leave why for Fedora users list discuss) and "procmail -f cron" leaves out a DATE header. So I wrote my own little script that I put in /usr/local/mycron that takes the output from cron and appends the proper content to /var/spool/mail/$USER. Works fine for my personal crontab, but has selinux problems for logwatch running as root (and probably any other cron task running as root). So I first got told by selinux troubleshooting that I needed: ausearch -c 'mycron' --raw | audit2allow -M my-mycron semodule -X 300 -i my-mycron.pp Which I did. Then after this night's run of logwatch, I see that I have the selinux troubleshoot icon, but when I look, it is empty? So I grep messages for logwatch, then grep the time it was running and found the following: May 11 03:43:19 lx140e setroubleshoot[121345]: SELinux is preventing mycron from add_name access on the directory root. For complete SELinux messages run: sealert -l 8eb93a73-c7ff- 42ec-bee1-594d77540808 May 11 03:43:19 lx140e python3[121345]: SELinux is preventing mycron from add_name access on the directory root.#012#012***** Plugin catchall (100. confidence) suggests ******** ******************#012#012If you believe that mycron should be allowed add_name access on the root directory by default.#012Then you should report this as a bug.#012You can generat e a local policy module to allow this access.#012Do#012allow this access for now by execut ing:#012# ausearch -c 'mycron' --raw | audit2allow -M my-mycron#012# semodule -X 300 -i my -mycron.pp#012 May 11 03:43:23 lx140e systemd[1]: dbus-:1.1-org.fedoraproject.Setroubleshootd@15.service: Succeeded. So it looks like now I am told to run: ausearch -c 'mycron' --raw | audit2allow -M my-mycron semodule -X 300 -i my-mycron.pp Wait, that is the same I ran earlier? And why did I have to grep messages to find these? Now I did update mycron in between. Will I have to run this every time I update mycron? How do I make it permanent? Also right now there is no /var/spool/mail/root mbox file. thanks

2 5

openarc package needs a selinux module
by Matt Domsch 02 May '20

02 May '20

The openarc package provides a milter implementing the Authenticated Receive Chain (ARC) email signing and verification method as described in RFC 8617. See also http://arc-spec.org/. This software is very similar in behavior as that of OpenDKIM, in that: - it can open and listen on a tcp or a unix socket in /run/openarc to which an MTA connects (e.g. sendmail or postfix) - it must make outgoing DNS requests to look up keys in DNS TXT records. When run without a policy, it fails with sendmail unable to connect to sockets of type var_run_t in /etc/openarc/openarc.sock. At a minimum, we need to label /etc/openarc/* in a way that postfix and sendmail can connect. We've experimented with reusing dkim_milter_data_t , which does work: /var/run/openarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) /var/spool/postfix/var/run/openarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) In addition, I note that the dkim-milter (not the opendkim package) also has a file context to protect it's private keys. /etc/mail/dkim-milter/keys(/.*)? all files system_u:object_r:dkim_milter_private_key_t:s0 and runs in a context of dkim_milter_exec_t rather than unconfined_t. This is being discussed in github PR contents upstream. https://github.com/trusteddomainproject/OpenARC/pull/103 What's the best way to proceed? Thanks, Matt

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux May 2020