On 5/12/20 11:36 AM, Lukas Vrabec wrote:
> On 5/12/20 1:31 PM, Robert Moskowitz wrote:
>> Lukas,
>>
>> Failed again last night see the end of this message.
>>
>> On 5/11/20 9:40 AM, Lukas Vrabec wrote:
>>> On 5/11/20 3:19 PM, Robert Moskowitz wrote:
>>>> On 5/11/20 9:04 AM, Lukas Vrabec wrote:
>>>>> On 5/11/20 2:23 PM, Robert Moskowitz wrote:
>>>>>> A little background first.
>>>>>>
>>>>>> This is for Fedora 32 workstation which does not come with a default MTA
>>>>>> and thus there is a slight challenge (ahem) getting CRON's output into
>>>>>> the local mailstore. I don't want to install an MTA (leave why for
>>>>>> Fedora users list discuss) and "procmail -f cron" leaves out a DATE
>>>>>> header. So I wrote my own little script that I put in /usr/local/mycron
>>>>>> that takes the output from cron and appends the proper content to
>>>>>> /var/spool/mail/$USER.
>>>>>>
>>>>>> Works fine for my personal crontab, but has selinux problems for
>>>>>> logwatch running as root (and probably any other cron task running as
>>>>>> root).
>>>>>>
>>>>>> So I first got told by selinux troubleshooting that I needed:
>>>>>>
>>>>>> ausearch -c 'mycron' --raw | audit2allow -M my-mycron
>>>>>> semodule -X 300 -i my-mycron.pp
>>>>>>
>>>>>> Which I did. Then after this night's run of logwatch, I see that I
>>>>>> have
>>>>>> the selinux troubleshoot icon, but when I look, it is empty? So I grep
>>>>>> messages for logwatch, then grep the time it was running and found the
>>>>>> following:
>>>>>>
>>>>>> May 11 03:43:19 lx140e setroubleshoot[121345]: SELinux is preventing
>>>>>> mycron from add_name access on the directory root. For complete SELinux
>>>>>> messages run: sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
>>>>>> May 11 03:43:19 lx140e python3[121345]: SELinux is preventing mycron
>>>>>> from add_name access on the directory root.#012#012***** Plugin
>>>>>> catchall (100. confidence) suggests **************************#012#012If
>>>>>> you believe that mycron should be allowed add_name access on the root
>>>>>> directory by default.#012Then you should report this as a bug.#012You
>>>>>> can generate a local policy module to allow this access.#012Do#012allow
>>>>>> this access for now by executing:#012# ausearch -c 'mycron' --raw |
>>>>>> audit2allow -M my-mycron#012# semodule -X 300 -i my-mycron.pp#012
>>>>>> May 11 03:43:23 lx140e systemd[1]:
>>>>>> dbus-:1.1-org.fedoraproject.Setroubleshootd@15.service: Succeeded.
>>>>>>
>>>>>> So it looks like now I am told to run:
>>>>>>
>>>>>> ausearch -c 'mycron' --raw | audit2allow -M my-mycron
>>>>>> semodule -X 300 -i my-mycron.pp
>>>>>>
>>>>>> Wait, that is the same I ran earlier? And why did I have to grep
>>>>>> messages to find these?
>>>>>>
>>>>> Hi,
>>>>>
>>>>> Could you please share output of this command:
>>>>>
>>>>> # sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
>>>> # sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
>>>> Error
>>>> query_alerts error (1003): id (8eb93a73-c7ff-42ec-bee1-594d77540808) not
>>>> found
>>>>
>>>> And from the first selinux alert:
>>>>
>>>> # sealert -l d05d8373-fae7-447e-b45a-74940959809e
>>>> Error
>>>> query_alerts error (1003): id (d05d8373-fae7-447e-b45a-74940959809e) not
>>>> found
>>>>
>>>> I viewed the alerts with the SELinux troubleshooter, but I did NOT tell
>>>> it to delete the alert :(
>>>>
>>> No problem, are you able to reproduce it? If yes, please do and then
>>> attach:
>>>
>>> # ausearch -m AVC,USER_AVC -ts today
>> # ausearch -m AVC,USER_AVC -ts today
>> ----
>> time->Tue May 12 03:22:06 2020
>> type=AVC msg=audit(1589268126.630:3796): avc: denied { add_name } for
>> pid=142359 comm="mycron" name="root"
>> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0
>>
>> May 12 03:22:06 lx140e audit[142359]: AVC avc: denied { add_name }
>> for pid=142359 comm="mycron" name="root"
>> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0
>> May 12 03:22:09 lx140e systemd[1]: Started
>> dbus-:1.1-org.fedoraproject.Setroubleshootd@20.service.
>> May 12 03:22:09 lx140e audit[1]: SERVICE_START pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>> msg='unit=dbus-:1.1-org.fedoraproject.Setroubleshootd@20 comm="systemd"
>> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>> May 12 03:22:13 lx140e systemd[1]: Started
>> dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10.service.
>> May 12 03:22:13 lx140e audit[1]: SERVICE_START pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>> msg='unit=dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10
>> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
>> terminal=? res=success'
>> May 12 03:22:19 lx140e setroubleshoot[142374]: SELinux is preventing
>> mycron from add_name access on the directory root. For complete SELinux
>> messages run: sealert -l 9fd5890f-400b-4ae0-8a98-43575ac4913a
>> May 12 03:22:19 lx140e python3[142374]: SELinux is preventing mycron
>> from add_name access on the directory root.#012#012***** Plugin
>> catchall (100. confidence) suggests **************************#012#012If
>> you believe that mycron should be allowed add_name access on the root
>> directory by default.#012Then you should report this as a bug.#012You
>> can generate a local policy module to allow this access.#012Do#012allow
>> this access for now by executing:#012# ausearch -c 'mycron' --raw |
>> audit2allow -M my-mycron#012# semodule -X 300 -i my-mycron.pp#012
>> May 12 03:22:23 lx140e systemd[1]:
>> dbus-:1.1-org.fedoraproject.Setroubleshootd@20.service: Succeeded.
>> May 12 03:22:23 lx140e audit[1]: SERVICE_STOP pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>> msg='unit=dbus-:1.1-org.fedoraproject.Setroubleshootd@20 comm="systemd"
>> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>> May 12 03:22:23 lx140e systemd[1]:
>> dbus-:1.1-org.fedoraproject.Setroubleshootd@20.service: Consumed 3.306s
>> CPU time.
>> May 12 03:22:25 lx140e systemd[1]:
>> dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10.service: Succeeded.
>> May 12 03:22:25 lx140e audit[1]: SERVICE_STOP pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>> msg='unit=dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10
>> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
>> terminal=? res=success'
>> May 12 03:22:25 lx140e systemd[1]:
>> dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@10.service:
>> Consumed 5.271s CPU time.
>>
>> # sealert -l 9fd5890f-400b-4ae0-8a98-43575ac4913a
>> Error
>> query_alerts error (1003): id (9fd5890f-400b-4ae0-8a98-43575ac4913a) not
>> found
>>
>>
> Can you attach your "mycron" script? THere is some issue with SELinux
> domain transition.
I just made a few improvements to it, but here is what ran last night:
# cat mycron
#!/bin/sh
# Fedora's /bin/sh is bash; fd 100 below needs bash, strict POSIX sh only guarantees fds 0-9.
# the sed commands only work if USER == MAILTO in crontab
exec 3>> /var/spool/mail/$USER
# ${USER}lock: "$USERlock" would expand the (empty) variable USERlock instead
exec 100>/var/tmp/${USER}lock.lock || exit 1
flock -w 120 100 || exit 1
# mbox "From " separator line, then the headers cron leaves out
currentDate=$(date +'%a %b %d %T %Y')
echo "From cron@localhost $currentDate" >&3
currentDate2=$(date +'%a, %e %b %Y %T %z (%Z)')
echo "Date: $currentDate2" >&3
echo "Message-ID: <$(uuidgen)@$HOSTNAME>" >&3
# (cat) >&3
# copy cron's message from stdin, qualifying the bare user name in From:/To:
sed -e "/^From: / s/$USER/$USER@$HOSTNAME/" -e "/^To: / s/$USER/$USER@$HOSTNAME/" >&3
# blank line so the next message's "From " separator is recognized
echo "" >&3
The flock stuff was added yesterday, and was not in the previous failures.
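An added example, not part of the thread: a small Python parser over the AVC record quoted above that reconstructs the allow rule audit2allow -M would write into my-mycron.te, and shows why rerunning the same command after a new denial is not a no-op, since the module is regenerated from every matching record and so gains the add_name rule (creating the entry "root" in the mail_spool_t directory) that the first run lacked. The earlier "append" denial is constructed for illustration and is not from the page.

```python
import re

# AVC record quoted in the thread above (ausearch -m AVC output), one record per line.
THREAD_AVC = (
    'type=AVC msg=audit(1589268126.630:3796): avc: denied { add_name } for '
    'pid=142359 comm="mycron" name="root" '
    'scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0'
)
# Constructed earlier denial (not from the page): what a first audit2allow run might have seen.
CONSTRUCTED_EARLIER_AVC = (
    'type=AVC msg=audit(1589181726.000:3700): avc: denied { append } for '
    'pid=140001 comm="mycron" name="root" '
    'scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(record):
    """Extract source type, target type, object class and permissions of one AVC denial."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    return {
        "stype": m["scontext"].split(":")[2],
        "ttype": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
        "perms": sorted(m["perms"].split()),
    }

def allow_rule(d):
    """The allow rule audit2allow would emit for one (source, target, class) triple."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ " + " ".join(d["perms"]) + " }"
    return f'allow {d["stype"]} {d["ttype"]}:{d["tclass"]} {perms};'

def rules_for(records):
    """Merge denials per (source, target, class) into allow rules, as audit2allow does."""
    merged = {}
    for r in records:
        d = parse_avc(r)
        if d is not None:
            merged.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    return [allow_rule({"stype": s, "ttype": t, "tclass": c, "perms": sorted(p)})
            for (s, t, c), p in merged.items()]

def new_rules(old_records, all_records):
    """Rules a regenerated module gains over the one built from old_records only."""
    return [r for r in rules_for(all_records) if r not in rules_for(old_records)]
```

Read the generated .te before semodule -i: the rule here lets every logwatch_t process create entries in any mail_spool_t directory, which is broader than the single spool file the script needs.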