It would be nice if the interface would be smart enough and allow output from the cron job
to be sent, but no one is perfect :)
----
type=AVC msg=audit(1246715821.417:10142): avc: denied { write } for pid=11916 comm="winbind" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
----
type=AVC msg=audit(1246715821.780:10143): avc: denied { write } for pid=11925 comm="winbindd" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
Sincerely yours,
Vadym Chepkov
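As an added example (not code from this thread), a small Python check that parses AVC records like the two above and separates the two situations the thread discusses: a daemon left in system_cronjob_t because no domain transition happened, and a daemon that did transition but is denied writing its output back to the crond_t pipe. The expected-domain table and the sample records are constructed for the example.

```python
import re

# Constructed sample audit records, modelled on the two denials quoted above
# (a real audit.log keeps each record on one line).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1246715821.417:10142): avc: denied { write } for pid=11916 comm="winbind" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1246715821.780:10143): avc: denied { write } for pid=11925 comm="winbindd" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
"""

# Domain each daemon is expected to run in (assumption made for the example).
EXPECTED_DOMAIN = {"winbind": "winbind_t", "winbindd": "winbind_t"}

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r"denied \{ ([^}]*) \}")

def parse_avc(line):
    """Return the key=value fields of one AVC record, or None if not an AVC."""
    if not line.startswith("type=AVC"):
        return None
    rec = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    m = _PERMS.search(line)
    rec["perms"] = m.group(1).split() if m else []
    return rec

def domain_of(context):
    """Type (third field) of a user:role:type[:range] security context."""
    return context.split(":")[2]

def misplaced_domains(audit_text):
    """Flag source processes running in a domain other than the one expected
    for their comm, e.g. winbind stuck in system_cronjob_t because the cron
    job never transitioned to winbind_t."""
    findings = []
    for rec in map(parse_avc, audit_text.splitlines()):
        if not rec or "scontext" not in rec:
            continue
        comm = rec.get("comm", "")
        actual, expected = domain_of(rec["scontext"]), EXPECTED_DOMAIN.get(comm)
        if expected and actual != expected:
            findings.append((int(rec["pid"]), comm, actual, expected))
    return findings

def cron_output_denials(audit_text):
    """Pids whose (correctly transitioned) domain was denied writing the crond_t
    pipe, i.e. the job can run but cannot hand its output back to cron."""
    return [int(r["pid"]) for r in map(parse_avc, audit_text.splitlines())
            if r and r.get("tclass") == "fifo_file" and "write" in r["perms"]
            and domain_of(r.get("tcontext", "::")) == "crond_t"
            and domain_of(r.get("scontext", "::")) != "system_cronjob_t"]
```

The first record is reported as a missing transition, the second as a job that transitioned but cannot write its output to the cron pipe.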
--- On Sat, 7/4/09, Vadym Chepkov <chepkov(a)yahoo.com> wrote:
From: Vadym Chepkov <chepkov(a)yahoo.com>
Subject: Re: Domain transition missing
To: "Dominick Grift" <domg472(a)gmail.com>
Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
Date: Saturday, July 4, 2009, 10:00 AM
This worked well too, thank you
system_u:system_r:winbind_t:SystemLow root 11926     1  0 09:57 ?        00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11928 11926  0 09:57 ?        00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11954 11926  0 09:57 ?        00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11956 11926  0 09:57 ?        00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11957 11926  0 09:57 ?        00:00:00 winbindd
Sincerely yours,
Vadym Chepkov
--- On Sat, 7/4/09, Dominick Grift <domg472(a)gmail.com> wrote:
> From: Dominick Grift <domg472(a)gmail.com>
> Subject: Re: Domain transition missing
> To: "Vadym Chepkov" <chepkov(a)yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> Date: Saturday, July 4, 2009, 9:28 AM
> On Sat, 2009-07-04 at 06:18 -0700, Vadym Chepkov wrote:
> > That would be unfortunate. My approach is not uncommon. If you look closely you will see the same technique in wast scripts. spamassassin restarts itself when it updates anti-spam rules, clamav does that (antivirus) and on and on. I use Fedora 11, by the way.
> >
> > For now, instead of creating a new policy I just added 'runcon -t unconfined_t ' in the cron, and it seemed to do the trick.
> >
> > Sincerely yours,
> > Vadym Chepkov
> >
>
> Looking here:
>
> http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/ser...
> line 235 to line 269.
>
> That seems like an interface one might use in your situation:
>
> cron_system_entry(winbind_t, winbind_exec_t)
>
> I admit that using cron with SELinux is not very easy currently
>
> > --- On Sat, 7/4/09, Dominick Grift <domg472(a)gmail.com> wrote:
> >
> > > From: Dominick Grift <domg472(a)gmail.com>
> > > Subject: Re: Domain transition missing
> > > To: "Vadym Chepkov" <chepkov(a)yahoo.com>
> > > Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> > > Date: Saturday, July 4, 2009, 8:57 AM
> > > On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote:
> > > > I really got used to running my scripts unconfined; how can I accomplish it in this scenario?
> > > >
> > > > Sincerely yours,
> > > > Vadym Chepkov
> > > >
> > >
> > > if you want the system to run jobs you will need to write some policy or extend the system_cronjob_t domain, I think
> > >
> > > Were those the only avc denials you got? I would expect more denials.
> > >
> > > > --- On Sat, 7/4/09, Dominick Grift <domg472(a)gmail.com> wrote:
> > > >
> > > > > From: Dominick Grift <domg472(a)gmail.com>
> > > > > Subject: Re: Domain transition missing
> > > > > To: "Vadym Chepkov" <chepkov(a)yahoo.com>
> > > > > Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> > > > > Date: Saturday, July 4, 2009, 8:41 AM
> > > > > On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
> > > > > > On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > Last night I got a nasty surprise from selinux. I am using winbind for external authentication and since it has a history of failures I have a simple watchdog implemented to check the status and restart it if necessary. That is what happened last night, and as a law-abiding selinux citizen I used 'service winbind restart', but it seems the proper domain transition is missing and winbind was started in the system_cronjob_t domain instead of winbind_t and none of the other domains could connect to it.
> > > > > > >
> > > > > > > I think jobs running from cron should be granted the same transition rules as from unconfined_t.
> > > > > > >
> > > > > > > I will file a bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
> > > > > > >
> > > > > > > Sincerely yours,
> > > > > > > Vadym Chepkov
> > > > > >
> > > > > > A domain transition would be:
> > > > > >
> > > > > > policy_module(mywinbind, 0.0.1)
> > > > > >
> > > > > > require { type system_cronjob_t, winbind_exec_t, winbind_t; }
> > > > > >
> > > > > > domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
> > > > > >
> > > > > > Can you show us the full raw avc denial?
> > > > >
> > > > > But personally I would deal with this in a different way. I would write policy for the script that restarts winbind and then I would create a domain transition for the domain in which the script runs to winbind_t.
> > > > >
> > > > > Mainly because I wouldn't want to extend/modify system_cronjob_t
> > > > >
> > > > > So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
> > > > >
> > > > > > > --
> > > > > > > fedora-selinux-list mailing list
> > > > > > > fedora-selinux-list(a)redhat.com
> > > > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list