It would be nice if the interface were smart enough to allow
output from the cron job to be sent, but no one is perfect :)
----
type=AVC msg=audit(1246715821.417:10142): avc: denied { write } for pid=11916 comm="winbind" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
----
type=AVC msg=audit(1246715821.780:10143): avc: denied { write } for pid=11925 comm="winbindd" path="pipe:[591689]" dev=pipefs ino=591689 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
Sincerely yours,
Vadym Chepkov
--- On Sat, 7/4/09, Vadym Chepkov <chepkov(a)yahoo.com> wrote:
> From: Vadym Chepkov <chepkov(a)yahoo.com>
> Subject: Re: Domain transition missing
> To: "Dominick Grift" <domg472(a)gmail.com>
> Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> Date: Saturday, July 4, 2009, 10:00 AM
> This worked well too, thank you
>
> system_u:system_r:winbind_t:SystemLow root 11926     1  0 09:57 ?        00:00:00 winbindd
> system_u:system_r:winbind_t:SystemLow root 11928 11926  0 09:57 ?        00:00:00 winbindd
> system_u:system_r:winbind_t:SystemLow root 11954 11926  0 09:57 ?        00:00:00 winbindd
> system_u:system_r:winbind_t:SystemLow root 11956 11926  0 09:57 ?        00:00:00 winbindd
> system_u:system_r:winbind_t:SystemLow root 11957 11926  0 09:57 ?        00:00:00 winbindd
>
>
> Sincerely yours,
> Vadym Chepkov
>
>
> --- On Sat, 7/4/09, Dominick Grift <domg472(a)gmail.com> wrote:
>
>> From: Dominick Grift <domg472(a)gmail.com>
>> Subject: Re: Domain transition missing
>> To: "Vadym Chepkov" <chepkov(a)yahoo.com>
>> Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
>> Date: Saturday, July 4, 2009, 9:28 AM
>> On Sat, 2009-07-04 at 06:18 -0700, Vadym Chepkov wrote:
>>> That would be unfortunate. My approach is not uncommon. If you look
>>> closely you will see the same technique in vast scripts. spamassassin
>>> restarts itself when it updates anti-spam rules, clamav does that
>>> (antivirus) and on and on. I use Fedora 11, by the way.
>>> For now, instead of creating a new policy I just added
>>> 'runcon -t unconfined_t ' in the cron, and it seemed to do the trick.
>>> Sincerely yours,
>>> Vadym Chepkov
>>>
>> Looking here:
>>
>> http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/ser...
>> line 235 to line 269.
>>
>> That seems like an interface one might use in your situation:
>>
>> cron_system_entry(winbind_t, winbind_exec_t)
>>
>> I admit that using cron with SELinux is not very easy currently
>>
>>> --- On Sat, 7/4/09, Dominick Grift <domg472(a)gmail.com> wrote:
>>>> From: Dominick Grift <domg472(a)gmail.com>
>>>> Subject: Re: Domain transition missing
>>>> To: "Vadym Chepkov" <chepkov(a)yahoo.com>
>>>> Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
>>>> Date: Saturday, July 4, 2009, 8:57 AM
>>>> On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote:
>>>>> I really got used to running my scripts unconfined; how can I
>>>>> accomplish it in this scenario?
>>>>> Sincerely yours,
>>>>> Vadym Chepkov
>>>>>
>>>> If you want the system to run jobs you will need to write some policy or
>>>> extend the system_cronjob_t domain, I think.
>>>>
>>>>
>>>> Were those the only avc denials you got? I would expect more denials.
>>>>
>>>>> --- On Sat, 7/4/09, Dominick Grift <domg472(a)gmail.com> wrote:
>>>>>> From: Dominick Grift <domg472(a)gmail.com>
>>>>>> Subject: Re: Domain transition missing
>>>>>> To: "Vadym Chepkov" <chepkov(a)yahoo.com>
>>>>>> Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
>>>>>> Date: Saturday, July 4, 2009, 8:41 AM
>>>>>> On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
>>>>>>> On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Last night I got a nasty surprise from selinux. I am using winbind
>>>>>>>> for external authentication and since it has a history of failures
>>>>>>>> I have a simple watchdog implemented to check the status and
>>>>>>>> restart it if necessary. That is what happened last night and, as
>>>>>>>> a law-abiding selinux citizen, I used 'service winbind restart',
>>>>>>>> but it seems the proper domain transition is missing and winbind
>>>>>>>> was started in the system_cronjob_t domain instead of winbind_t,
>>>>>>>> and none of the other domains could connect to it.
>>>>>>>> I think jobs running from cron should be granted the same
>>>>>>>> transition rules as from unconfined_t.
>>>>>>>> I will file a bugzilla report about it, but could somebody help me
>>>>>>>> with modifying my local policy until/if it gets implemented,
>>>>>>>> please? Thank you.
>>>>>>>> Sincerely yours,
>>>>>>>> Vadym Chepkov
>>>>>>> A domain transition would be:
>>>>>>> policy_module(mywinbind, 0.0.1)
>>>>>>> require { type system_cronjob_t, winbind_exec_t, winbind_t; }
>>>>>>> domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
>>>>>>> Can you show us the full raw avc denial?
>>>>>>
>>>>>> But personally I would deal with this in a different way. I would
>>>>>> write policy for the script that restarts winbind and then I would
>>>>>> create a domain transition for the domain in which the script runs
>>>>>> to winbind_t.
>>>>>>
>>>>>> Mainly because I wouldn't want to extend/modify system_cronjob_t
>>>>>>
>>>>>> So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t
>>>>>> -> winbind_t
>>>>>>
>>>>>>>> --
>>>>>>>> fedora-selinux-list mailing list
>>>>>>>> fedora-selinux-list(a)redhat.com
>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>>
>>>>
>>
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Miroslav,
I think you should add
dontaudit $1 crond_t:fifo_file rw_fifo_file_perms;
to cron_system_entry to eliminate this leaked file descriptor problem.
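The two denials Vadym posted above, and the dontaudit fix suggested for them, are the usual audit2allow workflow with one twist: a write to crond's own pipe is a descriptor leaked across exec and should be silenced, not granted. The following is an added example, not code from the thread or from the refpolicy project, of a small audit2allow-style generator that makes that distinction. It re-joins the two AVC records from the thread onto one line each; the third record (winbindd reading smb.conf) is constructed for illustration and is not from the thread. The leaked-descriptor heuristic (`is_leaked_fd`), the module name `mywinbind` (borrowed from Dominick's reply) and the hard-coded cron-to-winbind transition are this example's own choices.

```python
"""Turn raw AVC denials into a local SELinux policy module, audit2allow-style,
but classify each denial so that a leaked crond_t pipe gets a dontaudit rule
instead of an allow.  Added example; not code from the thread."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

# Fields we need from one AVC record.  auditd writes a record on a single
# line; the copies in the thread were merely wrapped by the mail client.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
PATH_RE = re.compile(r'path="(?P<path>[^"]*)"')

SAMPLE_AUDIT = [
    # The two denials from the thread, re-joined onto one line each.
    'type=AVC msg=audit(1246715821.417:10142): avc: denied { write } for pid=11916 '
    'comm="winbind" path="pipe:[591689]" dev=pipefs ino=591689 '
    'scontext=system_u:system_r:system_cronjob_t:s0 '
    'tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file',
    'type=AVC msg=audit(1246715821.780:10143): avc: denied { write } for pid=11925 '
    'comm="winbindd" path="pipe:[591689]" dev=pipefs ino=591689 '
    'scontext=system_u:system_r:winbind_t:s0 '
    'tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file',
    # Constructed for illustration (not from the thread): an ordinary file
    # access, which should become an allow rule rather than a dontaudit.
    'type=AVC msg=audit(1246715822.001:10144): avc: denied { read } for pid=11925 '
    'comm="winbindd" name="smb.conf" dev=dm-0 ino=262153 '
    'scontext=system_u:system_r:winbind_t:s0 '
    'tcontext=system_u:object_r:samba_etc_t:s0 tclass=file',
]


@dataclass(frozen=True)
class Denial:
    perms: Tuple[str, ...]
    source: str   # type field of scontext
    target: str   # type field of tcontext
    tclass: str
    path: Optional[str]


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type (always the third field)."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Denial]:
    m = AVC_RE.search(line)
    if m is None:
        return None  # SYSCALL, USER_START, ... records carry no denial
    p = PATH_RE.search(line)
    return Denial(
        perms=tuple(sorted(m.group("perms").split())),
        source=context_type(m.group("scontext")),
        target=context_type(m.group("tcontext")),
        tclass=m.group("tclass"),
        path=p.group("path") if p else None,
    )


def is_leaked_fd(d: Denial) -> bool:
    """Heuristic (this example's own): a write to an anonymous pipe owned by
    another domain is a descriptor inherited across exec, here crond's output
    pipe, not something the child needs.  Silence it instead of granting it."""
    return d.tclass in ("fifo_file", "fd") and (d.path or "").startswith("pipe:")


def rule_for(d: Denial) -> str:
    verb = "dontaudit" if is_leaked_fd(d) else "allow"
    return f"{verb} {d.source} {d.target}:{d.tclass} {{ {' '.join(d.perms)} }};"


def build_module(name: str, version: str, denials: Sequence[Denial],
                 transitions: Iterable[Tuple[str, str, str]] = ()) -> str:
    """transitions are (source domain, entrypoint type, target domain) triples;
    a missing domain transition cannot be read off the denials themselves."""
    rules: List[str] = []
    types = set()
    for d in denials:
        types.update((d.source, d.target))
        r = rule_for(d)
        if r not in rules:
            rules.append(r)
    for src, entry, tgt in transitions:
        types.update((src, entry, tgt))
        rules.append(f"domain_auto_trans({src}, {entry}, {tgt})")
    out = [f"policy_module({name}, {version})", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += ["}", ""] + rules
    return "\n".join(out) + "\n"


def module_from_audit(lines: Iterable[str], name: str = "mywinbind",
                      version: str = "0.0.1") -> str:
    denials = [d for d in map(parse_avc, lines) if d is not None]
    return build_module(name, version, denials,
                        transitions=[("system_cronjob_t", "winbind_exec_t", "winbind_t")])


if __name__ == "__main__":
    # Save as mywinbind.te, then:
    #   make -f /usr/share/selinux/devel/Makefile mywinbind.pp && semodule -i mywinbind.pp
    print(module_from_audit(SAMPLE_AUDIT), end="")
```

The generated module is what you would review before loading it: the two pipe writes come out as dontaudit rules against crond_t, the constructed file read comes out as an allow, and the domain_auto_trans line is the transition from Dominick's first reply. Whether a leaked descriptor should be dontaudited in your own module or, as proposed to Miroslav above, inside cron_system_entry itself is a question of where the fix belongs, not of what the rule says.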