Bug 1627075

Summary: Create a SELinux boolean to disable cron-logrotate transition
Product: Red Hat Enterprise Linux 7
Reporter: Benjamin Lefoul <lef>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX
QA Contact: Milos Malik <mmalik>
Severity: low
Docs Contact:
Priority: low
Version: 7.5
CC: fedoraproject, fkrska, lvrabec, mgrepl, mmalik, plautrba, ssekidde, vmojzis, zpytela
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1672199
Environment:
Last Closed: 2019-03-14 12:50:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Benjamin Lefoul 2018-09-10 11:50:00 UTC
I think some additional boolean tuning for logrotate would be very welcome in the policy.

I am experiencing SELinux denials because of the relationship between cron and logrotate. In my case, crond_t transitions to system_cronjob_t by executing the following bin_t file:

~] ll -Z /etc/cron.daily/logrotate 
-rwx------. root root system_u:object_r:bin_t:s0       /etc/cron.daily/logrotate

See:
   allow system_cronjob_t bin_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ; 
   allow crond_t system_cronjob_t : process transition ; 
   allow crond_t bin_t : file { ioctl read getattr lock execute execute_no_trans open } ; 

However, /etc/cron.daily/logrotate does explicitly call "/usr/sbin/logrotate /etc/logrotate.conf", the only logrotate_exec_t file on my system, by the way:

~] find / -context "*logrotate_exec_t*"
/usr/sbin/logrotate

Both crond_t and system_cronjob_t can execute that:
   allow system_cronjob_t logrotate_exec_t : file { read getattr execute open } ; 
   allow crond_t logrotate_exec_t : file { read getattr execute open } ; 

...to transition into logrotate_t:
   allow logrotate_t logrotate_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ; 
   allow system_cronjob_t logrotate_t : process transition ; 
   allow crond_t logrotate_t : process transition ; 

/etc/logrotate.conf in turn includes config found in /etc/logrotate.d, among which a file with a "postrotate" instruction calling another script in my system, which in turn had to execute something with "execstack" (I know, that's bad, but I have no control over this).

Ah, but that is one thing logrotate_t cannot do, whereas system_cronjob_t (and crond_t) can. Look:

~] sesearch -s crond_t -AC | grep execstack
ET allow crond_t crond_t : process execstack ; [ selinuxuser_execstack ]
~] sesearch -s system_cronjob_t -AC | grep execstack
ET allow system_cronjob_t system_cronjob_t : process execstack ; [ selinuxuser_execstack ]
~] sesearch -s logrotate_t -AC | grep execstack
~]


So a solution for me was to edit /etc/cron.daily/logrotate and use runcon by replacing:
"/usr/sbin/logrotate /etc/logrotate.conf" with:
"runcon -t system_cronjob_t /usr/sbin/logrotate /etc/logrotate.conf"

Obviously I don't like having to use runcon in an executable in my centralized config management tool.

It would have been nice to have a boolean such as cron_logrotate_transition_disabled to prevent system_cronjob_t and crond_t from transitioning to logrotate_t (execute_no_trans?). Combined with the selinuxuser_execstack boolean, that would provide enough flexibility to solve most SELinux problems between cron and logrotate.

For the record, we already have cron_userdomain_transition:

~] sesearch -b cron_userdomain_transition -p transition -AC
Found 6 semantic av rules:
ET allow crond_t sysadm_t : process transition ; [ cron_userdomain_transition ]
ET allow crond_t unconfined_t : process transition ; [ cron_userdomain_transition ]
DF allow crond_t unconfined_cronjob_t : process transition ; [ cron_userdomain_transition ]
ET allow crond_t openshift_domain : process transition ; [ cron_userdomain_transition ]
ET allow crond_t staff_t : process transition ; [ cron_userdomain_transition ]
ET allow crond_t user_t : process transition ; [ cron_userdomain_transition ]


But that is not quite what I want.

A cron_logrotate_transition_disabled boolean would be welcome.
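
The checks in the report above (which domains may use process execstack, which transitions exist, and which boolean gates each rule) are worked through here as an added example; this is editor-supplied code, not part of the bug report or the selinux-policy project. It parses the setools 3 `sesearch -AC` output format the report shows, where the two-letter prefix means: first letter E/D, the rule is currently Enabled/Disabled given the boolean's value; second letter T/F, the rule sits in the True/False branch of that boolean. Unconditional rules carry no prefix and no trailing `[ boolean ]`. The rule set embedded below is constructed from the lines quoted in the report, so it runs offline; on a RHEL 7 host the same functions can be fed real output with `sesearch -AC | execstack_status crond_t`.

```shell
#!/bin/sh
# Added example (not code from the bug report): interpret setools-3 `sesearch -AC`
# output to answer "is PERM on CLASS allowed from SRC to TGT, and which boolean
# gates it?".  Prefix meaning in that output (setools 3, as shipped on RHEL 7):
#   first letter  E / D  -> rule currently Enabled / Disabled given boolean values
#   second letter T / F  -> rule sits in the True / False branch of the boolean
# Unconditional rules have no prefix and no trailing "[ boolean ]".

# Constructed sample in the report's format (a stand-in for a real `sesearch -AC` run).
SAMPLE_RULES='ET allow crond_t crond_t : process execstack ; [ selinuxuser_execstack ]
ET allow system_cronjob_t system_cronjob_t : process execstack ; [ selinuxuser_execstack ]
DF allow crond_t unconfined_cronjob_t : process transition ; [ cron_userdomain_transition ]
allow crond_t system_cronjob_t : process transition ;
allow crond_t logrotate_t : process transition ;
allow system_cronjob_t logrotate_t : process transition ;
allow logrotate_t logrotate_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;'

# perm_status SRC TGT CLASS PERM   (rules on stdin)  -> prints one of:
#   allowed                      unconditional rule
#   allowed-by-boolean:<bool>    conditional rule, currently enabled
#   disabled-by-boolean:<bool>   conditional rule, currently disabled
#   denied                       no rule grants that permission at all
perm_status() {
  awk -v S="$1" -v T="$2" -v C="$3" -v P="$4" '
    $1 == "allow" || $2 == "allow" {
      if ($1 == "allow") { flag = ""; i = 1 } else { flag = $1; i = 2 }
      src = $(i + 1); tgt = $(i + 2); cls = $(i + 4)      # $(i+3) is the ":" separator
      perms = " "
      for (j = i + 5; j <= NF && $j != ";"; j++)        # one perm, or "{ a b c }"
        if ($j != "{" && $j != "}") perms = perms $j " "
      bool = ""
      for (k = j; k <= NF; k++)                         # trailing "[ boolean ]", if any
        if ($k == "[") bool = $(k + 1)
      if (src == S && tgt == T && cls == C && index(perms, " " P " ") > 0) {
        if (flag == "")                        print "allowed"
        else if (substr(flag, 1, 1) == "E")    print "allowed-by-boolean:" bool
        else                                   print "disabled-by-boolean:" bool
        found = 1
        exit
      }
    }
    END { if (!found) print "denied" }'
}

# The two questions the report asks, as wrappers around perm_status.
execstack_status()  { perm_status "$1" "$1" process execstack; }
transition_status() { perm_status "$1" "$2" process transition; }

# Walk the cron -> logrotate chain on the constructed sample.
for d in crond_t system_cronjob_t logrotate_t; do
  printf '%-17s execstack: %s\n' "$d" \
    "$(printf '%s\n' "$SAMPLE_RULES" | execstack_status "$d")"
done
# -> crond_t           execstack: allowed-by-boolean:selinuxuser_execstack
# -> system_cronjob_t  execstack: allowed-by-boolean:selinuxuser_execstack
# -> logrotate_t       execstack: denied
for pair in "crond_t system_cronjob_t" "system_cronjob_t logrotate_t" "crond_t unconfined_cronjob_t"; do
  set -- $pair
  printf '%-17s -> %-21s %s\n' "$1" "$2" \
    "$(printf '%s\n' "$SAMPLE_RULES" | transition_status "$1" "$2")"
done
# -> crond_t           -> system_cronjob_t      allowed
# -> system_cronjob_t  -> logrotate_t           allowed
# -> crond_t           -> unconfined_cronjob_t  disabled-by-boolean:cron_userdomain_transition
```

The output for logrotate_t ("denied", with no boolean named) is the situation the report describes: there is no rule, conditional or not, that could be switched on, so no existing boolean helps and the reporter fell back to running logrotate in system_cronjob_t via runcon. The parser assumes the setools 3 layout quoted in the report; setools 4 (RHEL 8) prints conditional rules in a different layout, so feed it only output of the form shown here.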

Comment 2 Benjamin Lefoul 2018-10-12 12:12:21 UTC
Is anyone looking at this? Should I post a ticket on the Red Hat customer portal as well?

Comment 3 Benjamin Lefoul 2019-01-17 07:54:29 UTC
A while back, I reported this at IBM as "dsmc command requires dubious SELinux permissions such as execstack" and at Red Hat as a link to this BZ ticket.
Both teams are welcome to discuss here.

Comment 4 Benjamin Lefoul 2019-01-17 07:56:24 UTC
(In reply to Benjamin Lefoul from comment #0)

> /etc/logrotate.conf in turn includes config found in /etc/logrotate.d, among
> which a file with a "postrotate" instruction calling another script in my
> system, which in turn had to execute something with "execstack" (I know,
> that's bad, but I have no control over this).


Clarification: the "something" in question was IBM's dsmc.

Comment 5 Benjamin Lefoul 2019-02-12 09:52:23 UTC
See pull request here please: https://github.com/fedora-selinux/selinux-policy-contrib/pull/87

Comment 6 Zdenek Pytela 2019-03-14 12:50:50 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.