Bug 185973
| Summary: | Anacron issues blank Emails when SELinux enforcing | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ted Rule <ejtr> | ||||
| Component: | anacron | Assignee: | Marcela Mašláňová <mmaslano> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Brock Organ <borgan> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 5 | CC: | djuran, orion, stanis.trendelenburg, tadej.j | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | anacron-2.3-36.FC4 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2006-09-19 13:40:31 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 126354 [details]
Patch to suitably manipulate anacron's file descriptors.
Thanks for the patch - looks good to me - tested with/without SELinux enforcing. Patch applied in anacron-2.3-36.FC4, released to FC-4 Updates/Testing today. anacron-2.3-36.FC4 has been pushed for FC4, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report. Looks like this patch needs to be added to FC5 and devel (FC6). See bug 205747 |
Description of problem: When SELinux is set to enforcing, the Email which would normally arise from anacron's invocation of /etc/cron.daily has a blank body and subject Version-Release number of selected component (if applicable): anacron-2.3-34 ( FC4 Core ) How reproducible: setenforce 1 Set logrotate to debug mode with "-v" in /etc/cron.daily/logrotate. This merely ensures that at least one Job generates some output. Leave machine depowered overnight, Repower machine after 4am. Actual results: Empty Email from the cron.daily Job launched by anacron. No obvious errors from SELinux. Expected results: logrotate output from the cron.daily Job. Additional info: After some investigation with SELinux enableaudit, it transpired that this extra line in SELinux policy would re-enable the Email: allow system_mail_t { system_crond_tmp_t }:file { append }; Even more investigation showed that anacron was not being careful enough in how it passed the file-descriptor containing the Job output to sendmail. anacron-2.3-34 opens a file-descriptor read/write on a temporary file to accumulate stdout/stderr for passing to sendmail. Once the FD is open, the tempfile is unlinked. Once the Job is finished, the descriptor is "turned around" and used as stdin to a child sendmail process. The problem appears to be that SELinux then forbids sendmail to have an open inherited file-descriptor with write-permission on stdin. As a patch for this problem, I've recoded runjob.c in anacron such that the temporary file is opened twice ( once WRITE_ONLY , and once READ_ONLY ), with the appropriate FD's passed to different places, and various FD's closed or re-opened to /dev/null where appropriate. This tested again against the normal SELinux strict policy ( selinux-policy-strict-1.27.1-2.22 ) without the file:append policy modification shown above.