Bug 205747
| Field | Value |
|---|---|
| Summary | Anacron sends empty email instead of job output |
| Product | [Fedora] Fedora |
| Component | anacron |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | 7 |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | i386 |
| OS | Linux |
| Fixed In Version | anacron-2.3-40 |
| Last Closed | 2007-08-03 13:45:06 UTC |
| Reporter | Stanis Trendelenburg <stanis.trendelenburg> |
| Assignee | Marcela Mašláňová <mmaslano> |
| QA Contact | Brock Organ <borgan> |
| CC | djuran, nphilipp, orion, sdsmall, tadej.j |
| Keywords | Regression, Reopened |
| Doc Type | Bug Fix |
| Story Points | --- |
| Type | --- |
| Mount Type | --- |
| Regression | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Stanis Trendelenburg
2006-09-08 11:31:42 UTC
SELinux appears to be the culprit. Running with enableaudit.pp I see:

```
Sep 8 11:28:58 lynx kernel: audit(1157736538.737:392): avc: denied { append } for pid=12261 comm="sendmail" name="file6ubq5i" dev=tmpfs ino=12577 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:system_crond_tmp_t:s0 tclass=file
```

Looks like the handoff of the temp file from anacron to sendmail is breaking.

FYI - anacron sets the tempfile to fd 0, rewinds it, then execs sendmail. But why should sendmail then try to append to the file?

It doesn't seem to actually try to append to the files. However, comparing straces from a good run (enforcing off) vs. bad (much stuff removed; `<` good, `>` bad):

```
364c364
< fstat64(0, {st_mode=S_IFREG|0600, st_size=122, ...}) = 0
---
> fstat64(0, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
910,913c910,914
< munmap(0xb7f5f000, 4096) = 0
< fstat64(0, {st_mode=S_IFREG|0600, st_size=122, ...}) = 0
< read(0, "From: root (Anacron)\nTo: root\nCo"..., 4096) = 122
< statfs(".", {f_type="EXT2_SUPER_MAGIC", f_bsize=1024, f_blocks=505604, f_bfree=404350, f_bavail=378246, f_files=130560, f_ffree=129772, f_fsid={0, 0}, f_namelen=255, f_frsize=1024}) = 0
---
> munmap(0xb7ff3000, 4096) = 0
> fstat64(0, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfd3ac68) = -1 ENOTTY (Inappropriate ioctl for device)
> read(0, "", 4096) = 0
> statfs(".", {f_type="EXT2_SUPER_MAGIC", f_bsize=1024, f_blocks=505604, f_bfree=404346, f_bavail=378242, f_files=130560, f_ffree=129772, f_fsid={0, 0}, f_namelen=255, f_frsize=1024}) = 0
917c918
```

Looks like it's treating stdin as a character device in one and a regular file in the other. In one the read succeeds, in the other it doesn't. No idea why. Runs should be identical except for enforcing being on or off.
Maybe when sendmail is execed and stdin is attached to a file, it would implicitly be given append privilege, so selinux is preventing that and attaching stdin to /dev/null instead? Maybe anacron needs to be modified to hand off the mail file in a different, more secure way?

Clarification: Upon execve, SELinux rechecks access to all open file descriptors that are not close-on-exec based on their current flags. In this case, it appears that the caller is passing a descriptor to the output file that was opened with O_CREAT|O_WRONLY|O_APPEND, so SELinux rechecks append access upon the exec into the new domain for sendmail. Likely can just allow it. Otherwise, the caller has to fabricate another descriptor that has only read access to the file, which could be racy.

If you set permissive mode what other avc's are generated?

This looks the same as bug 185973, which was resolved via a patch to anacron for FC4.

(In reply to comment #5)
> If you set permissive mode what other avc's are generated?

I don't see any others.

Created attachment 136013 [details]
audit messages in permissive mode

Attached the audit.log messages triggered by anacron sending an email when in permissive mode.
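The clarification above explains why the denial appears: on execve, SELinux rechecks every inherited descriptor that is not close-on-exec against the flags it was opened with, so a mail file anacron opened O_CREAT|O_WRONLY|O_APPEND needs append permission in sendmail's domain, and it warns that fabricating a second, read-only descriptor by path could be racy. The program below is an added example written for this page; it is not anacron's code and not the fdclose patch from bug 185973. It writes the message to a temp file, reopens the same inode read-only through /proc/self/fd (no path lookup, so nothing can be swapped underneath it), unlinks the file, and hands that descriptor to a child on stdin. The message text, the /tmp/mailXXXXXX template and the use of /bin/cat as a stand-in for sendmail are constructed for the demo.

```c
/* Added example (not anacron's code, nor the fdclose patch from bug 185973):
 * hand a mail body to a child on stdin through a descriptor that carries ONLY
 * read access, so the execve-time SELinux recheck of inherited descriptors
 * needs no append/write permission in the child's domain. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Access mode (O_RDONLY / O_WRONLY / O_RDWR) of an open descriptor, -1 if not open. */
int fd_access_mode(int fd) {
    int fl = fcntl(fd, F_GETFL);
    return fl < 0 ? -1 : (fl & O_ACCMODE);
}

/* Write msg[0..len) to an unlinked temp file and return a descriptor to the
 * SAME inode opened O_RDONLY (offset 0).  The writable descriptor is closed
 * before returning, so only a read-only one can be inherited across exec.
 * Returns -1 with errno set on failure. */
int make_readonly_mail_fd(const char *msg, size_t len) {
    char path[] = "/tmp/mailXXXXXX";          /* constructed template */
    char procpath[64];
    int rfd;
    int wfd = mkstemp(path);                  /* O_RDWR|O_CREAT|O_EXCL, mode 0600 */
    if (wfd < 0) return -1;

    for (size_t off = 0; off < len; ) {
        ssize_t n = write(wfd, msg + off, len - off);
        if (n < 0) { if (errno == EINTR) continue; goto fail; }
        off += (size_t)n;
    }

    /* Re-open through /proc/self/fd: this resolves to the inode we already hold
     * open, so nobody can replace /tmp/mailXXXXXX underneath us (the race the
     * thread warns about when a read-only descriptor is fabricated by path). */
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", wfd);
    rfd = open(procpath, O_RDONLY);
    if (rfd < 0 && errno == ENOENT)           /* no /proc mounted: racy path fallback */
        rfd = open(path, O_RDONLY);
    if (rfd < 0) goto fail;

    unlink(path);                             /* file is "(deleted)", as in the F7 AVC */
    close(wfd);
    return rfd;
fail:
    { int e = errno; unlink(path); close(wfd); errno = e; return -1; }
}

/* Read up to cap-1 bytes from fd into buf (NUL-terminated). Returns bytes read or -1. */
ssize_t read_all(int fd, char *buf, size_t cap) {
    size_t got = 0;
    while (got < cap - 1) {
        ssize_t n = read(fd, buf + got, cap - 1 - got);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) break;
        got += (size_t)n;
    }
    buf[got] = '\0';
    return (ssize_t)got;
}

/* Rewind mail_fd, make it the child's stdin (fd 0, as anacron does) and exec
 * argv[0].  Returns the child's exit status, or -1 on error. */
int handoff_to_child(int mail_fd, char *const argv[]) {
    int status;
    if (lseek(mail_fd, 0, SEEK_SET) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (dup2(mail_fd, STDIN_FILENO) < 0) _exit(127);
        execv(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check: the descriptor a child would inherit is read-only and yields
 * exactly the bytes written.  Returns 1 on success, 0 otherwise. */
int selftest(void) {
    const char *msg = "From: root (Anacron)\nTo: root\nSubject: job output\n\nhello\n"; /* constructed */
    char buf[256];
    int fd = make_readonly_mail_fd(msg, strlen(msg));
    if (fd < 0) return 0;
    int ok = fd_access_mode(fd) == O_RDONLY
          && read_all(fd, buf, sizeof buf) == (ssize_t)strlen(msg)
          && strcmp(buf, msg) == 0;
    close(fd);
    return ok;
}

int main(void) {
    if (!selftest()) { fprintf(stderr, "selftest failed\n"); return 1; }
    const char *msg = "From: root (Anacron)\nTo: root\n\nbody from the demo\n";
    int fd = make_readonly_mail_fd(msg, strlen(msg));
    if (fd < 0) { perror("make_readonly_mail_fd"); return 1; }
    char *argv[] = { (char *)"/bin/cat", NULL };   /* stand-in for /usr/sbin/sendmail */
    int rc = handoff_to_child(fd, argv);
    close(fd);
    printf("child exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The point of the reopen is that `fcntl(fd, F_GETFL)` on the inherited descriptor reports O_RDONLY, so the only permission the recheck on exec can ask for in the child's domain is read; the original writable descriptor never crosses the exec boundary at all.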
Somehow this patch never got attached to devel, so I am moving to rawhide.

anacron-2.3-40.fc6.src.rpm

I rebuilt the FC5 anacron with the fdclose patch from the FC4 version and that works. Reopened bug 185973 to have it added to FC5 and devel.

fc6 package is in rawhide, fc5 package is built but needs the package owner to submit it for fedora update.

I pushed it for update today.

I just found the problem reappeared on F7, I got an SELinux AVC denial:

```
avc: denied { read } for comm="sendmail" dev=dm-2 egid=51 euid=0 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0 name="fileiU3huO" path=2F746D702F66696C6569553368754F202864656C6574656429 pid=24301 scontext=system_u:system_r:system_mail_t:s0 sgid=51 subj=system_u:system_r:system_mail_t:s0 suid=0 tclass=file tcontext=system_u:object_r:crond_tmp_t:s0 tty=(none) uid=0
```

Along with that, I got an empty email from anacron. NB: Cron itself didn't show that problem.

The patch is in all branches, so I'll try to avoid this bug on my computer. Could you tell me your version of vixie-cron, anacron and crontabs?

Here are the versions of these (and those of sendmail, selinux-policy-targeted):

- vixie-cron-4.1-82.fc7
- anacron-2.3-47.fc7
- crontabs-1.10-14.fc7
- selinux-policy-targeted-2.6.4-26.fc7
- sendmail-8.14.1-2

I tried running it with selinux-policy-targeted-2.6.4-14.fc7 and it's working. Looks like some change in selinux policy.

My actual packages are:

- selinux-policy-targeted-2.6.4-29.fc7
- selinux-policy-2.6.4-29.fc7
- crontabs-1.10-14.fc7
- anacron-2.3-47.fc7
- vixie-cron-4.1-82.fc7
- sendmail-8.14.1-2

Now it's working. Anacron wasn't working with one version of selinux-policy (I think). Could you test it and let me know?

Works for me with these versions.