Bug 205747

Summary: Anacron sends empty email instead of job output
Product: [Fedora] Fedora
Component: anacron
Reporter: Stanis Trendelenburg <stanis.trendelenburg>
Assignee: Marcela Mašláňová <mmaslano>
Status: CLOSED ERRATA
QA Contact: Brock Organ <borgan>
Severity: medium
Priority: medium
Version: 7
CC: djuran, nphilipp, orion, sdsmall, tadej.j
Keywords: Regression, Reopened
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Fixed In Version: anacron-2.3-40
Doc Type: Bug Fix
Last Closed: 2007-08-03 13:45:06 UTC
Attachments: audit messages in permissive mode (flags: none)

Description Stanis Trendelenburg 2006-09-08 11:31:42 UTC
Description of problem:
When a script run by anacron generates output, instead of the script output, an
empty mail (no subject, no body) is sent to root@localhost.

Version-Release number of selected component (if applicable):
anacron-2.3-39.fc5

Steps to Reproduce:
1. Create a script that produces output, e.g. as /tmp/test.sh:

  #!/bin/bash
  echo test

2. Add the script as a job to /etc/anacrontab:

  1  1  test  /tmp/test.sh

3. Restart anacron
  # service anacron restart
  
Actual results:
An empty mail is sent to root@localhost:

Return-Path: <root>
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by localhost.localdomain (8.13.7/8.13.7) with ESMTP id k88AtHbi004449
	for <root>; Fri, 8 Sep 2006 12:55:17 +0200
Received: (from root@localhost)
	by localhost.localdomain (8.13.7/8.13.7/Submit) id k88AtHoG004448
	for root; Fri, 8 Sep 2006 12:55:17 +0200
Date: Fri, 8 Sep 2006 12:55:17 +0200
From: Anacron <root>
Message-Id: <200609081055.k88AtHoG004448>


Expected results:
The mail should have a subject line, and the message body should contain the
word 'test'.

Additional info:
There are no unusual messages in /var/log/cron:

Sep  8 12:54:17 localhost anacron[4442]: Anacron 2.3 started on 2006-09-08
Sep  8 12:54:17 localhost anacron[4442]: Will run job `test' in 1 min.
Sep  8 12:54:17 localhost anacron[4442]: Jobs will be executed sequentially
Sep  8 12:55:17 localhost anacron[4442]: Job `test' started
Sep  8 12:55:17 localhost anacron[4442]: Job `test' terminated (mailing output)
Sep  8 12:55:17 localhost anacron[4442]: Normal exit (1 jobs run)

I have a shell script in /etc/cron.daily that usually generates output. The
problem first occurred on Aug. 30, 2006. Before, everything was working as
expected. /var/log/yum shows 3 updates possibly related to the problem happened
around this time:

Aug 29 11:26:45 Updated: selinux-policy-targeted.noarch 2.3.7-2.fc5
Aug 29 11:26:47 Updated: vixie-cron.i386 4:4.1-56.fc5
Aug 31 11:16:31 Updated: anacron.i386 2.3-39.fc5

The strange thing is, the start of the failing mail messages seems to coincide
with the vixie-cron update, not the anacron update:

2006-08-29 11:03  The last time a successful mail was sent by anacron
2006-08-29 11:26  vixie-cron update
2006-08-30 01:09  First empty mail from anacron, from this time on all mails
                  sent by anacron are empty.
2006-08-31 11:16  anacron update

It may also be an SELinux issue introduced with the policy update, but I didn't
find any SELinux errors in the logs.

Comment 1 Orion Poplawski 2006-09-08 17:40:48 UTC
SELinux appears to be the culprit.  Running with enableaudit.pp I see:

Sep  8 11:28:58 lynx kernel: audit(1157736538.737:392): avc:  denied  { append }
for  pid=12261 comm="sendmail" name="file6ubq5i" dev=tmpfs ino=12577
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:system_crond_tmp_t:s0 tclass=file

Looks like the handoff of the temp file from anacron to sendmail is breaking.
FYI - anacron sets the tempfile to fd 0, rewinds it, then execs sendmail.

Comment 2 Daniel Walsh 2006-09-08 19:00:35 UTC
But why should sendmail then try to append to the file?



Comment 3 Orion Poplawski 2006-09-08 20:51:36 UTC
It doesn't seem to actually try to append to the files.  However, comparing
straces from a good run (enforcing off) vs. bad:

(much stuff removed)

< good, > bad

364c364
< fstat64(0, {st_mode=S_IFREG|0600, st_size=122, ...}) = 0
---
> fstat64(0, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
910,913c910,914
< munmap(0xb7f5f000, 4096)          = 0
< fstat64(0, {st_mode=S_IFREG|0600, st_size=122, ...}) = 0
< read(0, "From: root (Anacron)\nTo: root\nCo"..., 4096) = 122
< statfs(".", {f_type="EXT2_SUPER_MAGIC", f_bsize=1024, f_blocks=505604, f_bfree=404350, f_bavail=378246, f_files=130560, f_ffree=129772, f_fsid={0, 0}, f_namelen=255, f_frsize=1024}) = 0
---
> munmap(0xb7ff3000, 4096)          = 0
> fstat64(0, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfd3ac68) = -1 ENOTTY (Inappropriate ioctl for device)
> read(0, "", 4096)                 = 0
> statfs(".", {f_type="EXT2_SUPER_MAGIC", f_bsize=1024, f_blocks=505604, f_bfree=404346, f_bavail=378242, f_files=130560, f_ffree=129772, f_fsid={0, 0}, f_namelen=255, f_frsize=1024}) = 0
917c918

Looks like it's treating stdin as a character device in one and a regular file
in the other.  In one the read succeeds, in the other it doesn't.  No idea why.
 Runs should be identical except for enforcing being on or off.  

Maybe when sendmail is execed and stdin is attached to a file, it would
implicitly be given append privilege, so selinux is preventing that and
attaching stdin to /dev/null instead?

Maybe anacron needs to be modified to hand off the mail file in a different, more
secure way?

Comment 4 Stephen Smalley 2006-09-11 15:23:17 UTC
Clarification:  Upon execve, SELinux rechecks access to all open file
descriptors that are not close-on-exec based on their current flags.  In this
case, it appears that the caller is passing a descriptor to the output file that
was opened with O_CREAT|O_WRONLY|O_APPEND, so SELinux rechecks append access
upon the exec into the new domain for sendmail.

Likely can just allow it.  Otherwise, the caller has to fabricate another
descriptor that has only read access to the file, which could be racy.


Comment 5 Daniel Walsh 2006-09-11 15:30:54 UTC
If you set permissive mode what other avc's are generated?

Comment 6 Stephen Smalley 2006-09-11 15:43:00 UTC
This looks the same as bug 185973, which was resolved via a patch to anacron for
FC4.


Comment 7 Orion Poplawski 2006-09-11 15:47:46 UTC
(In reply to comment #5)
> If you set permissive mode what other avc's are generated?

I don't see any others.

Comment 8 Stanis Trendelenburg 2006-09-11 16:31:03 UTC
Created attachment 136013 [details]
audit messages in permissive mode

Attached the audit.log messages triggered by anacron sending an email when in
permissive mode.

Comment 9 Daniel Walsh 2006-09-11 21:06:59 UTC
Somehow this patch never got attached to devel, so I am moving to rawhide.

anacron-2.3-40.fc6.src.rpm

Comment 10 Orion Poplawski 2006-09-12 17:16:54 UTC
I rebuilt the FC5 anacron with the fdclose patch from the FC4 version and that
works.  Reopened bug 185973 to have it added to FC5 and devel.

Comment 11 Daniel Walsh 2006-09-13 13:54:46 UTC
fc6 package is in rawhide, fc5 package is built but needs the package owner to
submit for fedora update.

Comment 12 Marcela Mašláňová 2006-09-19 13:47:53 UTC
I pushed it for update today.

Comment 13 Nils Philippsen 2007-07-20 10:54:38 UTC
I just found the problem reappeared on F7, I got an SELinux AVC denial:

avc: denied { read } for comm="sendmail" dev=dm-2 egid=51 euid=0
exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0
name="fileiU3huO" path=2F746D702F66696C6569553368754F202864656C6574656429
pid=24301 scontext=system_u:system_r:system_mail_t:s0 sgid=51
subj=system_u:system_r:system_mail_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:crond_tmp_t:s0 tty=(none) uid=0

Along with that, I got an empty email from anacron.

Comment 14 Nils Philippsen 2007-07-20 11:01:24 UTC
NB: Cron itself didn't show that problem.

Comment 15 Marcela Mašláňová 2007-07-20 11:37:19 UTC
The patch is in all branches, so I'll try to avoid this bug on my computer.
Could you tell me your version of vixie-cron, anacron and crontabs?

Comment 16 Nils Philippsen 2007-07-20 14:06:24 UTC
Here are the versions of these (and those of sendmail, selinux-policy-targeted):

vixie-cron-4.1-82.fc7
anacron-2.3-47.fc7
crontabs-1.10-14.fc7
selinux-policy-targeted-2.6.4-26.fc7
sendmail-8.14.1-2


Comment 17 Marcela Mašláňová 2007-07-31 13:16:52 UTC
I tried running it with selinux-policy-targeted-2.6.4-14.fc7 and it's working.
Looks like some change in selinux policy.

Comment 18 Marcela Mašláňová 2007-07-31 13:50:53 UTC
My actual packages are:
selinux-policy-targeted-2.6.4-29.fc7
selinux-policy-2.6.4-29.fc7
crontabs-1.10-14.fc7
anacron-2.3-47.fc7
vixie-cron-4.1-82.fc7
sendmail-8.14.1-2
Now it's working. Anacron wasn't working with one version of selinux-policy (I
think). Could you test it and let me know?

Comment 19 Nils Philippsen 2007-08-03 13:45:06 UTC
Works for me with these versions.