Bug 2173255
| Summary: | Calling 'chronyc sources' from a cron script gives unusual selinux context errors | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | John Dodson <jwadodson> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | ||
| Version: | 37 | CC: | dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-37.20-1.fc37 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-05-10 01:40:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Thank you John for the report, this needs to be fixed asap. FEDORA-2023-13093d1386 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-13093d1386 FEDORA-2023-13093d1386 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-13093d1386` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-13093d1386 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2023-13093d1386 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report. Sadly I now get a new selinux problem with the new policy where sendmail is initiated by
cron job completions... (one step forward 2 back?)
Source Context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects net [ dir ]
Source sendmail
Source Path sendmail
type=AVC msg=audit(11/05/23 04:51:03.183:4430) : avc: denied { search } for pid=2148974 comm=sendmail name=net dev="proc" ino=17407 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
|
Description of problem: Calling 'chronyc sources' from a cron script gives unusual selinux context errors Version-Release number of selected component (if applicable): selinux-policy.noarch 37.19-1.fc37 selinux-policy-targeted.noarch 37.19-1.fc37 chrony.x86_64 4.3-1.fc37 cronie.x86_64 1.6.1-3.fc37 cronie-anacron.x86_64 1.6.1-3.fc37 crontabs.noarch 1.11-28.20190603git.fc37 How reproducible: Always Steps to Reproduce: 1. run chronyc sources within a cron script gives... type=AVC msg=audit(25/02/23 03:47:56.609:1976) : avc: denied { sendto } for pid=936 comm=chronyd path=/run/chrony/chronyc.486558.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(25/02/23 03:47:57.611:1977) : avc: denied { sendto } for pid=936 comm=chronyd path=/run/chrony/chronyc.486558.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(25/02/23 03:47:59.620:1980) : avc: denied { sendto } for pid=936 comm=chronyd path=/run/chrony/chronyc.486558.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 2. A work around is to use sudo to an ornery user, but that gives a pam/sudo & secure-log entry for each event which is less than desirable. 3. Actual results: See selinux errors above. Expected results: No selinux errors or at least not one that says the script is rpm_script_t which it seems everything run by cron is/inherits. At least chronyc/d "reads" should not generate an selinux error. But then I'm not sure that is able to be diferrentiated by the selinux "machine". I bow to greater knowledge... Additional info: