Bug 353571

Summary: /usr/bin/crontab blocked by selinux
Product: [Fedora] Fedora
Reporter: John Poelstra <poelstra>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: 8
CC: matt_domsch, orion, sundaram, wwoods
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-10-31 16:11:26 EDT
Bug Blocks: 235703

Description John Poelstra 2007-10-26 00:31:42 EDT
Description of problem:

crontab -e run as root gives error message "access denied"

Version-Release number of selected component (if applicable):
# rpm -qa | grep selinux
libselinux-python-2.0.37-1.fc8
selinux-policy-3.0.8-32.fc8
libselinux-2.0.37-1.fc8
selinux-policy-targeted-3.0.8-32.fc8
libselinux-2.0.37-1.fc8
How reproducible:
100%

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Summary
    SELinux is preventing unix_update (unconfined_crontab_t) "read" to <Unknown>
    (shadow_t).

Detailed Description
    SELinux denied access requested by unix_update. It is not expected that this
    access is required by unix_update and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:unconfined_crontab_t:s0
Target Context                system_u:object_r:shadow_t:s0
Target Objects                None [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-32.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     yardsale
Platform                      Linux yardsale 2.6.23.1-31.fc8 #1 SMP Tue Oct 23
                              14:54:38 EDT 2007 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 25 Oct 2007 09:19:29 PM PDT
Last Seen                     Thu 25 Oct 2007 09:22:14 PM PDT
Local ID                      42505bd4-88c8-4d80-9e6e-f8470ab98f03
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm=unix_update dev=sda1 name=shadow pid=5474
scontext=system_u:system_r:unconfined_crontab_t:s0 tclass=file
tcontext=system_u:object_r:shadow_t:s0

~~~~~~~~~~~~~~~~~~~~~

Summary
    SELinux is preventing unix_update (unconfined_crontab_t) "getattr" to pipe
    (unconfined_crontab_t).

Detailed Description
    SELinux denied access requested by unix_update. It is not expected that this
    access is required by unix_update and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:unconfined_crontab_t:s0
Target Context                system_u:system_r:unconfined_crontab_t:s0
Target Objects                pipe [ fifo_file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-32.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     yardsale
Platform                      Linux yardsale 2.6.23.1-31.fc8 #1 SMP Tue Oct 23
                              14:54:38 EDT 2007 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 25 Oct 2007 09:19:29 PM PDT
Last Seen                     Thu 25 Oct 2007 09:22:14 PM PDT
Local ID                      0e71cdfa-9a60-4636-b438-30436c1a473e
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm=unix_update dev=pipefs path=pipe:[58444]
pid=5474 scontext=system_u:system_r:unconfined_crontab_t:s0 tclass=fifo_file
tcontext=system_u:system_r:unconfined_crontab_t:s0

~~~~~~~~~~~~~~~~~~~~~~
Summary
    SELinux is preventing /sbin/unix_update (unconfined_crontab_t)
    "execute_no_trans" to /sbin/unix_update (updpwd_exec_t).

Detailed Description
    SELinux denied access requested by /sbin/unix_update. It is not expected
    that this access is required by /sbin/unix_update and this access may signal
    an intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /sbin/unix_update, restorecon -v
    /sbin/unix_update If this does not work, there is currently no automatic way
    to allow this access. Instead,  you can generate a local policy module to
    allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling
    SELinux protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:unconfined_crontab_t:s0
Target Context                system_u:object_r:updpwd_exec_t:s0
Target Objects                /sbin/unix_update [ file ]
Affected RPM Packages         pam-0.99.8.1-10.fc8
                              [application]pam-0.99.8.1-10.fc8 [target]
Policy RPM                    selinux-policy-3.0.8-32.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     yardsale
Platform                      Linux yardsale 2.6.23.1-31.fc8 #1 SMP Tue Oct 23
                              14:54:38 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 25 Oct 2007 09:22:14 PM PDT
Last Seen                     Thu 25 Oct 2007 09:22:14 PM PDT
Local ID                      ba2cf533-6183-48d4-b042-288c791fded7
Line Numbers                  

Raw Audit Messages            

avc: denied { execute_no_trans } for comm=unix_update dev=sda1 egid=0 euid=0
exe=/sbin/unix_update exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=unix_update
path=/sbin/unix_update pid=5474
scontext=system_u:system_r:unconfined_crontab_t:s0 sgid=0
subj=system_u:system_r:unconfined_crontab_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:updpwd_exec_t:s0 tty=pts0 uid=0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Summary
    SELinux is preventing /usr/bin/crontab (unconfined_crontab_t) "write" to
    <Unknown> (unconfined_crontab_t).

Detailed Description
    SELinux denied access requested by /usr/bin/crontab. It is not expected that
    this access is required by /usr/bin/crontab and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:unconfined_crontab_t:s0
Target Context                system_u:system_r:unconfined_crontab_t:s0
Target Objects                None [ netlink_audit_socket ]
Affected RPM Packages         vixie-cron-4.2-3.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-32.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     yardsale
Platform                      Linux yardsale 2.6.23.1-31.fc8 #1 SMP Tue Oct 23
                              14:54:38 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 25 Oct 2007 09:22:14 PM PDT
Last Seen                     Thu 25 Oct 2007 09:22:14 PM PDT
Local ID                      32958f61-bc0e-4fcf-8e3d-7cdb72fa44ff
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm=crontab egid=0 euid=0 exe=/usr/bin/crontab
exit=116 fsgid=0 fsuid=0 gid=0 items=0 pid=5473
scontext=system_u:system_r:unconfined_crontab_t:s0 sgid=0
subj=system_u:system_r:unconfined_crontab_t:s0 suid=0
tclass=netlink_audit_socket tcontext=system_u:system_r:unconfined_crontab_t:s0
tty=pts0 uid=0
Comment 1 Daniel Walsh 2007-10-26 08:48:10 EDT
Fixed in selinux-policy-3.0.8-36.fc8.src.rpm
Comment 2 Rahul Sundaram 2007-10-26 13:50:01 EDT
I haven't been able to reproduce this with the new policy update. John, can you
quickly confirm whether this update fixes the problem for you?
Comment 3 John Poelstra 2007-10-26 15:56:13 EDT
please point me to a download location for the updated RPM
Comment 4 Rahul Sundaram 2007-10-26 16:07:19 EDT
Koji to the rescue

http://koji.fedoraproject.org/koji/buildinfo?buildID=22493
Comment 5 John Poelstra 2007-10-27 12:39:11 EDT
still broken

doesn't get flagged or alerted by setroubleshoot either.

# strace crontab -e
execve("/usr/bin/crontab", ["crontab", "-e"], [/* 26 vars */]) = -1 EACCES (Permission denied)
dup(2)                                  = 3
fcntl(3, F_GETFL)                       = 0x8002 (flags O_RDWR|O_LARGEFILE)
fstat(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaac8000
lseek(3, 0, SEEK_CUR)                   = -1 ESPIPE (Illegal seek)
write(3, "strace: exec: Permission denied\n", 32strace: exec: Permission denied
) = 32
close(3)                                = 0
munmap(0x2aaaaaac8000, 4096)            = 0
exit_group(1)                           = ?
Comment 6 Matt Domsch 2007-10-27 22:11:03 EDT
confirmed 3.0.8-36 fails for me too.
Comment 7 Jeremy Katz 2007-10-28 16:04:25 EDT
Looking in my audit.log, I see the following

type=SELINUX_ERR msg=audit(1193601682.942:777): security_compute_sid:  invalid
context system_u:system_r:unconfined_crontab_t:s0 for
scontext=system_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:crontab_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1193601682.942:777): arch=40000003 syscall=11 success=no
exit=-13 a0=9dba058 a1=9dbaf08 a2=9dc19b0 a3=0 items=0 ppid=17973 pid=24090
auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
tty=pts8 comm="bash" exe="/bin/bash" subj=system_u:system_r:unconfined_t:s0
key=(null)
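As an added example (not part of the bug report, setroubleshoot, or the Fedora policy), a small Python triage script that parses the AVC denials quoted in the description and the SELINUX_ERR record from Comment 7, re-joined onto single lines as constructed input, and separates the ordinary denials from the invalid-context error that actually explains the EACCES seen on execve in Comment 5. The label names are this example's own.

```python
import re

# Constructed input: the AVC records quoted in the description and the SELINUX_ERR
# record from Comment 7, each re-joined onto a single line as audit.log would store it.
SAMPLE_LOG = """\
avc: denied { read } for comm=unix_update dev=sda1 name=shadow pid=5474 scontext=system_u:system_r:unconfined_crontab_t:s0 tclass=file tcontext=system_u:object_r:shadow_t:s0
avc: denied { write } for comm=crontab egid=0 euid=0 exe=/usr/bin/crontab exit=116 pid=5473 scontext=system_u:system_r:unconfined_crontab_t:s0 tclass=netlink_audit_socket tcontext=system_u:system_r:unconfined_crontab_t:s0
type=SELINUX_ERR msg=audit(1193601682.942:777): security_compute_sid:  invalid context system_u:system_r:unconfined_crontab_t:s0 for scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:crontab_exec_t:s0 tclass=process
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
ERR_RE = re.compile(r"security_compute_sid:\s+invalid context\s+(?P<ctx>\S+)\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict for an AVC denial or SELINUX_ERR record, or None for anything else."""
    m = AVC_RE.search(line)
    if m:
        rec = dict(FIELD_RE.findall(m.group("fields")))
        rec["kind"], rec["perms"] = "avc", m.group("perms").split()
        return rec
    m = ERR_RE.search(line)
    if m:
        rec = dict(FIELD_RE.findall(m.group("fields")))
        rec["kind"], rec["invalid"] = "invalid_context", m.group("ctx")
        return rec
    return None


def type_of(ctx):
    return ctx.split(":")[2]  # user:role:type:range -> type


def triage(log_text):
    """Label every parsed record; returns a list of (label, record). Labels are this example's own."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "invalid_context":
            # Transition target is not a valid context under the loaded policy, so execve() fails
            # with EACCES before crontab starts: this is the failure the strace in Comment 5 shows.
            findings.append(("policy:invalid_transition_context", rec))
        elif type_of(rec["tcontext"]) == "shadow_t" and "read" in rec["perms"]:
            # A read of /etc/shadow from a domain that is not a password-management domain.
            findings.append(("sensitive:shadow_read", rec))
        elif type_of(rec["scontext"]) == type_of(rec["tcontext"]):
            findings.append(("self:missing_allow_rule", rec))  # domain acting on its own objects
        else:
            findings.append(("other", rec))
    return findings
```

Running `triage(SAMPLE_LOG)` puts the SELINUX_ERR record in its own bucket, which is the record to read first when a confined program fails with "Permission denied" without any matching AVC denial.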
Comment 8 Nalin Dahyabhai 2007-10-29 16:51:17 EDT
Confirmed this with 3.0.8-38, confirmed fixed in 3.0.8-39.
Comment 9 Jeremy Katz 2007-10-29 17:01:12 EDT
And confirmed with -40 building now
Comment 10 John Poelstra 2007-10-31 12:41:51 EDT
still broken with the same error message... running on x86_64

# rpm -qa | grep selinux
selinux-policy-targeted-3.0.8-42.fc8
libselinux-2.0.37-1.fc8
libselinux-python-2.0.37-1.fc8
libselinux-2.0.37-1.fc8
selinux-policy-3.0.8-42.fc8

Do I need to relabel or change something to correctly test this?
Comment 11 Will Woods 2007-10-31 13:33:32 EDT
WORKSFORME on a fresh install. Maybe you need to do a "fixfiles restore
/var/spool/cron"?
Comment 12 Will Woods 2007-10-31 16:11:26 EDT
Reporter can't test anymore and we can't reproduce the problem. Closing (again).