Bug 517170
Summary: | fcron does not work with SELinux (targeted) in enforcing or permissive mode | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Tim Landscheidt <tim> | ||||
Component: | fcron | Assignee: | Miroslav Grepl <mgrepl> | ||||
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | high | Docs Contact: | |||||
Priority: | low | ||||||
Version: | 16 | CC: | dwalsh, kasal, mcepl, mcepl, mgrepl, pertusus, sochotni | ||||
Target Milestone: | --- | Keywords: | Reopened, SELinux | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2013-02-14 02:42:41 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Tim Landscheidt
2009-08-12 19:58:14 UTC
Could you please run "restorecon -R -v /var/spool" and paste the output here? Beside the terse log quote, more information is needed. Could you please reproduce the bug and then issue the command ausearch -m AVC | grep fcron and attach the output here? Thank you. Also are you seeing avc messages in /var/log/audit/audit.log? Okay, to be more detailed :-): 1. I installed as root fcron-3.0.4-6.fc11.i586 again (with selinux-policy-targeted-3.6.12-82.fc11.noarch "enforcing"). 2. I started it as root by "service fcron start". 3. I created as user a file "fc" in my home directory with the content "@ 5 touch /var/tmp/beenhere". 4. I ran as user "fcrontab fc" that outputted: | 12:58:48 installing file /home/tim/fc for user tim | Modifications will be taken into account at 12h59. 5. "/var/log/cron" contains the lines: | Sep 16 12:54:02 passepartout fcron[3500]: fcron[3500] 3.0.4 started | Sep 16 12:54:02 passepartout fcron[3500]: updating configuration from /var/spool/fcron | Sep 16 12:54:02 passepartout fcron[3500]: removing file tim | Sep 16 12:54:02 passepartout fcron[3500]: adding file tim | Sep 16 12:54:02 passepartout fcron[3500]: Could not read tim (may have just been removed): No such file or directory | Sep 16 12:58:48 passepartout fcrontab[3572]: installing file /home/tim/fc for user tim | Sep 16 12:58:50 passepartout fcron[3500]: updating configuration from /var/spool/fcron | Sep 16 12:58:50 passepartout fcron[3500]: adding new file tim | Sep 16 12:58:50 passepartout fcron[3500]: ENTRYPOINT FAILED for user "tim" (CONTEXT user_u:user_r:postfix_postdrop_t:s0) for file CONTEXT unconfined_u:object_r:cron_spool_t:s0 6. "ausearch -m AVC | grep fcron" (as root) gives no output. 7. I ran as root "restorecon -R -v /var/spool" with no output. 8. I reran as user "fcrontab fc" that outputted: | 13:03:24 installing file /home/tim/fc for user tim | Modifications will be taken into account at 13h04. 9. "/var/log/cron" gets appended by: | Sep 16 13:03:24 passepartout fcrontab[3619]: installing file /home/tim/fc for user tim | Sep 16 13:03:50 passepartout fcron[3500]: updating configuration from /var/spool/fcron | Sep 16 13:03:50 passepartout fcron[3500]: adding new file tim | Sep 16 13:03:50 passepartout fcron[3500]: ENTRYPOINT FAILED for user "tim" (CONTEXT user_u:user_r:postfix_postdrop_t:s0) for file CONTEXT unconfined_u:object_r:cron_spool_t:s0 10. "ausearch -m AVC | grep fcron" (as root) gives no output again. 11. (No file /var/tmp/beenhere gets created :-).) During this test, I did not see any messages in /var/log/audit/audit.log that relate to fcron (or avc for that matter). Your file contexts seem to be all screwed up. Do you have seedit installed? rpm -q seedit If so remove it. You have users running as user_u and unconfined_u is this intentional, or do you not understand what I am asking? a) I have no seedit installed. b) I do not unterstand what you are asking :-). c) Despite b), it is not intentional as I do not remember at any time after the installation of F11 to have consciously tweaked policies or whatever in this regard (the only change I remember was to allow Apache to send mail and connect to the database). Could you give me the output from the following commands semanage user -l semanage login -l semodule -l | grep unconfined Sure: | [root@passepartout ~]# export LANG=en_US.UTF-8 | [root@passepartout ~]# semanage user -l | Labeling MLS/ MLS/ | SELinux User Prefix MCS Level MCS Range SELinux Roles | guest_u user s0 s0 guest_r | root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r | staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r | sysadm_u user s0 s0-s0:c0.c1023 sysadm_r | system_u user s0 s0-s0:c0.c1023 system_r | unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r | user_u user s0 s0 user_r | xguest_u user s0 s0 xguest_r | [root@passepartout ~]# semanage login -l | Login Name SELinux User MLS/MCS Range | __default__ unconfined_u s0-s0:c0.c1023 | root unconfined_u s0-s0:c0.c1023 | system_u system_u s0-s0:c0.c1023 | [root@passepartout ~]# semodule -l | grep unconfined | unconfined 3.0.1 | unconfineduser 1.0.0 | [root@passepartout ~]# Miroslav can you take a look at this to see if you can recreate it. This message is a reminder that Fedora 11 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 11. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '11'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 11's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 11 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed. On a fresh install of Fedora 16, the bug is still around. The log output of installing a new user fcrontab has slightly changed, though: | Apr 10 12:53:04 passepartout fcrontab[6041]: installing file /home/tim/src/etc/fcrontab for user tim | Apr 10 12:53:50 passepartout fcron[5464]: updating configuration from /var/spool/fcron | Apr 10 12:53:50 passepartout fcron[5464]: adding new file tim | Apr 10 12:53:50 passepartout fcron[5464]: NO CONTEXT for user "(null)": Invalid argument | Apr 10 12:53:50 passepartout fcron[5464]: ENTRYPOINT FAILED for user "tim" (CONTEXT (null)) for file CONTEXT unconfined_u:object_r:cron_spool_t:s0 | Apr 10 12:56:31 passepartout fcrontab[6107]: listing tim's fcrontab (The "NO CONTEXT" line is new.) From a look at fcron.c: | if(get_default_context(user_name, NULL, &cf->cf_user_context)) | error_e("NO CONTEXT for user \"%s\"", cf->cf_user_context); it seems to me that at least the cf->cf_user_context in the error_e() call should be user_name instead. And shouldn't get_default_context() not be passed the SELinux username? user_name looks - in the non-root case - to be the Linux username. Created attachment 576630 [details]
Initial patch.
This patch works for me (and nothing more), but should be reviewed by someone with SELinux skills. One thing I noticed was that the man pages for get_default_context() and fgetfilecon() require that the contexts are freed with freecon() after use. The current release has not a single call to freecon() so that there should be a (very small) memory leak.
If you change labeling for fcrontab from cron_spool_t to user_cron_spool, does it work then? Thanks for the patch, will look at it. Just to clarify: What fcrontab (input file, /var/spool/fcron/$USER or /var/spool/fcron/$USER.orig) do you mean and how and when should I change it (chcon, etc. after installation of new fcrontab, before daemon start, etc.)? I would prefer something I could feed to "semanage fcontext -a" :-). BTW, I just see that with my patch, /var/spool/fcron reads: | [root@passepartout ~]# ll /var/spool/fcron | insgesamt 8 | -rw-------. 1 root root 1134 11. Apr 12:26 tim | -rw-r-----. 1 fcron fcron 879 10. Apr 23:38 tim.orig | [root@passepartout ~]# I don't know if the different ownerships were originally intended or are a byproduct of my patch. I apologize. What does $ ls -Z /var/spool/fcron/$USER Basically try to run $ chcon -R -t user_cron_spool_t /var/spool/fcron Okay, here's what I did: 1. "$ fcrontab -r" to remove existing fcrontab. 2. "Downgraded" to fcron-3.0.6-2.fc16.i686.rpm shipped with Fedora. 3. "# service fcron restart" to make sure that Fedora's daemon is used. 4. "# ls -aZ /var/spool/fcron": | [root@passepartout ~]# ls -aZ /var/spool/fcron | drwxrwx---. fcron fcron system_u:object_r:cron_spool_t:s0 . | drwxr-xr-x. root root system_u:object_r:var_spool_t:s0 .. 5. "# chcon -R -t user_cron_spool_t /var/spool/fcron". 6. "# ls -aZ /var/spool/fcron": | [root@passepartout ~]# ls -aZ /var/spool/fcron | drwxrwx---. fcron fcron system_u:object_r:user_cron_spool_t:s0 . | drwxr-xr-x. root root system_u:object_r:var_spool_t:s0 .. 7. "$ fcrontab fcrontab" to install fcrontab. 8. /var/log/cron: | Apr 12 18:41:10 passepartout fcrontab[16459]: installing file /home/tim/src/etc/fcrontab for user tim 9. "# ls -aZ /var/spool/fcron": | [root@passepartout ~]# ls -aZ /var/spool/fcron | drwxrwx---. fcron fcron system_u:object_r:user_cron_spool_t:s0 . | drwxr-xr-x. root root system_u:object_r:var_spool_t:s0 .. | -rw-r-----. fcron fcron unconfined_u:object_r:user_cron_spool_t:s0 fcrontab.sig | -rw-------. tim fcron unconfined_u:object_r:user_cron_spool_t:s0 new.tim | -rw-r-----. fcron fcron unconfined_u:object_r:user_cron_spool_t:s0 tim.orig 10. Then the daemon reads the file (/var/log/cron): | Apr 12 18:41:50 passepartout fcron[16433]: updating configuration from /var/spool/fcron | Apr 12 18:41:50 passepartout fcron[16433]: adding new file tim | Apr 12 18:41:50 passepartout fcron[16433]: NO CONTEXT for user "(null)": Invalid argument | Apr 12 18:41:50 passepartout fcron[16433]: ENTRYPOINT FAILED for user "tim" (CONTEXT (null)) for file CONTEXT unconfined_u:object_r:user_cron_spool_t:s0 11. And "# ls -aZ /var/spool/fcron": | [root@passepartout ~]# ls -aZ /var/spool/fcron | drwxrwx---. fcron fcron system_u:object_r:user_cron_spool_t:s0 . | drwxr-xr-x. root root system_u:object_r:var_spool_t:s0 .. | -rw-------. tim fcron unconfined_u:object_r:user_cron_spool_t:s0 new.tim | -rw-r-----. fcron fcron unconfined_u:object_r:user_cron_spool_t:s0 tim.orig ok, I see it now. Ok, you are right, there is an issue with fcron+SELinux. Your solution will work. But we should use a solution which we have for cronie. Sure, that's fine with me. BTW, maybe the scarcely documented "fcron_crond" boolean (whose setting doesn't affect the error here) could be obsoleted in the process if there was a separate fcron "policy module" (I'm not sure if this is the correct SELinux terminology). ATM I don't see a reason why cronie and fcron must share contexts. Could someone please outline the solution for cronie so that interested developers can have a stab at bringing fcron up to par? Basically just checkout cronie fedora git repo. This is on my TODO list. I had done this already and not gotten any wiser on what was needed :-). Before you invest too much energy though: I basically want to enable fcron in Fedora for user-level hourly/daily/weekly jobs (cf. also bug 517753). Looking at cronie's code, it shouldn't be too hard to port the more common of fcron's features to it. So your work on fcron's SELinux compliance will certainly be appreciated, but as I seem to be the only fcron/SELinux user in Fedoraland :-), you shouldn't spend too much effort on this. Re-assigning to Miroslav Grepl, as the issue is on his TODO list. He told me he'll provide the patches once he has some spare time.. For the record this happens in current F18 beta as well. Or maybe it's just caused by me updating from older Fedoras. Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed. |