Bug 1627075 - Create a SELinux boolean to disable cron-logrotate transition
Summary: Create a SELinux boolean to disable cron-logrotate transition
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.5
Hardware: Unspecified
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-09-10 11:50 UTC by Benjamin Lefoul
Modified: 2023-10-06 17:54 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1672199
Environment:
Last Closed: 2019-03-14 12:50:50 UTC
Target Upstream Version:
Embargoed:


Attachments:


Links:
Github fedora-selinux selinux-policy-contrib pull 87 (closed) - Red Hat Bug 1627075 - Create a SELinux boolean to disable cron-logrotate transition; last updated 2020-07-01 12:46:35 UTC

Description Benjamin Lefoul 2018-09-10 11:50:00 UTC
I think some additional boolean tuning for logrotate would be very welcome in the policy.

I am experiencing SELinux denials because of the relationship between cron and logrotate. In my case, crond_t transitions to system_cronjob_t by executing the following bin_t file:

~] ll -Z /etc/cron.daily/logrotate 
-rwx------. root root system_u:object_r:bin_t:s0       /etc/cron.daily/logrotate

See:
   allow system_cronjob_t bin_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ; 
   allow crond_t system_cronjob_t : process transition ; 
   allow crond_t bin_t : file { ioctl read getattr lock execute execute_no_trans open } ; 

However, /etc/cron.daily/logrotate does explicitly call "/usr/sbin/logrotate /etc/logrotate.conf", the only logrotate_exec_t file on my system, by the way:

~] find / -context "*logrotate_exec_t*"
/usr/sbin/logrotate

Both crond_t and system_cronjob_t can execute that:
   allow system_cronjob_t logrotate_exec_t : file { read getattr execute open } ; 
   allow crond_t logrotate_exec_t : file { read getattr execute open } ; 

...to transition into logrotate_t:
   allow logrotate_t logrotate_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ; 
   allow system_cronjob_t logrotate_t : process transition ; 
   allow crond_t logrotate_t : process transition ; 

/etc/logrotate.conf in turn includes config found in /etc/logrotate.d, among which a file with a "postrotate" instruction calling another script in my system, which in turn had to execute something with "execstack" (I know, that's bad, but I have no control over this).

Ah, but that is one thing logrotate_t cannot do, while system_cronjob_t (and crond_t) can. Look:

~] sesearch -s crond_t -AC | grep execstack
ET allow crond_t crond_t : process execstack ; [ selinuxuser_execstack ]
~] sesearch -s system_cronjob_t -AC | grep execstack
ET allow system_cronjob_t system_cronjob_t : process execstack ; [ selinuxuser_execstack ]
~] sesearch -s logrotate_t -AC | grep execstack
~]


So a solution for me was to edit /etc/cron.daily/logrotate and use runcon by replacing:
"/usr/sbin/logrotate /etc/logrotate.conf" with:
"runcon -t system_cronjob_t /usr/sbin/logrotate /etc/logrotate.conf"

Obviously I don't like having to use runcon in an executable in my centralized config management tool.

It would have been nice to have a boolean such as cron_logrotate_transition_disabled to prevent system_cronjob_t and crond_t from transitioning to logrotate_t (execute_no_trans?). Combined with the selinuxuser_execstack boolean, that would provide enough flexibility to solve most SELinux problems between cron and logrotate.

For the record, we already have cron_userdomain_transition:

~] sesearch -b cron_userdomain_transition -p transition -AC
Found 6 semantic av rules:
ET allow crond_t sysadm_t : process transition ; [ cron_userdomain_transition ]
ET allow crond_t unconfined_t : process transition ; [ cron_userdomain_transition ]
DF allow crond_t unconfined_cronjob_t : process transition ; [ cron_userdomain_transition ]
ET allow crond_t openshift_domain : process transition ; [ cron_userdomain_transition ]
ET allow crond_t staff_t : process transition ; [ cron_userdomain_transition ]
ET allow crond_t user_t : process transition ; [ cron_userdomain_transition ]


But that is not quite what I want.

A cron_logrotate_transition_disabled boolean would be welcome.
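The transition chain and execstack check worked through in the description can be reproduced mechanically from sesearch output. The script below is an added example; it is not part of the bug report, of the selinux-policy project, or of setools. It parses allow rules in the format that `sesearch -AC` prints (the rule lines in SAMPLE_RULES are copied from the report, including the DF line for cron_userdomain_transition, which shows how a boolean-gated rule that is currently switched off looks), derives which domain a process enters when it executes a file of a given type (execute on the file, entrypoint for the new domain, process transition between the two), and then asks whether the final domain may execstack. The names parse_rules, check, transition_targets, can_execstack and cron_logrotate_report are mine, not setools APIs.

```python
"""Trace SELinux domain transitions from sesearch-style allow rules.

Added example, not from the bug report or the selinux-policy project.
The rule lines below are copied from the report (sesearch -AC output),
so the script reproduces the reasoning in the description offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Rule lines in the format printed by `sesearch -AC`. Conditional rules carry
# a two-letter prefix (E/D: branch enabled/disabled in the loaded policy,
# T/F: true/false branch) and the governing boolean in brackets.
SAMPLE_RULES = """\
allow system_cronjob_t bin_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;
allow crond_t system_cronjob_t : process transition ;
allow crond_t bin_t : file { ioctl read getattr lock execute execute_no_trans open } ;
allow system_cronjob_t logrotate_exec_t : file { read getattr execute open } ;
allow crond_t logrotate_exec_t : file { read getattr execute open } ;
allow logrotate_t logrotate_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;
allow system_cronjob_t logrotate_t : process transition ;
allow crond_t logrotate_t : process transition ;
ET allow crond_t crond_t : process execstack ; [ selinuxuser_execstack ]
ET allow system_cronjob_t system_cronjob_t : process execstack ; [ selinuxuser_execstack ]
DF allow crond_t unconfined_cronjob_t : process transition ; [ cron_userdomain_transition ]
"""

RULE_RE = re.compile(
    r"^(?:(?P<state>[ED][TF])\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;(?:\s*\[\s*(?P<bool>\S+)\s*\])?\s*$"
)


@dataclass(frozen=True)
class Rule:
    src: str
    tgt: str
    cls: str
    perms: frozenset
    boolean: Optional[str]  # boolean gating the rule, None if unconditional
    enabled: bool           # False when sesearch marks the branch as D (disabled)


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Found "):
            continue  # skip blanks and the "Found N semantic av rules:" header
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised sesearch line: {line!r}")
        perms = m.group("perms").split() if m.group("perms") is not None else [m.group("perm")]
        state = m.group("state")
        rules.append(Rule(m.group("src"), m.group("tgt"), m.group("cls"), frozenset(perms),
                          m.group("bool"), enabled=state is None or state[0] == "E"))
    return rules


def check(rules: List[Rule], src: str, tgt: str, cls: str, perm: str) -> Tuple[bool, Optional[str]]:
    """Is `perm` granted right now? Returns (granted, boolean); the boolean is the
    one gating the matching rule, so (False, "some_bool") means the access exists
    in the policy but is currently switched off."""
    gate = None
    for r in rules:
        if (r.src, r.tgt, r.cls) == (src, tgt, cls) and perm in r.perms:
            if r.enabled:
                return True, r.boolean
            gate = r.boolean
    return False, gate


def transition_targets(rules: List[Rule], src: str, exec_type: str) -> List[str]:
    """Domains `src` can enter by executing a file labelled `exec_type`.
    A domain transition needs three grants: src may execute the file, the new
    domain has the file type as an entrypoint, and src may transition to it."""
    if not check(rules, src, exec_type, "file", "execute")[0]:
        return []
    domains = {r.src for r in rules} | {r.tgt for r in rules}
    return sorted(
        d for d in domains
        if check(rules, d, exec_type, "file", "entrypoint")[0]
        and check(rules, src, d, "process", "transition")[0]
    )


def can_execstack(rules: List[Rule], domain: str) -> Tuple[bool, Optional[str]]:
    return check(rules, domain, domain, "process", "execstack")


def cron_logrotate_report(rules: List[Rule]) -> Dict[Tuple[str, str], Tuple[bool, Optional[str]]]:
    """The chain from the report: crond_t runs /etc/cron.daily/logrotate (bin_t),
    the resulting domain runs /usr/sbin/logrotate (logrotate_exec_t); for each
    starting domain record the final domain and whether it may execstack."""
    report = {}
    for start in ("crond_t",) + tuple(transition_targets(rules, "crond_t", "bin_t")):
        for final in transition_targets(rules, start, "logrotate_exec_t"):
            report[(start, final)] = can_execstack(rules, final)
    return report


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for (start, final), (ok, boolean) in cron_logrotate_report(rules).items():
        gate = f" (boolean {boolean})" if boolean else ""
        print(f"{start} -> {final}: execstack {'allowed' if ok else 'denied'}{gate}")
    print("crond_t -> unconfined_cronjob_t:",
          check(rules, "crond_t", "unconfined_cronjob_t", "process", "transition"))
```

Run against the embedded rules, the report shows both crond_t and system_cronjob_t ending up in logrotate_t, and logrotate_t has no execstack rule at all, gated or not, which is exactly the gap the reporter hits; the unconfined_cronjob_t query returns (False, "cron_userdomain_transition"), the shape a transition controlled by the requested cron_logrotate_transition_disabled boolean would take. On a live system the same functions can be fed the output of `sesearch -AC` for the domains of interest instead of SAMPLE_RULES.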

Comment 2 Benjamin Lefoul 2018-10-12 12:12:21 UTC
Is anyone looking at this? Should I post a ticket on the Red Hat customer portal as well?

Comment 3 Benjamin Lefoul 2019-01-17 07:54:29 UTC
A while back, I reported this to IBM as "dsmc command requires dubious SELinux permissions such as execstack" and to Red Hat as a link to this BZ ticket.
Both teams are welcome to discuss here.

Comment 4 Benjamin Lefoul 2019-01-17 07:56:24 UTC
(In reply to Benjamin Lefoul from comment #0)

> /etc/logrotate.conf in turn includes config found in /etc/logrotate.d, among
> which a file with a "postrotate" instruction calling another script in my
> system, which in turn had to execute something with "execstack" (I know,
> that's bad, but I have no control over this).


Clarification: the "something" in question was IBM's dsmc.

Comment 5 Benjamin Lefoul 2019-02-12 09:52:23 UTC
See pull request here please: https://github.com/fedora-selinux/selinux-policy-contrib/pull/87

Comment 6 Zdenek Pytela 2019-03-14 12:50:50 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

