Bug 185973 - Anacron issues blank Emails when SELinux enforcing
Product: Fedora
Classification: Fedora
Component: anacron
All Linux
medium Severity medium
Assigned To: Marcela Mašláňová
Brock Organ
: Reopened
Reported: 2006-03-20 11:37 EST by Ted Rule
Modified: 2007-11-30 17:11 EST
Fixed In Version: anacron-2.3-36.FC4
Doc Type: Bug Fix
Last Closed: 2006-09-19 09:40:31 EDT

Attachments:
Patch to suitably manipulate anacron's file descriptors. (3.27 KB, patch)
2006-03-20 11:37 EST, Ted Rule

Description Ted Rule 2006-03-20 11:37:20 EST
Description of problem:

When SELinux is set to enforcing, the Email which would normally arise from
anacron's invocation of /etc/cron.daily has a blank body and subject.

Version-Release number of selected component (if applicable):

anacron-2.3-34 ( FC4 Core )

How reproducible:

setenforce 1

Set logrotate to debug mode with "-v" in /etc/cron.daily/logrotate. This merely
ensures that at least one Job generates some output.

Leave machine depowered overnight.

Repower machine after 4am.

Actual results:

Empty Email from the cron.daily Job launched by anacron.
No obvious errors from SELinux.

Expected results:

logrotate output from the cron.daily Job.

Additional info:

After some investigation with SELinux enableaudit, it transpired that this
extra line in SELinux policy would re-enable the Email:

allow system_mail_t { system_crond_tmp_t }:file { append };

Even more investigation showed that anacron was not being careful enough in how
it passed the file-descriptor containing the Job output to sendmail.

anacron-2.3-34 opens a file-descriptor read/write on a temporary file to
accumulate stdout/stderr for passing to sendmail. Once the FD is open, the
tempfile is unlinked. Once the Job is finished, the descriptor is "turned
around" and used as stdin to a child sendmail process.

The problem appears to be that SELinux then forbids sendmail to have an open
inherited file-descriptor with write-permission on stdin.

As a patch for this problem, I've recoded runjob.c in anacron such that the
temporary file is opened twice ( once WRITE_ONLY , and once READ_ONLY ), with
the appropriate FD's passed to different places, and various FD's closed or
re-opened to /dev/null where appropriate.

This was tested again against the normal SELinux strict policy
( selinux-policy-strict-1.27.1-2.22 )
without the file:append policy modification shown above.
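
The descriptor handling described in this report, as an added C example that is not part of the report or of the attached patch: a stand-in child process takes sendmail's place and reports the access mode of the stdin it inherits. The function names, temp-file name and exit codes are assumptions made for the example.

```c
#define _XOPEN_SOURCE 700   /* for mkstemp() under strict -std= modes */
/* Added example, not anacron's runjob.c; the "mailer" child stands in for sendmail. */
#include <fcntl.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>
enum { STDIN_READ_ONLY = 0, STDIN_WRITABLE = 1, STDIN_UNUSABLE = 2 };
/* Runs in the mailer child: check access mode and content of stdin. */
static int inspect_stdin(void)
{
    char buf[64];
    int mode = fcntl(STDIN_FILENO, F_GETFL) & O_ACCMODE;
    if (read(STDIN_FILENO, buf, sizeof buf) <= 0)
        return STDIN_UNUSABLE;                 /* no job output arrived */
    return mode == O_RDONLY ? STDIN_READ_ONLY : STDIN_WRITABLE;
}

/* split=0: one read/write fd rewound and reused (the behaviour described for
 * 2.3-34); split=1: separate write-only and read-only opens of the file. */
int mailer_stdin_check(int split)
{
    char path[] = "/tmp/anacron-demo.XXXXXX";  /* constructed temp name */
    int status = 0, fd_rw = mkstemp(path);     /* mkstemp opens O_RDWR */
    if (fd_rw < 0) return -1;
    int fd_out = split ? open(path, O_WRONLY) : fd_rw;
    int fd_in = split ? open(path, O_RDONLY) : fd_rw;
    unlink(path);                              /* file lives on via open fds */
    if (split) close(fd_rw);
    if (fd_out < 0 || fd_in < 0) return -1;

    pid_t job = fork();
    if (job == 0) {                            /* job: stdout/stderr -> fd_out */
        dup2(fd_out, STDOUT_FILENO);
        dup2(fd_out, STDERR_FILENO);
        _exit(write(STDOUT_FILENO, "job output\n", 11) == 11 ? 0 : 1);
    }
    if (job > 0) waitpid(job, &status, 0);
    if (split) close(fd_out);                  /* writer never reaches mailer */
    else lseek(fd_in, 0, SEEK_SET);            /* "turn around" the shared fd */

    pid_t mailer = fork();
    if (mailer == 0) {                         /* mailer: stdin <- fd_in */
        dup2(fd_in, STDIN_FILENO);
        _exit(inspect_stdin());
    }
    if (mailer > 0) waitpid(mailer, &status, 0);
    close(fd_in);
    return (mailer > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```

With `split` set to 0 the stand-in sees a writable stdin, the condition the report ties to the blank mail under enforcing mode; with `split` set to 1 it sees a read-only stdin carrying the same job output.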
Comment 1 Ted Rule 2006-03-20 11:37:20 EST
Created attachment 126354
Patch to suitably manipulate anacron's file descriptors.
Comment 2 Jason Vas Dias 2006-03-20 14:13:06 EST
Thanks for the patch - looks good to me - tested with/without SELinux enforcing.
Patch applied in anacron-2.3-36.FC4, released to FC-4 Updates/Testing today.
Comment 3 Fedora Update System 2006-03-20 14:35:53 EST
anacron-2.3-36.FC4 has been pushed for FC4, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 4 Orion Poplawski 2006-09-12 13:15:45 EDT
Looks like this patch needs to be added to FC5 and devel (FC6).  See bug 205747
