Description of problem:
When a script run by anacron generates output, instead of the script output, an empty mail (no subject, no body) is sent to root@localhost.

Version-Release number of selected component (if applicable):
anacron-2.3-39.fc5

Steps to Reproduce:
1. Create a script that produces output, e.g. as /tmp/test.sh:
#!/bin/bash
echo test
2. Add the script as a job to /etc/anacrontab:
1 1 test /tmp/test.sh
3. Restart anacron:
# service anacron restart

Actual results:
An empty mail is sent to root@localhost:
Return-Path: <root>
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by localhost.localdomain (8.13.7/8.13.7) with ESMTP id k88AtHbi004449 for <root>; Fri, 8 Sep 2006 12:55:17 +0200
Received: (from root@localhost) by localhost.localdomain (8.13.7/8.13.7/Submit) id k88AtHoG004448 for root; Fri, 8 Sep 2006 12:55:17 +0200
Date: Fri, 8 Sep 2006 12:55:17 +0200
From: Anacron <root>
Message-Id: <200609081055.k88AtHoG004448>

Expected results:
The mail should have a subject line, and the message body should contain the word 'test'.

Additional info:
There are no unusual messages in /var/log/cron:
Sep 8 12:54:17 localhost anacron[4442]: Anacron 2.3 started on 2006-09-08
Sep 8 12:54:17 localhost anacron[4442]: Will run job `test' in 1 min.
Sep 8 12:54:17 localhost anacron[4442]: Jobs will be executed sequentially
Sep 8 12:55:17 localhost anacron[4442]: Job `test' started
Sep 8 12:55:17 localhost anacron[4442]: Job `test' terminated (mailing output)
Sep 8 12:55:17 localhost anacron[4442]: Normal exit (1 jobs run)

I have a shell script in /etc/cron.daily that usually generates output. The problem first occurred on Aug. 30, 2006. Before, everything was working as expected.
/var/log/yum shows 3 updates possibly related to the problem that happened around this time:
Aug 29 11:26:45 Updated: selinux-policy-targeted.noarch 2.3.7-2.fc5
Aug 29 11:26:47 Updated: vixie-cron.i386 4:4.1-56.fc5
Aug 31 11:16:31 Updated: anacron.i386 2.3-39.fc5

The strange thing is, the start of the failing mail messages seems to coincide with the vixie-cron update, not the anacron update:
2006-08-29 11:03 The last time a successful mail was sent by anacron
2006-08-29 11:26 vixie-cron update
2006-08-30 01:09 First empty mail from anacron; from this time on all mails sent by anacron are empty.
2006-08-31 11:16 anacron update

It may also be an SELinux issue introduced with the policy update, but I didn't find any SELinux errors in the logs.
SELinux appears to be the culprit. Running with enableaudit.pp I see:
Sep 8 11:28:58 lynx kernel: audit(1157736538.737:392): avc: denied { append } for pid=12261 comm="sendmail" name="file6ubq5i" dev=tmpfs ino=12577 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:system_crond_tmp_t:s0 tclass=file

Looks like the handoff of the temp file from anacron to sendmail is breaking. FYI - anacron sets the tempfile to fd 0, rewinds it, then execs sendmail.
But why should sendmail then try to append to the file?
It doesn't seem to actually try to append to the files. However, comparing straces from a good run (enforcing off) vs. bad (much stuff removed; < good, > bad):

364c364
< fstat64(0, {st_mode=S_IFREG|0600, st_size=122, ...}) = 0
---
> fstat64(0, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
910,913c910,914
< munmap(0xb7f5f000, 4096) = 0
< fstat64(0, {st_mode=S_IFREG|0600, st_size=122, ...}) = 0
< read(0, "From: root (Anacron)\nTo: root\nCo"..., 4096) = 122
< statfs(".", {f_type="EXT2_SUPER_MAGIC", f_bsize=1024, f_blocks=505604, f_bfree=404350, f_bavail=378246, f_files=130560, f_ffree=129772, f_fsid={0, 0}, f_namelen=255, f_frsize=1024}) = 0
---
> munmap(0xb7ff3000, 4096) = 0
> fstat64(0, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfd3ac68) = -1 ENOTTY (Inappropriate ioctl for device)
> read(0, "", 4096) = 0
> statfs(".", {f_type="EXT2_SUPER_MAGIC", f_bsize=1024, f_blocks=505604, f_bfree=404346, f_bavail=378242, f_files=130560, f_ffree=129772, f_fsid={0, 0}, f_namelen=255, f_frsize=1024}) = 0
917c918

Looks like it's treating stdin as a character device in one and a regular file in the other. In one the read succeeds, in the other it doesn't. No idea why. Runs should be identical except for enforcing being on or off. Maybe when sendmail is execed and stdin is attached to a file, it would implicitly be given append privilege, so SELinux is preventing that and attaching stdin to /dev/null instead? Maybe anacron needs to be modified to hand off the mail file in a different, more secure way?
Clarification: Upon execve, SELinux rechecks access to all open file descriptors that are not close-on-exec based on their current flags. In this case, it appears that the caller is passing a descriptor to the output file that was opened with O_CREAT|O_WRONLY|O_APPEND, so SELinux rechecks append access upon the exec into the new domain for sendmail. Likely can just allow it. Otherwise, the caller has to fabricate another descriptor that has only read access to the file, which could be racy.
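The mechanism comment #6 describes (SELinux rechecking every inherited, non-close-on-exec descriptor against its open flags when the process execs into a new domain) can be seen in a small program. The following is an added example, not anacron's code or the patch referenced later in this bug: it emulates the writer side with an O_APPEND descriptor, then hands the mailer a separate descriptor that carries only O_RDONLY, so the recheck at execve has nothing but read access to evaluate. The reopen through /proc/self/fd/N is an assumed technique (Linux-specific) chosen because it follows the already-open file rather than a name in /tmp that could be swapped, which is the race comment #6 warns about; the by-path fallback is the racy variant and is kept only for systems without /proc. `cat` stands in for /usr/sbin/sendmail in the demo main.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Access mode (O_RDONLY / O_WRONLY / O_RDWR) of an open descriptor, or -1. */
int access_mode(int fd)
{
    int fl = fcntl(fd, F_GETFL);
    return fl < 0 ? -1 : (fl & O_ACCMODE);
}

/*
 * Hypothetical helper: obtain a brand-new read-only descriptor for the file
 * behind `fd`. Opening /proc/self/fd/N resolves through the already-open
 * file, so a replaced name in /tmp cannot redirect it. The path fallback is
 * only for systems without /proc and is exactly the racy variant.
 */
int reopen_readonly(int fd, const char *path_fallback)
{
    char procpath[64];
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    int rfd = open(procpath, O_RDONLY | O_CLOEXEC);
    if (rfd < 0 && path_fallback)
        rfd = open(path_fallback, O_RDONLY | O_CLOEXEC);
    return rfd;
}

/*
 * Emulate the job runner: collect `body` into a temp file through a
 * descriptor with O_APPEND set (the writer side as described in this bug),
 * then return a separate O_RDONLY descriptor at offset 0 that is safe to
 * hand to the mailer. *writer_flags receives the writer's F_GETFL flags so
 * the caller can see what the other descriptor would have carried into exec.
 */
int build_mail_fd(const char *body, int *writer_flags)
{
    char tmpl[] = "/tmp/anacron-demo.XXXXXX";   /* constructed temp name */
    int wfd = mkstemp(tmpl);                    /* O_RDWR|O_CREAT|O_EXCL, 0600 */
    if (wfd < 0)
        return -1;
    fcntl(wfd, F_SETFL, O_APPEND);              /* writer side appends output */
    size_t len = strlen(body);
    if (write(wfd, body, len) != (ssize_t)len) {
        close(wfd);
        unlink(tmpl);
        return -1;
    }
    *writer_flags = fcntl(wfd, F_GETFL);
    int rfd = reopen_readonly(wfd, tmpl);       /* must happen before unlink */
    unlink(tmpl);                               /* name gone; file lives via rfd */
    close(wfd);                                 /* append-capable fd never reaches exec */
    return rfd;
}

/* Read everything from fd into buf (NUL-terminated); returns byte count or -1. */
ssize_t read_all(int fd, char *buf, size_t cap)
{
    size_t got = 0;
    while (got + 1 < cap) {
        ssize_t n = read(fd, buf + got, cap - 1 - got);
        if (n < 0)
            return -1;
        if (n == 0)
            break;
        got += (size_t)n;
    }
    buf[got] = '\0';
    return (ssize_t)got;
}

/* Stand-alone demo: hand the read-only fd to a child as stdin. `cat` stands
 * in for sendmail here; this is not the real anacron code path. */
int main(void)
{
    int wflags = 0;
    int rfd = build_mail_fd("From: root (Anacron)\nTo: root\n\ntest\n", &wflags);
    if (rfd < 0) {
        perror("build_mail_fd");
        return 1;
    }
    printf("writer: accmode=%d append=%d; reader: accmode=%d\n",
           wflags & O_ACCMODE, !!(wflags & O_APPEND), access_mode(rfd));
    if (dup2(rfd, STDIN_FILENO) < 0) {   /* dup2 clears FD_CLOEXEC on fd 0 */
        perror("dup2");
        return 1;
    }
    close(rfd);
    execlp("cat", "cat", (char *)NULL);
    perror("execlp");
    return 1;
}
```

The point to verify after a change like this is the F_GETFL flags of fd 0 at the moment of execve: they should show O_RDONLY with no O_APPEND, which is all the target domain is then asked to be allowed. Whether the policy grants read on crond_tmp_t to system_mail_t is a separate question, which is what the later comments on this bug run into.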
If you set permissive mode what other avc's are generated?
This looks the same as bug 185973, which was resolved via a patch to anacron for FC4.
(In reply to comment #5) > If you set permissive mode what other avc's are generated? I don't see any others.
Created attachment 136013: audit messages in permissive mode. Attached the audit.log messages triggered by anacron sending an email when in permissive mode.
Somehow this patch never got attached to devel, so I am moving to rawhide. anacron-2.3-40.fc6.src.rpm
I rebuilt the FC5 anacron with the fdclose patch from the FC4 version and that works. Reopened bug 185973 to have it added to FC5 and devel.
fc6 package is in rawhide, fc5 package is built but need the package owner to submit for fedora update.
I pushed it for update today.
I just found the problem reappeared on F7. I got an SELinux AVC denial:
avc: denied { read } for comm="sendmail" dev=dm-2 egid=51 euid=0 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0 name="fileiU3huO" path=2F746D702F66696C6569553368754F202864656C6574656429 pid=24301 scontext=system_u:system_r:system_mail_t:s0 sgid=51 subj=system_u:system_r:system_mail_t:s0 suid=0 tclass=file tcontext=system_u:object_r:crond_tmp_t:s0 tty=(none) uid=0

Along with that, I got an empty email from anacron.
NB: Cron itself didn't show that problem.
The patch is in all branches, so I'll try to avoid this bug on my computer. Could you tell me your versions of vixie-cron, anacron and crontabs?
Here are the versions of these (and those of sendmail and selinux-policy-targeted):
vixie-cron-4.1-82.fc7
anacron-2.3-47.fc7
crontabs-1.10-14.fc7
selinux-policy-targeted-2.6.4-26.fc7
sendmail-8.14.1-2
I tried running it with selinux-policy-targeted-2.6.4-14.fc7 and it's working. Looks like some change in the SELinux policy.
My actual packages are:
selinux-policy-targeted-2.6.4-29.fc7
selinux-policy-2.6.4-29.fc7
crontabs-1.10-14.fc7
anacron-2.3-47.fc7
vixie-cron-4.1-82.fc7
sendmail-8.14.1-2

Now it's working. Anacron wasn't working with one version of selinux-policy (I think). Could you test it and let me know?
Works for me with these versions.