Bug 224328 - anacron fails under FC6/SELinux/strict
anacron fails under FC6/SELinux/strict
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-01-25 05:03 EST by Ted Rule
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 10:12:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ted Rule 2007-01-25 05:03:33 EST
Description of problem:

The default policy under FC6/SELinux/strict, ( 2.4.6-27 ), doesn't allow for the
correct operation of anacron.

This is mainly because anacron itself, unlike crond, doesn't internally
setexeccon from crond_t to system_crond_t
before launching its child Jobs. Under targeted policy, crond_t and
system_crond_t are aliases for each other, and
therefore I presume the problem doesn't arise. Because of this, anacron's child
Jobs are launched in crond_t,
which doesn't have the correct permissions to run most of the standard Jobs in
/etc/cron.daily, in particular logrotate and logwatch.

As a workround therefore, I've re-created the anacron_exec_t type, and created
an additional policy module
for anacron's needs. This basically involves making initrc_t transition to
system_crond_t when launching anacron,
granting system_crond_t some permissions which crond_t already has, and allowing
system_crond_t to run anacron_exec_t itself so
as to update anacron's timestamp files in /var/spool/anacron.

I suspect that the better solution for the overall problem may be to recode
anacron to perform the same setexeccon() call
which crond uses; some additional problems I've found with crond's interaction
with sendmail meant that I found it quicker
to patch the SELinux policy for the present. 


Hence my revised anacron policy is now the following - together with the manual
relabelling of /usr/sbin/anacron itself to anacron_exec_t.
I would suggest that these patches be merged into the existing cron.fc/cron.te


cat /root/selinux.local/localanacron.fc

# anacrond executable will have:
# label: system_u:object_r:anacron_exec_t
# MLS sensitivity: s0
# MCS categories: <none>

# We cant easily override the /usr/sbin/anacron setting in Fedora policy,
# so we create a clone binary and label as anacron_exec_t
/usr/sbin/anacrond              --     
gen_context(system_u:object_r:anacron_exec_t,s0)

# The latest 2.4.6-23 policy already contains this:
#/var/lock/subsys/anacron       --     
gen_context(system_u:object_r:cron_lock_t,s0)

# The latest 2.4.6-23 policy already contains this:
#/var/spool/anacron(/.*)?              
gen_context(system_u:object_r:cron_spool_t,s0)



cat /root/selinux.local/localanacron.fc

policy_module(localanacron,0.1.2)

require {
        type system_crond_t;
        type system_crond_lock_t;
        type cron_spool_t;
        type crond_var_run_t;
}

########################################
#
# Anacron local policy
#

type anacron_exec_t;
corecmd_executable_file(anacron_exec_t)

# anacron transitions directly to system_crond_t,
# rather than crond_t because it doesnt currently
# perform a setexeccon internally
init_daemon_domain(system_crond_t,anacron_exec_t)

# Additional permissions for system_crond_t / anacron under
# strict, when system_crond_t != crond_t
ifdef(`strict_policy',`
        # Allow anacron to update spool files in /var/spool/anacron
        allow system_crond_t cron_spool_t:file create_file_perms;

        # Allow anacron to write to /var/run/anacron.pid
        allow system_crond_t crond_var_run_t:file create_file_perms;
        files_pid_filetrans(system_crond_t,crond_var_run_t,file)

        # Allow anacron to handle creation of files in the
        # /var/lock directory. (anacron)
        allow system_crond_t system_crond_lock_t:file manage_file_perms;
        files_lock_filetrans(system_crond_t,system_crond_lock_t,file)

        # Allow crond to run anacron so as to update /var/spool/anacron
        # timestamp files
        can_exec(system_crond_t, anacron_exec_t)
')




Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Daniel Walsh 2007-07-16 16:23:52 EDT
Should be fixed in the current release.
Comment 2 Daniel Walsh 2007-08-22 10:12:03 EDT
Fixed in current release

Note You need to log in before you can comment on or make changes to this bug.