433607 – SELinux doesn't allow uux to be run from cron

Bug 433607 - SELinux doesn't allow uux to be run from cron

Summary: SELinux doesn't allow uux to be run from cron

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	8
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Radek Vokál
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-02-20 10:31 UTC by Nils Philippsen
Modified:	2008-11-17 22:03 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-11-17 22:03:07 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Nils Philippsen 2008-02-20 10:31:54 UTC

With the update to selinux-policy-3.0.8-84.fc8, I get AVC denials for uux which
is run by uucico which I run from a cronjob:

--- 8< ---
Summary
    SELinux is preventing /usr/bin/uux (uux_t) "read write" to anon_inode
    (anon_inodefs_t).

Detailed Description
    SELinux denied access requested by /usr/bin/uux. It is not expected that
    this access is required by /usr/bin/uux and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for anon_inode, restorecon -v
    anon_inode If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:uux_t:s0
Target Context                system_u:object_r:anon_inodefs_t:s0
Target Objects                anon_inode [ file ]
Affected RPM Packages         uucp-1.07-16.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-84.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     wombat
Platform                      Linux wombat 2.6.23.15-137.fc8 #1 SMP Sun Feb 10
                              17:03:13 EST 2008 x86_64 x86_64
Alert Count                   120
First Seen                    Tue 22 Jan 2008 09:19:20 AM CET
Last Seen                     Wed 20 Feb 2008 11:17:45 AM CET
Local ID                      c1b9dd66-db33-4b2a-8949-a9b8d4cb22ed
Line Numbers                  

Raw Audit Messages            

avc: denied { read write } for comm=uux dev=anon_inodefs egid=14 euid=10
exe=/usr/bin/uux exit=0 fsgid=14 fsuid=10 gid=14 items=0
path=anon_inode:[eventpoll] pid=8519 scontext=system_u:system_r:uux_t:s0 sgid=14
subj=system_u:system_r:uux_t:s0 suid=10 tclass=file
tcontext=system_u:object_r:anon_inodefs_t:s0 tty=(none) uid=10
--- >8 ---

Comment 1 Josef Kubin 2008-02-20 13:25:45 UTC

I'll fix it.

Comment 4 Daniel Walsh 2008-02-26 22:48:57 UTC

You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-89.fc8

Comment 5 Tony Fu 2008-10-06 01:27:29 UTC

User jkubin's account has been closed

Comment 6 Daniel Walsh 2008-11-17 22:03:07 UTC

Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.