Bug 509638 - selinux policy starts winbind in wrong domain when started from cron
Summary: selinux policy starts winbind in wrong domain when started from cron
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-07-04 12:23 UTC by Vadym Chepkov
Modified: 2010-04-27 17:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-27 17:34:55 UTC
Type: ---
Embargoed:



Description Vadym Chepkov 2009-07-04 12:23:22 UTC
selinux-policy-targeted-3.6.12-53.fc11.noarch

When a script running from a cron job restarts the winbind service using
'/sbin/service winbind condrestart', the winbind daemon starts in the system_cronjob_t domain instead of winbind_t.

Comment 1 Vadym Chepkov 2009-07-04 16:25:27 UTC
I added
cron_system_entry(winbind_t, winbind_exec_t)

to the local policy and winbind starts properly, but one problem still exists.

I redirect the output of 'service winbind condrestart' to /dev/null.

This generates AVCs because the MLS levels do not match:

type=SYSCALL msg=audit(1246718701.674:10609): arch=40000003 syscall=11 success=yes exit=0 a0=bfa8df49 a1=bfa8dc94 a2=980d858 a3=bfa8dc84 items=0 ppid=25378 pid=25384 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=790 comm="winbind" exe="/bin/bash" subj=system_u:system_r:system_cronjob_t:s0 key=(null)
type=AVC msg=audit(1246718701.674:10609): avc:  denied  { write } for  pid=25384 comm="winbind" path="pipe:[621476]" dev=pipefs ino=621476 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
----
type=SYSCALL msg=audit(1246718702.026:10610): arch=40000003 syscall=11 success=yes exit=0 a0=8157c10 a1=8157358 a2=81572a8 a3=8157358 items=0 ppid=25391 pid=25392 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=790 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1246718702.026:10610): avc:  denied  { write } for  pid=25392 comm="winbindd" path="pipe:[621476]" dev=pipefs ino=621476 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

Comment 2 Daniel Walsh 2009-07-06 18:16:54 UTC
What was the label on the /etc/init.d/winbind script? This should have worked without the policy change mentioned above.

Cron jobs are supposed to be able to execute initrc scripts and transition to the proper domains.

Comment 3 Vadym Chepkov 2009-07-06 18:59:29 UTC
ls -Z /etc/init.d/winbind 
-rwxr-xr-x. root root system_u:object_r:samba_initrc_exec_t:SystemLow /etc/init.d/winbind

Cron jobs are supposed to, but

cron_system_entry(winbind_t, winbind_exec_t) is not in the standard policy.

Comment 4 Daniel Walsh 2009-07-06 20:10:12 UTC
Cron jobs are supposed to transition to initrc_t, which then will transition to winbind_t:

system_crond_t -> initrc_exec_type -> initrc_t

initrc_t -> winbind_exec_t -> winbind_t


Do you see any

Comment 5 Vadym Chepkov 2009-07-06 20:21:47 UTC
I run in permissive mode because I can't make it work properly at the moment,
and when 'service winbind condrestart' runs from a cron job I can see winbind running in the system_cronjob_t domain, and I get all sorts of denials after that.

Comment 6 Daniel Walsh 2009-07-06 20:46:09 UTC

*** This bug has been marked as a duplicate of bug 509502 ***

Comment 7 Vadym Chepkov 2009-07-06 20:53:34 UTC
I may be missing something, but how are they duplicates? They are not even close.

Comment 8 Daniel Walsh 2009-07-06 21:02:56 UTC
Oops, picked the wrong bugzilla.

Comment 9 Daniel Walsh 2009-07-27 18:16:42 UTC
Vadym is this working for you now?

Comment 10 Vadym Chepkov 2009-07-28 03:31:06 UTC
Only after I added cron_system_entry(winbind_t, winbind_exec_t) to my local policy.
This declaration is missing in selinux-policy-targeted.

Comment 11 Daniel Walsh 2009-07-28 14:07:13 UTC
Vadym, that should not be required if cron is starting winbind via an initscript. If it is starting the executable directly, then it is necessary.

Comment 12 Vadym Chepkov 2009-07-28 14:28:03 UTC
Doesn't look that way.

Here is the crontab entry:
26 * * * * root /etc/init.d/winbind condrestart>/dev/null

Without cron_system_entry in the policy:

Jul 28 10:26:02 pegasus CROND[30771]: (root) CMD (/etc/init.d/winbind condrestart>/dev/null)

# ps -efZ|grep winbind
system_u:system_r:system_cronjob_t:SystemLow root 30781 1  0 10:26 ?   00:00:00 winbindd
system_u:system_r:system_cronjob_t:SystemLow root 30783 30781  0 10:26 ? 00:00:00 winbindd


When the entry is in the policy, all is fine.

Comment 13 Daniel Walsh 2009-07-28 15:58:58 UTC
I tried this before and it worked for me.

My crontab looks like:

26 * * * * /etc/init.d/winbind condrestart>/dev/null

In F11, and it works.

Using selinux-policy-3.6.12-62.fc11:

# ls -lZ /etc/init.d/winbind 
-rwxr-xr-x. root root system_u:object_r:samba_initrc_exec_t:s0 /etc/init.d/winbind

Not sure what the "root" entry on your machine was.

Miroslav, can you try this on your machine and make sure that winbind is still running as winbind_t after the cron job runs.

Comment 14 Vadym Chepkov 2009-07-28 16:43:07 UTC
[root@pegasus ~]# semanage user -l|grep root
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r

Comment 15 Daniel Walsh 2009-07-28 17:21:46 UTC
Vadym, sorry that was not what I meant.

You stated that the crontab on your machine was:

26 * * * * root /etc/init.d/winbind condrestart>/dev/null

            ^^  is illegal on my machine. Is this a typo?

Comment 16 Vadym Chepkov 2009-07-28 17:28:49 UTC
This is an entry from /etc/cron.d/.
You have to specify the user id there.

Comment 17 Daniel Walsh 2009-07-28 18:57:46 UTC
Ahhh, something different.

Let me try that out.

Comment 18 Daniel Walsh 2009-07-28 19:00:23 UTC
Still works for me.

Do you have another machine you could try this on?

Comment 19 Vadym Chepkov 2009-07-28 20:21:51 UTC
Sure. On this server SELinux is enforcing:

[root@hut ~]# service winbind start
Starting Winbind services:                                 [  OK  ]

[root@hut ~]# ps -efZ|grep winbind
unconfined_u:system_r:winbind_t:s0 root  13402     1  0 16:14 ?        00:00:00 winbindd
unconfined_u:system_r:winbind_t:s0 root  13404 13402  0 16:14 ?        00:00:00 winbindd

[root@hut ~]# cat /etc/cron.d/test 
20 * * * * root /etc/init.d/winbind condrestart >/dev/null

[root@hut ~]# service crond reload
Reloading crond:                                           [  OK  ]

[root@hut ~]# tail /var/log/cron
Jul 28 16:20:01 hut CROND[13562]: (root) CMD (/etc/init.d/winbind condrestart >/dev/null)

[root@hut ~]# ps -efZ|grep winbind
system_u:system_r:system_cronjob_t:s0 root 13577   1  0 16:20 ?        00:00:00 winbindd
system_u:system_r:system_cronjob_t:s0 root 13579 13577  0 16:20 ?      00:00:00 winbindd

[root@hut ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.6.12-62.fc11.noarch

Same.
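Comment 12 and Comment 19 both diagnose the problem the same way: read the label column of `ps -efZ` and see which domain winbindd landed in. The POSIX shell script below is an added example, not part of the bug report, that automates that check. It parses `ps -efZ` lines from stdin and flags any process of a given command name whose type is not the expected domain; the sample lines are constructed from the output quoted above (PIDs and the crond line are illustrative).

```shell
#!/bin/sh
# Added example, not part of the bug report: verify the SELinux domain of
# running processes the way Comment 12 and Comment 19 do by eye with ps -efZ.

# check_domain EXPECTED_TYPE COMM
# Reads `ps -efZ` output on stdin. Every line whose command (CMD column) is
# COMM must carry EXPECTED_TYPE as the type field of its security context.
# Prints each offending line; returns 1 if any were found, 0 otherwise.
check_domain() {
    expected=$1
    comm=$2
    bad=0
    while IFS= read -r line; do
        # ps -efZ columns: LABEL UID PID PPID C STIME TTY TIME CMD
        # set -f keeps the '?' in the TTY column from being glob-expanded
        set -f; set -- $line; set +f
        [ "$9" = "$comm" ] || continue
        # LABEL is user:role:type:level; the third field is the domain type
        dom=$(printf '%s\n' "$1" | cut -d: -f3)
        if [ "$dom" != "$expected" ]; then
            printf 'wrong domain: %s\n' "$line"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample input, modelled on the ps output quoted in Comment 19.
# After a manual `service winbind start` both daemons run as winbind_t:
PS_AFTER_SERVICE='unconfined_u:system_r:winbind_t:s0 root 13402 1 0 16:14 ? 00:00:00 winbindd
unconfined_u:system_r:winbind_t:s0 root 13404 13402 0 16:14 ? 00:00:00 winbindd
unconfined_u:system_r:crond_t:s0-s0:c0.c1023 root 1301 1 0 16:00 ? 00:00:00 crond'

# After the cron-driven condrestart they run in system_cronjob_t (the bug):
PS_AFTER_CRON='system_u:system_r:system_cronjob_t:s0 root 13577 1 0 16:20 ? 00:00:00 winbindd
system_u:system_r:system_cronjob_t:s0 root 13579 13577 0 16:20 ? 00:00:00 winbindd
unconfined_u:system_r:crond_t:s0-s0:c0.c1023 root 1301 1 0 16:00 ? 00:00:00 crond'

# Wrappers so each scenario can be checked by name.
check_after_service() { printf '%s\n' "$PS_AFTER_SERVICE" | check_domain winbind_t winbindd; }
check_after_cron()    { printf '%s\n' "$PS_AFTER_CRON"    | check_domain winbind_t winbindd; }

# Live check on a real host (uncomment to use):
# ps -efZ | check_domain winbind_t winbindd && echo "winbindd runs as winbind_t"
```

On a live host, `ps -efZ | check_domain winbind_t winbindd` after the cron job has fired gives a yes/no answer instead of a visual scan; run against `check_after_cron` the sample above reports both winbindd lines. The check only looks at the type field, so a level mismatch like the s0 versus s0-s0:c0.c1023 AVCs in Comment 1 is a separate question. To confirm the transition chain Comment 4 describes actually exists in the loaded policy, `sesearch -T -s system_cronjob_t -t samba_initrc_exec_t -c process` (setools) lists the type_transition rule, or nothing if it is missing.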

Comment 20 Daniel Walsh 2009-07-29 14:10:04 UTC
Well I have been able to recreate this on one machine, here.  But I still do not know why.

system_cronjob_t should be able to transition to initrc_t when executing samba_initrc_exec_t.

What does

ps -eZ | grep crond

say?

Comment 21 Daniel Walsh 2009-07-29 15:38:43 UTC
Found it.

Miroslav, can you change
init_spec_domtrans_script(system_cronjob_t)
to
init_domtrans_script(system_cronjob_t)

Comment 22 Miroslav Grepl 2009-07-31 09:09:47 UTC
Fixed in selinux-policy-3.6.12-71.fc11.

Comment 23 Bug Zapper 2010-04-27 15:28:59 UTC
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

