cron vs. anacron
I'm still investigating a problem I reported to the list a while ago on
CentOS 5.6: certain jobs run through cron work perfectly, but when run through anacron (for example, cron.daily on a freshly installed system) generate errors. Both anacron and crond are running in the same context: # ps -ZC anacron -C crond LABEL PID TTY TIME CMD system_u:system_r:crond_t:SystemLow-SystemHigh 2779 ? 00:00:00 crond system_u:system_r:crond_t:SystemLow-SystemHigh 2792 ? 00:00:00 anacron I added a "ps -eZ" command to a logwatch report to test this, and found something interesting: under anacron, the only process which had its SELinux context listed was the ps command itself. Can someone explain why the logwatch process run by crond transitions to unconfined_t, while the same process run by anacron remains in logwatch_t:s0-s0:c0.c1023? Run by cron: LABEL PID TTY TIME CMD system_u:system_r:init_t 1 ? 00:00:02 init system_u:system_r:kernel_t 2 ? 00:00:00 migration/0 system_u:system_r:kernel_t 3 ? 00:00:00 ksoftirqd/0 system_u:system_r:kernel_t 4 ? 00:00:00 events/0 system_u:system_r:kernel_t 5 ? 00:00:00 khelper system_u:system_r:kernel_t 6 ? 00:00:00 kthread system_u:system_r:kernel_t 9 ? 00:00:00 kblockd/0 ... user_u:system_r:unconfined_t 3559 ? 00:00:00 run-parts user_u:system_r:unconfined_t 3564 ? 00:00:00 0logwatch user_u:system_r:unconfined_t 3565 ? 00:00:00 awk user_u:system_r:unconfined_t 3605 ? 00:00:00 perl user_u:system_r:sendmail_t 3611 ? 00:00:00 sendmail user_u:system_r:unconfined_t 3616 ? 00:00:00 sh user_u:system_r:unconfined_t 3617 ? 00:00:00 ps Run by anacron: LABEL PID TTY TIME CMD - 1 ? 00:00:02 init - 2 ? 00:00:00 migration/0 - 3 ? 00:00:00 ksoftirqd/0 - 4 ? 00:00:00 events/0 - 5 ? 00:00:00 khelper - 6 ? 00:00:00 kthread - 9 ? 00:00:00 kblockd/0 ... - 4069 ? 00:00:00 run-parts - 4072 ? 00:00:00 0logwatch - 4073 ? 00:00:00 awk - 4105 ? 00:00:00 perl - 4107 ? 00:00:00 sendmail - 4116 ? 00:00:00 sh system_u:system_r:logwatch_t:s0-s0:c0.c1023 4117 ? 00:00:00 ps AVC entries at the time of the anacron jobs are time->Mon Feb 13 12:27:37 2012 type=SYSCALL msg=audit(1329136057.506:52): arch=40000003 syscall=3 success=yes exit=177 a0=6 a1=2be900 a2=3ff a3=2be8a0 items=0 ppid=4108 pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1329136057.506:52): avc: denied { sys_ptrace } for pid=4109 comm="ps" capability=19 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=capability time->Mon Feb 13 12:27:37 2012 type=SYSCALL msg=audit(1329136057.512:53): arch=40000003 syscall=3 success=no exit=-13 a0=6 a1=8d7ee20 a2=fff a3=fff items=0 ppid=4108 pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1329136057.512:53): avc: denied { getattr } for pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=process time->Mon Feb 13 12:27:37 2012 type=SYSCALL msg=audit(1329136057.524:104): arch=40000003 syscall=3 success=yes exit=168 a0=6 a1=2be900 a2=3ff a3=2be8a0 items=0 ppid=4108 pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1329136057.524:104): avc: denied { ptrace } for pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process time->Mon Feb 13 12:27:37 2012 type=SYSCALL msg=audit(1329136057.524:105): arch=40000003 syscall=3 success=no exit=-13 a0=6 a1=8d7ee20 a2=fff a3=fff items=0 ppid=4108 pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1329136057.524:105): avc: denied { getattr } for pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process time->Mon Feb 13 12:27:37 2012 type=SYSCALL msg=audit(1329136057.688:254): arch=40000003 syscall=5 success=no exit=-13 a0=99ead34 a1=18800 a2=8058b0c a3=110 items=0 ppid=4108 pid=4114 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="du" exe="/usr/bin/du" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1329136057.688:254): avc: denied { read } for pid=4114 comm="du" name="pm" dev=dm-0 ino=491689 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_log_t:s0 tclass=dir Moray. "To err is human; to purr, feline." -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
cron vs. anacron
> From: Moray Henderson [mailto:Moray.Henderson@ict-software.org]
> Sent: 13 February 2012 13:05 > > Can someone explain why the logwatch process run by crond transitions > to unconfined_t, while the same process run by anacron remains in > logwatch_t:s0-s0:c0.c1023? Does this answer my own question? [root@centos services]# ldd /usr/sbin/crond linux-gate.so.1 => (0x00550000) libselinux.so.1 => /lib/libselinux.so.1 (0x00671000) libpam.so.0 => /lib/libpam.so.0 (0x001c8000) libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x00803000) libaudit.so.0 => /lib/libaudit.so.0 (0x00a2e000) libc.so.6 => /lib/libc.so.6 (0x0031c000) libdl.so.2 => /lib/libdl.so.2 (0x00110000) libsepol.so.1 => /lib/libsepol.so.1 (0x00bb0000) /lib/ld-linux.so.2 (0x00eef000) [root@centos services]# ldd /usr/sbin/anacron linux-gate.so.1 => (0x005d3000) libc.so.6 => /lib/libc.so.6 (0x0014d000) /lib/ld-linux.so.2 (0x00129000) Am I right that crond can do type transitions because it was written with libselinux.so in mind, while anacron can't because it wasn't? Although somehow my ps process did manage to get to logwatch_t. Am I right that that was a bug? Looks like it's been fixed in CentOS 6. Unfortunately I'm stuck on 5 for this project. I'll have to come up with a workaround. Moray. "To err is human; to purr, feline." -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
cron vs. anacron
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 On 02/13/2012 10:29 AM, Moray Henderson wrote: >> From: Moray Henderson [mailto:Moray.Henderson@ict-software.org] >> Sent: 13 February 2012 13:05 >> >> Can someone explain why the logwatch process run by crond >> transitions to unconfined_t, while the same process run by >> anacron remains in logwatch_t:s0-s0:c0.c1023? > > Does this answer my own question? > > [root@centos services]# ldd /usr/sbin/crond linux-gate.so.1 => > (0x00550000) libselinux.so.1 => /lib/libselinux.so.1 (0x00671000) > libpam.so.0 => /lib/libpam.so.0 (0x001c8000) libpam_misc.so.0 => > /lib/libpam_misc.so.0 (0x00803000) libaudit.so.0 => > /lib/libaudit.so.0 (0x00a2e000) libc.so.6 => /lib/libc.so.6 > (0x0031c000) libdl.so.2 => /lib/libdl.so.2 (0x00110000) > libsepol.so.1 => /lib/libsepol.so.1 (0x00bb0000) /lib/ld-linux.so.2 > (0x00eef000) [root@centos services]# ldd /usr/sbin/anacron > linux-gate.so.1 => (0x005d3000) libc.so.6 => /lib/libc.so.6 > (0x0014d000) /lib/ld-linux.so.2 (0x00129000) > > Am I right that crond can do type transitions because it was > written with libselinux.so in mind, while anacron can't because it > wasn't? Although somehow my ps process did manage to get to > logwatch_t. > > Am I right that that was a bug? Looks like it's been fixed in > CentOS 6. Unfortunately I'm stuck on 5 for this project. I'll have > to come up with a workaround. > > > > Moray. "To err is human; to purr, feline." > > > > > -- selinux mailing list selinux@lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/selinux There is two ways to do transitions. One can be written in policy. Processes running as a_t executing files labeles as b_exec_t will transition to c_t. Or applications can have SELinux awareness built into then, as cron does. Cron is just using SELinux awareness for user jobs, I believe. When a user creates a cron job, the cronjob gets labeled with the level and user type of the user that created the job, then when cron runs the job it looks up the label and asks the kernel: If I have a file labeled X, which context should I run it as. The kernel responds with Y and cron will attempt to run the job as Y. Since anacron does not have SELinux awareness in it, it can not do the second object and only the first. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk85O3IACgkQrlYvE4MpobMKXwCcC81+cyYzkX UKp5T3o2a29eoP fIsAnAyqINZFQYrhyWHIbSIGAVN+FGkC =Ppc6 -----END PGP SIGNATURE----- -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
cron vs. anacron
> From: Daniel J Walsh [mailto:dwalsh@redhat.com]
> Sent: 13 February 2012 16:34 > > On 02/13/2012 10:29 AM, Moray Henderson wrote: > >> From: Moray Henderson [mailto:Moray.Henderson@ict-software.org] > >> Sent: 13 February 2012 13:05 > >> > >> Can someone explain why the logwatch process run by crond > >> transitions to unconfined_t, while the same process run by > >> anacron remains in logwatch_t:s0-s0:c0.c1023? > > > > Does this answer my own question? > > > > [root@centos services]# ldd /usr/sbin/crond linux-gate.so.1 => > > (0x00550000) libselinux.so.1 => /lib/libselinux.so.1 (0x00671000) > > libpam.so.0 => /lib/libpam.so.0 (0x001c8000) libpam_misc.so.0 => > > /lib/libpam_misc.so.0 (0x00803000) libaudit.so.0 => > > /lib/libaudit.so.0 (0x00a2e000) libc.so.6 => /lib/libc.so.6 > > (0x0031c000) libdl.so.2 => /lib/libdl.so.2 (0x00110000) > > libsepol.so.1 => /lib/libsepol.so.1 (0x00bb0000) /lib/ld-linux.so.2 > > (0x00eef000) [root@centos services]# ldd /usr/sbin/anacron > > linux-gate.so.1 => (0x005d3000) libc.so.6 => /lib/libc.so.6 > > (0x0014d000) /lib/ld-linux.so.2 (0x00129000) > > > > Am I right that crond can do type transitions because it was > > written with libselinux.so in mind, while anacron can't because it > > wasn't? Although somehow my ps process did manage to get to > > logwatch_t. > > > > Am I right that that was a bug? Looks like it's been fixed in > > CentOS 6. Unfortunately I'm stuck on 5 for this project. I'll have > > to come up with a workaround. > > > > > > > > Moray. "To err is human; to purr, feline." > > > > > > > > > > -- selinux mailing list selinux@lists.fedoraproject.org > > https://admin.fedoraproject.org/mailman/listinfo/selinux > > > There is two ways to do transitions. One can be written in policy. > > Processes running as a_t executing files labeles as b_exec_t will > transition to c_t. > > Or applications can have SELinux awareness built into then, as cron > does. Cron is just using SELinux awareness for user jobs, I believe. > > When a user creates a cron job, the cronjob gets labeled with the > level and user type of the user that created the job, then when cron > runs the job it looks up the label and asks the kernel: > > If I have a file labeled X, which context should I run it as. The > kernel responds with Y and cron will attempt to run the job as Y. > > Since anacron does not have SELinux awareness in it, it can not do the > second object and only the first. I see - so because /etc/crontab says that /etc/cron.daily jobs should be run as root, cron gives the jobs root's normal context. On plain CentOS in targeted mode, that's unconfined_t. Anacron just launches the logwatch script, and because its file context is logwatch_exec_t the kernel transitions its process to logwatch_t. That all makes sense now. Thanks for the explanation. Moray. “To err is human; to purr, feline.” -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
| All times are GMT. The time now is 08:32 AM. |
VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.