FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 02-13-2012, 12:05 PM
Moray Henderson
 
Default cron vs. anacron

I'm still investigating a problem I reported to the list a while ago on
CentOS 5.6: certain jobs run through cron work perfectly, but when run
through anacron (for example, cron.daily on a freshly installed system)
generate errors.

Both anacron and crond are running in the same context:

# ps -ZC anacron -C crond
LABEL PID TTY TIME CMD
system_u:system_r:crond_t:SystemLow-SystemHigh 2779 ? 00:00:00 crond
system_u:system_r:crond_t:SystemLow-SystemHigh 2792 ? 00:00:00 anacron


I added a "ps -eZ" command to a logwatch report to test this, and found
something interesting: under anacron, the only process which had its
SELinux context listed was the ps command itself.

Can someone explain why the logwatch process run by crond transitions to
unconfined_t, while the same process run by anacron remains in
logwatch_t:s0-s0:c0.c1023?


Run by cron:
LABEL PID TTY TIME CMD
system_u:system_r:init_t 1 ? 00:00:02 init
system_u:system_r:kernel_t 2 ? 00:00:00 migration/0
system_u:system_r:kernel_t 3 ? 00:00:00 ksoftirqd/0
system_u:system_r:kernel_t 4 ? 00:00:00 events/0
system_u:system_r:kernel_t 5 ? 00:00:00 khelper
system_u:system_r:kernel_t 6 ? 00:00:00 kthread
system_u:system_r:kernel_t 9 ? 00:00:00 kblockd/0
...
user_u:system_r:unconfined_t 3559 ? 00:00:00 run-parts
user_u:system_r:unconfined_t 3564 ? 00:00:00 0logwatch
user_u:system_r:unconfined_t 3565 ? 00:00:00 awk
user_u:system_r:unconfined_t 3605 ? 00:00:00 perl
user_u:system_r:sendmail_t 3611 ? 00:00:00 sendmail
user_u:system_r:unconfined_t 3616 ? 00:00:00 sh
user_u:system_r:unconfined_t 3617 ? 00:00:00 ps


Run by anacron:
LABEL PID TTY TIME CMD
- 1 ? 00:00:02 init
- 2 ? 00:00:00 migration/0
- 3 ? 00:00:00 ksoftirqd/0
- 4 ? 00:00:00 events/0
- 5 ? 00:00:00 khelper
- 6 ? 00:00:00 kthread
- 9 ? 00:00:00 kblockd/0
...
- 4069 ? 00:00:00 run-parts
- 4072 ? 00:00:00 0logwatch
- 4073 ? 00:00:00 awk
- 4105 ? 00:00:00 perl
- 4107 ? 00:00:00 sendmail
- 4116 ? 00:00:00 sh
system_u:system_r:logwatch_t:s0-s0:c0.c1023 4117 ? 00:00:00 ps


AVC entries at the time of the anacron jobs are

time->Mon Feb 13 12:27:37 2012
type=SYSCALL msg=audit(1329136057.506:52): arch=40000003 syscall=3
success=yes exit=177 a0=6 a1=2be900 a2=3ff a3=2be8a0 items=0 ppid=4108
pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps"
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1329136057.506:52): avc: denied { sys_ptrace } for
pid=4109 comm="ps" capability=19
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=capability
time->Mon Feb 13 12:27:37 2012
type=SYSCALL msg=audit(1329136057.512:53): arch=40000003 syscall=3
success=no exit=-13 a0=6 a1=8d7ee20 a2=fff a3=fff items=0 ppid=4108 pid=4109
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="ps" exe="/bin/ps"
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1329136057.512:53): avc: denied { getattr } for
pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=process
time->Mon Feb 13 12:27:37 2012
type=SYSCALL msg=audit(1329136057.524:104): arch=40000003 syscall=3
success=yes exit=168 a0=6 a1=2be900 a2=3ff a3=2be8a0 items=0 ppid=4108
pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps"
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1329136057.524:104): avc: denied { ptrace } for
pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process
time->Mon Feb 13 12:27:37 2012
type=SYSCALL msg=audit(1329136057.524:105): arch=40000003 syscall=3
success=no exit=-13 a0=6 a1=8d7ee20 a2=fff a3=fff items=0 ppid=4108 pid=4109
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="ps" exe="/bin/ps"
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1329136057.524:105): avc: denied { getattr } for
pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process
time->Mon Feb 13 12:27:37 2012
type=SYSCALL msg=audit(1329136057.688:254): arch=40000003 syscall=5
success=no exit=-13 a0=99ead34 a1=18800 a2=8058b0c a3=110 items=0 ppid=4108
pid=4114 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="du" exe="/usr/bin/du"
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1329136057.688:254): avc: denied { read } for pid=4114
comm="du" name="pm" dev=dm-0 ino=491689
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_ubject_r:hald_log_t:s0 tclass=dir



Moray.
"To err is human; to purr, feline."




--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 02-13-2012, 02:29 PM
Moray Henderson
 
Default cron vs. anacron

> From: Moray Henderson [mailto:Moray.Henderson@ict-software.org]
> Sent: 13 February 2012 13:05
>
> Can someone explain why the logwatch process run by crond transitions
> to unconfined_t, while the same process run by anacron remains in
> logwatch_t:s0-s0:c0.c1023?

Does this answer my own question?

[root@centos services]# ldd /usr/sbin/crond
linux-gate.so.1 => (0x00550000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00671000)
libpam.so.0 => /lib/libpam.so.0 (0x001c8000)
libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x00803000)
libaudit.so.0 => /lib/libaudit.so.0 (0x00a2e000)
libc.so.6 => /lib/libc.so.6 (0x0031c000)
libdl.so.2 => /lib/libdl.so.2 (0x00110000)
libsepol.so.1 => /lib/libsepol.so.1 (0x00bb0000)
/lib/ld-linux.so.2 (0x00eef000)
[root@centos services]# ldd /usr/sbin/anacron
linux-gate.so.1 => (0x005d3000)
libc.so.6 => /lib/libc.so.6 (0x0014d000)
/lib/ld-linux.so.2 (0x00129000)

Am I right that crond can do type transitions because it was written with
libselinux.so in mind, while anacron can't because it wasn't? Although
somehow my ps process did manage to get to logwatch_t.

Am I right that that was a bug? Looks like it's been fixed in CentOS 6.
Unfortunately I'm stuck on 5 for this project. I'll have to come up with a
workaround.



Moray.
"To err is human; to purr, feline."




--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 02-13-2012, 03:33 PM
Daniel J Walsh
 
Default cron vs. anacron

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/13/2012 10:29 AM, Moray Henderson wrote:
>> From: Moray Henderson [mailto:Moray.Henderson@ict-software.org]
>> Sent: 13 February 2012 13:05
>>
>> Can someone explain why the logwatch process run by crond
>> transitions to unconfined_t, while the same process run by
>> anacron remains in logwatch_t:s0-s0:c0.c1023?
>
> Does this answer my own question?
>
> [root@centos services]# ldd /usr/sbin/crond linux-gate.so.1 =>
> (0x00550000) libselinux.so.1 => /lib/libselinux.so.1 (0x00671000)
> libpam.so.0 => /lib/libpam.so.0 (0x001c8000) libpam_misc.so.0 =>
> /lib/libpam_misc.so.0 (0x00803000) libaudit.so.0 =>
> /lib/libaudit.so.0 (0x00a2e000) libc.so.6 => /lib/libc.so.6
> (0x0031c000) libdl.so.2 => /lib/libdl.so.2 (0x00110000)
> libsepol.so.1 => /lib/libsepol.so.1 (0x00bb0000) /lib/ld-linux.so.2
> (0x00eef000) [root@centos services]# ldd /usr/sbin/anacron
> linux-gate.so.1 => (0x005d3000) libc.so.6 => /lib/libc.so.6
> (0x0014d000) /lib/ld-linux.so.2 (0x00129000)
>
> Am I right that crond can do type transitions because it was
> written with libselinux.so in mind, while anacron can't because it
> wasn't? Although somehow my ps process did manage to get to
> logwatch_t.
>
> Am I right that that was a bug? Looks like it's been fixed in
> CentOS 6. Unfortunately I'm stuck on 5 for this project. I'll have
> to come up with a workaround.
>
>
>
> Moray. "To err is human; to purr, feline."
>
>
>
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


There is two ways to do transitions. One can be written in policy.

Processes running as a_t executing files labeles as b_exec_t will
transition to c_t.

Or applications can have SELinux awareness built into then, as cron
does. Cron is just using SELinux awareness for user jobs, I believe.

When a user creates a cron job, the cronjob gets labeled with the
level and user type of the user that created the job, then when cron
runs the job it looks up the label and asks the kernel:

If I have a file labeled X, which context should I run it as. The
kernel responds with Y and cron will attempt to run the job as Y.

Since anacron does not have SELinux awareness in it, it can not do the
second object and only the first.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk85O3IACgkQrlYvE4MpobMKXwCcC81+cyYzkX UKp5T3o2a29eoP
fIsAnAyqINZFQYrhyWHIbSIGAVN+FGkC
=Ppc6
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 02-14-2012, 01:51 PM
Moray Henderson
 
Default cron vs. anacron

> From: Daniel J Walsh [mailto:dwalsh@redhat.com]
> Sent: 13 February 2012 16:34
>
> On 02/13/2012 10:29 AM, Moray Henderson wrote:
> >> From: Moray Henderson [mailto:Moray.Henderson@ict-software.org]
> >> Sent: 13 February 2012 13:05
> >>
> >> Can someone explain why the logwatch process run by crond
> >> transitions to unconfined_t, while the same process run by
> >> anacron remains in logwatch_t:s0-s0:c0.c1023?
> >
> > Does this answer my own question?
> >
> > [root@centos services]# ldd /usr/sbin/crond linux-gate.so.1 =>
> > (0x00550000) libselinux.so.1 => /lib/libselinux.so.1 (0x00671000)
> > libpam.so.0 => /lib/libpam.so.0 (0x001c8000) libpam_misc.so.0 =>
> > /lib/libpam_misc.so.0 (0x00803000) libaudit.so.0 =>
> > /lib/libaudit.so.0 (0x00a2e000) libc.so.6 => /lib/libc.so.6
> > (0x0031c000) libdl.so.2 => /lib/libdl.so.2 (0x00110000)
> > libsepol.so.1 => /lib/libsepol.so.1 (0x00bb0000) /lib/ld-linux.so.2
> > (0x00eef000) [root@centos services]# ldd /usr/sbin/anacron
> > linux-gate.so.1 => (0x005d3000) libc.so.6 => /lib/libc.so.6
> > (0x0014d000) /lib/ld-linux.so.2 (0x00129000)
> >
> > Am I right that crond can do type transitions because it was
> > written with libselinux.so in mind, while anacron can't because it
> > wasn't? Although somehow my ps process did manage to get to
> > logwatch_t.
> >
> > Am I right that that was a bug? Looks like it's been fixed in
> > CentOS 6. Unfortunately I'm stuck on 5 for this project. I'll have
> > to come up with a workaround.
> >
> >
> >
> > Moray. "To err is human; to purr, feline."
> >
> >
> >
> >
> > -- selinux mailing list selinux@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> There is two ways to do transitions. One can be written in policy.
>
> Processes running as a_t executing files labeles as b_exec_t will
> transition to c_t.
>
> Or applications can have SELinux awareness built into then, as cron
> does. Cron is just using SELinux awareness for user jobs, I believe.
>
> When a user creates a cron job, the cronjob gets labeled with the
> level and user type of the user that created the job, then when cron
> runs the job it looks up the label and asks the kernel:
>
> If I have a file labeled X, which context should I run it as. The
> kernel responds with Y and cron will attempt to run the job as Y.
>
> Since anacron does not have SELinux awareness in it, it can not do the
> second object and only the first.

I see - so because /etc/crontab says that /etc/cron.daily jobs should be run as root, cron gives the jobs root's normal context. On plain CentOS in targeted mode, that's unconfined_t.

Anacron just launches the logwatch script, and because its file context is logwatch_exec_t the kernel transitions its process to logwatch_t.

That all makes sense now. Thanks for the explanation.


Moray.
“To err is human; to purr, feline.”




--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 

Thread Tools




All times are GMT. The time now is 09:23 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org