Linux Archive


Zdenek Pytela 09-20-2012 02:50 PM

cron -> epylog -> links
 
Hello everybody,
every night cron calls epylog and it launches links.
links wants to create a temporary file links.tmp and write to ~/.links
directory and to check bookmarks/history and other files.
As epylog is run as root, admin_home is affected.
If run from a cli, no alert is displayed.
It is (probably) run from publishers.py at line 264:

    exitcode = os.system('%s -dump %s > %s 2>/dev/null'
                         % (self.lynx, htmlfile, plainfile))

As a2a recommends, it is easy to make a local policy file.

#============= logwatch_t ==============
#!!!! The source type 'logwatch_t' can write to a 'dir' of the following types:
# logwatch_cache_t, logwatch_tmp_t

allow logwatch_t admin_home_t:dir { write remove_name add_name setattr };
#!!!! The source type 'logwatch_t' can write to a 'file' of the following types:
# logwatch_lock_t, logwatch_var_run_t, logwatch_cache_t, logwatch_tmp_t

allow logwatch_t admin_home_t:file { rename write read create unlink open };

(and similar).
This looks to me like too much unconfining.
I think that relabeling the .elinks directory and its files is a better solution.
Maybe this is a job for a transition, which I am still not familiar with.
But I am also surprised that this happens to nobody else, as most of the
epylog.conf settings are default. All of my hosts have this bug-or-what-it-is.

Thanks in advance,

--

--Zdenek Pytela, <pytela@phil.muni.cz>

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
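
The concern in the post above, that the generated rules unconfine too much, can be checked mechanically before a local module is loaded. This added example (not from the thread, epylog, or any SELinux tool) parses audit2allow-style allow rules and flags those that would let a domain modify home-labelled content; the `HOME_TYPES` and `MODIFYING` sets and the third sample rule are assumptions made for illustration.

```python
import re

# audit2allow-style rule: allow <source> <target>:<class> <perm> | { perms };
RULE_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

# Permissions that let the source domain change the target object (assumed set).
MODIFYING = {"write", "append", "create", "unlink", "rename", "setattr",
             "add_name", "remove_name", "rmdir"}

# Types that label home-directory content (assumed list; extend per policy).
HOME_TYPES = {"admin_home_t", "user_home_t", "user_home_dir_t"}


def parse_rules(text):
    """Yield (source, target, class, perms) per allow rule; comments are skipped."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            src, tgt, cls, braced, single = m.groups()
            yield src, tgt, cls, set((braced or single).split())


def flag_home_writes(text):
    """Return rules that would let a domain modify home-labelled objects."""
    findings = []
    for src, tgt, cls, perms in parse_rules(text):
        risky = sorted(perms & MODIFYING)
        if tgt in HOME_TYPES and risky:
            findings.append((src, tgt, cls, risky))
    return findings


# First two rules are the ones quoted in the post; the third is constructed
# to show a rule that stays inside the domain's own types and is not flagged.
SAMPLE = """\
#============= logwatch_t ==============
#!!!! The source type 'logwatch_t' can write to a 'dir' of the following types:
allow logwatch_t admin_home_t:dir { write remove_name add_name setattr };
allow logwatch_t admin_home_t:file { rename write read create unlink open };
allow logwatch_t logwatch_tmp_t:file write;
"""

if __name__ == "__main__":
    for src, tgt, cls, risky in flag_home_writes(SAMPLE):
        print(f"{src} -> {tgt}:{cls} would gain {', '.join(risky)}; "
              "prefer moving the helper's config dir over loading this rule")
```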

Konstantin Ryabitsev 09-20-2012 03:14 PM

cron -> epylog -> links
 
On Thu, Sep 20, 2012 at 10:50 AM, Zdenek Pytela <pytela@phil.muni.cz> wrote:

> Hello everybody,
> every night cron calls epylog and it launches links.
> links wants to create a temporary file links.tmp and write to ~/.links
> directory and to check bookmarks/history and other files.
> As epylog is run as root, admin_home is affected.
> If run from a cli, no alert is displayed.
> It is (probably) run from publishers.py at line 264:
>
> exitcode = os.system('%s -dump %s > %s 2>/dev/null'
>                      % (self.lynx, htmlfile, plainfile))

Hi, Zdenek:
You can either dontaudit that, or set this in your epylog.conf:

lynx = /usr/bin/elinks -config-dir /var/lib/epylog/.elinks
Best,
--
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec


Miroslav Grepl 09-21-2012 01:36 PM

cron -> epylog -> links
 
On 09/20/2012 04:50 PM, Zdenek Pytela wrote:

> Hello everybody,
> every night cron calls epylog and it launches links.
> links wants to create a temporary file links.tmp and write to ~/.links
> directory and to check bookmarks/history and other files.
> As epylog is run as root, admin_home is affected.
> If run from a cli, no alert is displayed.
> It is (probably) run from publishers.py at line 264:
>
> exitcode = os.system('%s -dump %s > %s 2>/dev/null'
>                      % (self.lynx, htmlfile, plainfile))
>
> As a2a recommends, it is easy to make a local policy file.
>
> #============= logwatch_t ==============
> #!!!! The source type 'logwatch_t' can write to a 'dir' of the following types:
> # logwatch_cache_t, logwatch_tmp_t
>
> allow logwatch_t admin_home_t:dir { write remove_name add_name setattr };
> #!!!! The source type 'logwatch_t' can write to a 'file' of the following types:
> # logwatch_lock_t, logwatch_var_run_t, logwatch_cache_t, logwatch_tmp_t
>
> allow logwatch_t admin_home_t:file { rename write read create unlink open };
>
> (and similar).
> This looks to me like too much unconfining.
> I think that relabeling the .elinks directory and its files is a better solution.
> Maybe this is a job for a transition, which I am still not familiar with.
> But I am also surprised that this happens to nobody else, as most of the
> epylog.conf settings are default. All of my hosts have this bug-or-what-it-is.
>
> Thanks in advance,


What OS?

# rpm -q selinux-policy

Is this

~/.links

default location?


Zdenek Pytela 09-24-2012 02:34 PM

cron -> epylog -> links
 
Konstantin Ryabitsev writes:
> On Thu, Sep 20, 2012 at 10:50 AM, Zdenek Pytela <pytela@phil.muni.cz> wrote:
>
> > Hello everybody,
> > every night cron calls epylog and it launches links.
> > links wants to create a temporary file links.tmp and write to ~/.links
> > directory and to check bookmarks/history and other files.
> > As epylog is run as root, admin_home is affected.
> > If run from a cli, no alert is displayed.
> > It is (probably) run from publishers.py at line 264:
> >
> > exitcode = os.system('%s -dump %s > %s 2>/dev/null'
> >                      % (self.lynx, htmlfile, plainfile))
> >
>
> Hi, Zdenek:
>
> You can either dontaudit that, or set this in your epylog.conf:
>
> lynx = /usr/bin/elinks -config-dir /var/lib/epylog/.elinks
Nice workaround. I have just found another one in the elinks man
page: -no-home, it is much shorter ;-). Thanks,

--

--Zdeněk Pytela, <pytela@phil.muni.cz>
CIT FF MU
+420 54949 5301

CIT service line: [54949]*1542*, cit-servis@phil.muni.cz
CIT servers and networks: [54949]*1543*, cit-sys@phil.muni.cz
Fault reports, requests: http://www.phil.muni.cz/pozadavek/


Zdenek Pytela 09-24-2012 02:47 PM

cron -> epylog -> links
 
Miroslav Grepl writes:
> On 09/20/2012 04:50 PM, Zdenek Pytela wrote:
> > Hello everybody,
> > every night cron calls epylog and it launches links.
> > links wants to create a temporary file links.tmp and write to ~/.links
> > directory and to check bookmarks/history and other files.
> > As epylog is run as root, admin_home is affected.
> > If run from a cli, no alert is displayed.
> > It is (probably) run from publishers.py at line 264:
> >
> > exitcode = os.system('%s -dump %s > %s 2>/dev/null'
> >                      % (self.lynx, htmlfile, plainfile))
> >
> > As a2a recommends, it is easy to make a local policy file.
> >
> > #============= logwatch_t ==============
> > #!!!! The source type 'logwatch_t' can write to a 'dir' of the following types:
> > # logwatch_cache_t, logwatch_tmp_t
> >
> > allow logwatch_t admin_home_t:dir { write remove_name add_name setattr };
> > #!!!! The source type 'logwatch_t' can write to a 'file' of the following types:
> > # logwatch_lock_t, logwatch_var_run_t, logwatch_cache_t, logwatch_tmp_t
> >
> > allow logwatch_t admin_home_t:file { rename write read create unlink open };
> >
> > (and similar).
> > This looks to me like too much unconfining.
> > I think that relabeling the .elinks directory and its files is a better solution.
> > Maybe this is a job for a transition, which I am still not familiar with.
> > But I am also surprised that this happens to nobody else, as most of the
> > epylog.conf settings are default. All of my hosts have this bug-or-what-it-is.
> >
> > Thanks in advance,
> >
> What OS?
f16, f17

> # rpm -q selinux-policy
selinux-policy-3.10.0-91.fc16
selinux-policy-devel-3.10.0-146.fc17
latest at that time

> Is this
>
> ~/.links
>
> default location?
Yes it is:
elinks(1)
...
ELINKS_CONFDIR
The location of the directory containing configuration files. If
not set the default is ~/.elinks/.
...
and other references in the FILES section.
It can be changed or switched off.

--

--Zdenek Pytela, <pytela@phil.muni.cz>
