Old 11-28-2007, 07:16 PM
Aleksander Adamowski
 
RHEL5 + strict policy: Unprivileged user cron - "Unauthorized SELinux context"

Hi!

I'm using selinux-policy-strict-2.4.6-30.el5.

I've added a job to apache's crontab (crontab -e -u apache).

Now I can see those errors in /var/log/cron:

crond[27249]: (apache) Unauthorized SELinux context, but SELinux in
permissive mode, continuing (cron/apache)
crond[29358]: (apache) NULL security context for user, but SELinux in
permissive mode, continuing ()



Google search found a suggestion that FC6 cron policy is broken,
resulting in similar symptoms (but for root instead of apache user), but
what about RHEL5?


I've also added a simple apache cronjob that simply writes output from
"id -Z" to a file in /tmp and it has written the following context data:


root:system_r:crond_t:SystemLow-SystemHigh

Why is the user root? Shouldn't it be user_u or system_u or something
like that?


--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
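Detection logic for the two crond messages quoted in the post above, as an added example that is not part of the original thread. It is a POSIX sh/awk script; the sample log lines are constructed here from the messages in the post (with a syslog timestamp/host prefix assumed, which the post's wrapped excerpt does not show), and the intended use is `scan_cron_selinux < /var/log/cron`.

```shell
#!/bin/sh
# Added example (not from the thread): scan /var/log/cron text on stdin for
# crond's SELinux context-check failures and print one summary line per hit.
# Only the two message shapes quoted in the post are matched; an enforcing-mode
# refusal message is not shown on the page, so none is assumed here.

# Print "user=<login> event=<kind> selinux=<mode>" for each matching line.
scan_cron_selinux() {
    awk '
    /crond\[[0-9]+\]: \(/ {
        # the crontab owner sits between "(" and ")" right after "crond[pid]: "
        u = $0
        sub(/^.*crond\[[0-9]+\]: \(/, "", u)
        sub(/\).*$/, "", u)
        kind = ""
        if ($0 ~ /Unauthorized SELinux context/) kind = "unauthorized_context"
        else if ($0 ~ /NULL security context for user/) kind = "null_context"
        if (kind == "") next
        # crond says so explicitly when it only continued because of permissive mode
        if ($0 ~ /SELinux in permissive mode, continuing/) mode = "permissive"
        else mode = "unknown"
        printf "user=%s event=%s selinux=%s\n", u, kind, mode
    }'
}

# Constructed sample: the two messages from the post plus an ordinary CMD line
# that must not be reported.
SAMPLE_LOG='Nov 28 20:16:01 host crond[27249]: (apache) Unauthorized SELinux context, but SELinux in permissive mode, continuing (cron/apache)
Nov 28 20:16:01 host crond[27249]: (apache) CMD (/usr/local/bin/job.sh)
Nov 28 21:10:01 host crond[29358]: (apache) NULL security context for user, but SELinux in permissive mode, continuing ()'

printf '%s\n' "$SAMPLE_LOG" | scan_cron_selinux
```

Every hit with `selinux=permissive` is a job that ran anyway, and, as the `id -Z` output in the post shows, it ran in crond's own context rather than the one computed for the user; that is the case to chase down before the machine is switched to enforcing.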
 
Old 11-28-2007, 11:10 PM
Aleksander Adamowski
 
RHEL5 + strict policy: Unprivileged user cron - "Unauthorized SELinux context"

Stephen Smalley wrote:
> On Wed, 2007-11-28 at 21:16 +0100, Aleksander Adamowski wrote:
>> crond[27249]: (apache) Unauthorized SELinux context, but SELinux in
>> permissive mode, continuing (cron/apache)
>> crond[29358]: (apache) NULL security context for user, but SELinux in
>> permissive mode, continuing ()
>
> Sounds like it just stayed in crond's context since it failed the check
> and the system was permissive. Naturally, in enforcing mode, it would
> not have executed the job at all.
>
> crond computes a context for the user's cron job in the usual manner,
> then applies an entrypoint permission check between that context and the
> file context on the crontab file (which gets picked up from a
> combination of its creator and the parent directory). If that check
> fails, then crond refuses to execute the crontab commands in that
> process context. The check is intended to prevent injection of commands
> from one context into another via crontab, unless authorized by policy
> of course.

That's reasonable.

> I'd have expected it to try to run the cron job in user_u:user_r:
> user_crond_t:s0 since apache wouldn't have a specific entry in seusers.
> So it would have wanted the crontab file to have user_cron_spool_t on
> it, which would have happened if a user_t process created it. If
> instead an admin created it and it got sysadm_cron_spool_t or
> staff_cron_spool_t, that might explain it. So you could relabel it or
> allow that permission. First though check the current label on the
> crontab file.


Yes, you're right. That was precisely the cause.
I've used "crontab -e -u apache" as root.
The files in /var/spool/cron got sysadm_cron_spool_t type (the full
context was root:object_r:sysadm_cron_spool_t).


After running "fixfiles relabel /var/spool/cron/", the apache crontab
got system_u:object_r:user_cron_spool_t.


Now cron runs fine and doesn't log anything suspicious.

IMHO crontab should be modified to relabel crontab files that are edited
using the "-u" option, but this is a question to Dan - should I file a
new bug to bugzilla.redhat.com on this?


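The diagnosis Stephen describes (SELinux user from seusers, expected *_cron_spool_t type, compared with the label actually on the crontab file) and the relabel that fixed it, as an added example that is not code from the thread. It is a POSIX sh script with the following assumptions, none of which the page confirms: the strict policy's seusers file lives at /etc/selinux/strict/seusers in "login:seuser:range" form with a __default__ entry; the file context is taken from the `:object_r:` field of `ls -dZ` output; staff_u maps to staff_cron_spool_t (inferred from the type name, the page only shows user_u -> user_cron_spool_t and root -> sysadm_cron_spool_t); and `restorecon` is available as the per-file equivalent of the `fixfiles relabel` used in the post.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a login's crontab in
# /var/spool/cron carries the *_cron_spool_t type crond's entrypoint check will
# accept for that login's SELinux user, and relabel it if not.

# Type field (third colon-separated component) of a context such as
# "root:object_r:sysadm_cron_spool_t" or "system_u:object_r:user_cron_spool_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Spool type the strict policy expects for a given SELinux user.
# staff_u -> staff_cron_spool_t is assumed from the naming; the thread only
# shows the user_u and root cases.
expected_cron_spool_type() {
    case "$1" in
        user_u)         echo user_cron_spool_t ;;
        staff_u)        echo staff_cron_spool_t ;;
        sysadm_u|root)  echo sysadm_cron_spool_t ;;
        *)              echo user_cron_spool_t ;;   # unknown: treat like __default__ -> user_u
    esac
}

# SELinux user for a login from a seusers file ("login:seuser:range" lines),
# falling back to the __default__ entry, which is what a login such as apache
# without its own entry gets. Path is an assumption for the strict policy.
seuser_for_login() {
    login=$1
    seusers=${2:-/etc/selinux/strict/seusers}
    awk -F: -v u="$login" '
        $1 == u           { hit = $2 }
        $1 == "__default__" { def = $2 }
        END { if (hit != "") print hit; else print def }' "$seusers"
}

# "OK" when the crontab's type matches what the SELinux user needs, otherwise
# "MISMATCH expected=<t> actual=<t>".
check_crontab_label() {
    want=$(expected_cron_spool_type "$1")
    have=$(context_type "$2")
    if [ "$have" = "$want" ]; then
        echo OK
    else
        echo "MISMATCH expected=$want actual=$have"
    fi
}

# Live helpers (assume ls -Z prints the context as a whitespace-separated field
# containing ":object_r:", and that restorecon is installed).
file_context() {
    ls -dZ "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) { print $i; exit } }'
}

check_user_crontab() {
    login=$1
    spool=${2:-/var/spool/cron}
    seusers=${3:-/etc/selinux/strict/seusers}
    if [ ! -e "$spool/$login" ]; then
        echo "no crontab for $login in $spool"
        return 1
    fi
    check_crontab_label "$(seuser_for_login "$login" "$seusers")" "$(file_context "$spool/$login")"
}

# Per-file equivalent of the "fixfiles relabel /var/spool/cron/" used in the post.
relabel_crontab() {
    restorecon -v "${2:-/var/spool/cron}/$1"
}

# Constructed demo reproducing the thread: apache's crontab was created by root
# via "crontab -e -u apache" and so carried sysadm_cron_spool_t.
SAMPLE_SEUSERS=$(mktemp)
printf '__default__:user_u:s0\nroot:root:s0-s0:c0.c1023\n' > "$SAMPLE_SEUSERS"
echo "apache before relabel: $(check_crontab_label "$(seuser_for_login apache "$SAMPLE_SEUSERS")" root:object_r:sysadm_cron_spool_t)"
echo "apache after relabel:  $(check_crontab_label "$(seuser_for_login apache "$SAMPLE_SEUSERS")" system_u:object_r:user_cron_spool_t)"
rm -f "$SAMPLE_SEUSERS"

# Live use: sh thisscript.sh apache  (then "relabel_crontab apache" on a MISMATCH)
if [ $# -gt 0 ]; then
    check_user_crontab "$@"
fi
```

The check only compares the type; it deliberately ignores the user and role fields, because the relabel in the post changed the file from `root:object_r:...` to `system_u:object_r:...` and that part was irrelevant to the entrypoint check. A MISMATCH on a file that `restorecon` leaves unchanged means the file_contexts spec, not the file, disagrees with what the SELinux user needs, which is the "allow that permission" branch of Stephen's answer rather than the relabel branch.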
 