Classification: UNCLASSIFIED
Caveats: NONE
Attached. I did notice some cron + bash related messages, so hopefully the
answer is in there. They seemed to refer to our su wrapper, which I admit
could be the problem, if cron is calling su in some way. I believe it's
needed for some form of 2-factor authentication when using su. It was
previously labeled as unconfined; yesterday I changed the labeling to match
that of the su binary in the original RHEL6 coreutils package, but that didn't
seem to help. I also tried reinstalling coreutils and using the standard su
binary, but that didn't help either (I just get the same messages for "su"
instead of "su.real").
bash-4.1# ls -lZ /bin/su*
lrwxrwxrwx. root root unconfined_u:object_r:bin_t:s0 /bin/su ->
/bin/su.wrapper
-r-xr-xr-x. root root system_u:object_r:su_exec_t:s0 /bin/su.real
-r-sr-xr-x. root root system_u:object_r:su_exec_t:s0 /bin/su.wrapper
The attached file shows the commands run both with and without dontaudit
disabled:
10:12:30 runcon -u system_u -r system_r -t system_cronjob_t
/etc/cron.daily/puppet-state
10:14:25 semodule -B
10:15:06 runcon -u system_u -r system_r -t system_cronjob_t
/etc/cron.daily/puppet-state
10:15:16 ausearch -m avc -ts recent &> /root/avc3.txt
--
Ray Shaw (Contractor, STG)
Army Research Laboratory
CIO, Unix Support
> -----Original Message-----
> From: Jeremy Young [mailto:jrm16020@gmail.com]
> Sent: Thursday, August 14, 2014 9:43 AM
> To: Shaw, Ray V CTR USARMY ARL (US)
> Cc: selinux@lists.fedoraproject.org
> Subject: Re: cron issues with bash source (UNCLASSIFIED)
>
> There are a few ways that you could speed up your troubleshooting:
>
> 1. Schedule your job with a file in /etc/cron.d to run the script in
> /etc/cron.daily on a much more frequent interval 2. Use runcon to run
> your script with the same context that crond would have when executing.
> For example:
> runcon -u system_u -r system_r -t system_cronjob_t
> /etc/cron.daily/logrotate
>
> After you run the scripts (or at the end of the scripts), can you run
> this and provide the raw audit messages?
> ausearch -m avc -ts recent
>
>
> On Thu, Aug 14, 2014 at 8:17 AM, Shaw, Ray V CTR USARMY ARL (US)
> <ray.v.shaw.ctr@mail.mil> wrote:
>
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> Background info: running RHEL6 with the latest updates, so
> selinux-policy-targeted-3.7.19-231.el6_5.3.noarch.
>
> When moving from Permissive to Enforcing, two scripts in
> /etc/cron.daily that use the bash "." operator to include a functions
> file can no longer do so. The functions file sets $PATH and other
> environment variables, so subsequent commands in the scripts fail.
>
> Interestingly, when run out of root's crontab, the scripts work
> just fine. The context when doing that (gathered by placing id -Z in
> the script) is:
>
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> Not sure why; the script itself isn't unlabeled:
>
> bash-4.1# ls -lZ /usr/local/sbin/puppet-state
> -rwx------. root root system_u:object_r:bin_t:s0
> /usr/local/sbin/puppet-state
>
> When run from /etc/cron.daily (or cron.hourly, where I placed a
> copy for faster testing), the context is:
>
> system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
>
> bash-4.1# ls -lZ /etc/cron.hourly/puppet-state
> -rwx------. root root system_u:object_r:bin_t:s0
> /etc/cron.hourly/puppet-state
>
> The exact command in question it's failing to run is:
>
> . /opt/puppet/scripts/functions
>
> Which is labeled thusly:
>
> bash-4.1# ls -lZ /opt/puppet/scripts/functions
> -r-x------. root root unconfined_u:object_r:usr_t:s0
> /opt/puppet/scripts/functions
>
> In either Enforcing or Permissive, I wasn't seeing anything that
> looked relevant, so I ran semodule -DB. This is the only thing cron-
> related, but (and I'm not very experienced with SELinux, so maybe I'm
> missing something) that doesn't seem like it:
>
> bash-4.1# cat /var/log/audit/audit.log-20140814 | grep cron |
> audit2allow -w
> type=AVC msg=audit(1407915503.212:155119): avc: denied {
> rlimitinh } for pid=26239 comm="prelink"
> scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tclass=process
>
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable
> module to allow this access.
>
> type=AVC msg=audit(1407915503.212:155119): avc: denied { siginh
> } for pid=26239 comm="prelink"
> scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tclass=process
>
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable
> module to allow this access.
>
> I suppose we could run them out of root's crontab, but they're
> easier to manage in cron.daily, and I'd like to solve the problem. Any
> assistance is greatly appreciated. A search of the list archives
> didn't turn up this issue; sorry if I've missed it.
>
> --
> Ray Shaw (Contractor, STG)
> Army Research Laboratory
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
>
> --
>
> Jeremy Young <mailto:jrm16020@gmail.com> , M.S., RHCSA
>
>
Classification: UNCLASSIFIED
Caveats: NONE
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux