On 01/19/2013 07:34 AM, Jean-David Beyer wrote:
On 01/18/2013 10:30 AM, Jean-David Beyer wrote:
> On 01/18/2013 09:24 AM, Miroslav Grepl wrote:
[snip]
>> Hi, I believe we should collect all AVC msgs. Could you execute
>>
>> # semanage permissive -a system_mail_t
Should I turn this off again? I.e., set it to 'enforcing'?
Yes, once you are done collecting the AVC's and are happy that it is working
properly.
semanage permissive -d system_mail_t
>
> Done.
>>
>> which will make the domain as permissive. So nothing will be denied
>> and we will see AVC msgs in /var/log/audit/audit.log. Also I believe
>> the local policy is better than a rebuild of the policy package.
>>
>
[snip]
> What I have already done is this:
>
>
> Jan 13 03:52:17 DellT7600 kernel: type=1400 audit(1358067137.751:38575):
> avc: denied { read } for pid=19533 comm="mailx"
> name="report.2013Jan130344" dev=sdb8 ino=525338
> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:cron_log_t:s0 tclass=file
>
> I tried to fix it with this:
>
> sealert -l b6766d24-f5e8-4db5-94eb-a153b7e0f35a
> SELinux is preventing /bin/mailx from read access on the file report.2013Jan180316.
>
> ***** Plugin catchall (100. confidence) suggests ***************************
>
> If you believe that mailx should be allowed read access on the
> report.2013Jan180316 file by default. Then you should report this as a
> bug. You can generate a local policy module to allow this access. Do
> allow this access for now by executing:
> # grep mailx /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> DellT7600:root[/var/log]# grep mailx /var/log/audit/audit.log | audit2allow -M mymail1
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
> semodule -i mymail1.pp
>
> DellT7600:root[/var/log]# semodule -i mymail1.pp
>
> But my guess it will fail tomorrow anyway because the file in question
> tomorrow will be a different one, named something like
> report.2013Jan190316. We will see.
My guess was wrong. I am glad to be wrong in this case. But will all those
audit2allow things I ran persist over a reboot? I hesitate to reboot the
machine to test this but perhaps I had better. I saved (most of) those
outputs of those
grep mailx /var/log/audit/audit.log | audit2allow -M mymail1
semodule -i mymail1.pp
things, but I do not imagine they will be automatically re-run; will they?
Does SELinux save them somewhere so they can be used again?
There are a bunch of these; in particular, this one:
[/var/log]$ cat mymail1.te
module mymail1 1.0;
require { type cron_log_t; type system_mail_t; class file read; }
#============= system_mail_t ==============
allow system_mail_t cron_log_t:file read;
I guess I would like to know if the immediately above thing fixed it, or if the
semanage permissive -a system_mail_t
did it.
>
> dominick.grift has another idea, but I am too new at this to fully
> understand what he says to do. I have been writing computer programs since
> about 1956, but SELinux is a bit beyond me. I do not want to take a month
> off to learn all about SELinux if I can possibly help it.
>
Well it ran right last night.
/var/log/syslog had this to say.
Running my script.
Jan 19 03:07:14 DellT7600 run-parts(/etc/cron.daily)[13004]: starting zBackup.daily
Jan 19 03:14:02 DellT7600 sendmail[13259]: r0J8E2QF013259: from=root, size=1312, class=0, nrcpts=1, msgid=<201301190814.r0J8E2QF013259(a)DellT7600.localdomain>, relay=root@localhost
Jan 19 03:14:02 DellT7600 sendmail[13262]: r0J8E2l5013262: from=<root(a)DellT7600.localdomain>, size=1586, class=0, nrcpts=1, msgid=<201301190814.r0J8E2QF013259(a)DellT7600.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan 19 03:14:02 DellT7600 sendmail[13259]: r0J8E2QF013259: to=jeandavid8, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31312, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (r0J8E2l5013262 Message accepted for delivery)
Jan 19 03:14:02 DellT7600 run-parts(/etc/cron.daily)[13266]: finished zBackup.daily
Then the entire /etc/cron.daily directory finished running under
run_parts. There is output to be mailed to me because there is a set -x in my
script for debugging.
Jan 19 03:14:02 DellT7600 anacron[12982]: Job `cron.daily' terminated (mailing output)
Jan 19 03:14:02 DellT7600 sendmail[13263]: r0J8E2l5013262: to=<jeandavid8(a)DellT7600.localdomain>, ctladdr=<root(a)DellT7600.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31826, dsn=2.0.0, stat=Sent
Jan 19 03:14:02 DellT7600 sendmail[13267]: r0J8E2rG013267: from=root, size=2045, class=0, nrcpts=1, msgid=<201301190814.r0J8E2rG013267(a)DellT7600.localdomain>, relay=root@localhost
Jan 19 03:14:02 DellT7600 sendmail[13268]: r0J8E2pb013268: from=<root(a)DellT7600.localdomain>, size=2333, class=0, nrcpts=1, msgid=<201301190814.r0J8E2rG013267(a)DellT7600.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan 19 03:14:02 DellT7600 sendmail[13267]: r0J8E2rG013267: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=32045, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (r0J8E2pb013268 Message accepted for delivery)
Jan 19 03:14:02 DellT7600 anacron[12982]: Normal exit (1 job run)
Jan 19 03:14:02 DellT7600 sendmail[13269]: r0J8E2pb013268: to=jeandavid8, ctladdr=<root(a)DellT7600.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32569, dsn=2.0.0, stat=Sent
Now I will try to find the related stuff in /var/log/audit...
This is the last related entry that I can find. It is the failure from
yesterday. I can find nothing about the success today.
type=AVC msg=audit(1358497393.637:38545): avc: denied { read } for pid=6812 comm="mailx" name="report.2013Jan180316" dev=sdb8 ino=525382 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=SYSCALL msg=audit(1358497393.637:38545): arch=c000003e syscall=21 success=no exit=-13 a0=7fff48054f22 a1=4 a2=7fff48054f22 a3=f items=0 ppid=6773 pid=6812 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=589 comm="mailx" exe="/bin/mailx" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
The set -x output from my script said (in part):
/etc/cron.daily/zBackup.daily:
+ id -a
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
+ /bin/env
+ /bin/mailx -s 'DellT7600 find|cpio Report' -a /var/log/Backups/report.2013Jan190307 jeandavid8
+ /bin/chmod 0664 /var/log/Backups/report.2013Jan190307
+ /bin/chgrp jeandavid8 /var/log/Backups/report.2013Jan190307
+ exit 0
And the /bin/env output is:
SHELL=/bin/sh
MAILTO=root
USER=root
PATH=/sbin:/bin:/usr/sbin:/usr/bin
PWD=/
HOME=/
SHLVL=6
START_HOURS_RANGE=3
LOGNAME=root
RANDOM_DELAY=45
_=/bin/env
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
We do not currently allow log files mailed off the system by the system
mailer. I guess we could add a boolean for this, but I do not believe we
should allow this by default.
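As an added illustration (not code from this thread, from the SELinux project or from audit2allow itself), the Python below parses AVC denials in the two layouts quoted above (the syslog copy and the raw audit.log record), groups them by source type, target type and object class, and renders them as the same kind of .te module that `grep mailx /var/log/audit/audit.log | audit2allow -M mymail1` produced for Jean-David; the sample records are constructed from the ones in the thread plus one extra denial to show how several permissions are merged.

```python
import re
from collections import defaultdict

# Constructed sample in the two layouts seen in the thread: a syslog copy of the
# denial (kernel: type=1400 ...) and raw /var/log/audit/audit.log records.
SAMPLE_LOG = """\
Jan 13 03:52:17 DellT7600 kernel: type=1400 audit(1358067137.751:38575): avc: denied { read } for pid=19533 comm="mailx" name="report.2013Jan130344" dev=sdb8 ino=525338 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1358497393.637:38545): avc: denied { read } for pid=6812 comm="mailx" name="report.2013Jan180316" dev=sdb8 ino=525382 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1358497394.000:38546): avc: denied { getattr open } for pid=6812 comm="mailx" name="report.2013Jan180316" dev=sdb8 ino=525382 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=SYSCALL msg=audit(1358497393.637:38545): arch=c000003e syscall=21 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def type_of(context):
    """user:role:type[:mls] -> type (the part a TE allow rule is written against)."""
    return context.split(':')[2]

def parse_denials(text):
    """Return {(source_type, target_type, tclass): {perms}} for every AVC denial."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL and other record types carry no avc: field and are skipped
            key = (type_of(m['scon']), type_of(m['tcon']), m['tclass'])
            rules[key].update(m['perms'].split())
    return dict(rules)

def perm_set(perms):
    """Single permission bare, several in braces, as audit2allow prints them."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else '{ %s }' % ' '.join(p)

def to_te(module_name, rules):
    """Render the collected denials as a .te module in the layout of the thread's mymail1.te."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = ['module %s 1.0;' % module_name, '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (c, perm_set(p)) for c, p in sorted(classes.items())]
    out += ['}', '']
    for (src, tgt, cls), perms in sorted(rules.items()):
        out += ['#============= %s ==============' % src,
                'allow %s %s:%s %s;' % (src, tgt, cls, perm_set(perms))]
    return '\n'.join(out) + '\n'
```

Calling `print(to_te('mymail1', parse_denials(SAMPLE_LOG)))` prints the module text; the `require` block lists only the types and classes the rules actually reference, which is what makes such a local module load against the base policy.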