On 01/18/2013 10:30 AM, Jean-David Beyer wrote:
On 01/18/2013 09:24 AM, Miroslav Grepl wrote:
[snip]
> Hi,
> I believe we should collect all AVC msgs. Could you execute
>
> # semanage permissive -a system_mail_t
Should I turn this off again? I.e., set it to 'enforcing'?
Done.
>
> which will make the domain as permissive. So nothing will be denied and
> we will see AVC msgs in /var/log/audit/audit.log. Also I believe the
> local policy is better than a rebuild of the policy package.
>
[snip]
What I have already done is this:
Jan 13 03:52:17 DellT7600 kernel: type=1400 audit(1358067137.751:38575): avc: denied { read } for pid=19533 comm="mailx" name="report.2013Jan130344" dev=sdb8 ino=525338 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
I tried to fix it with this:
sealert -l b6766d24-f5e8-4db5-94eb-a153b7e0f35a
SELinux is preventing /bin/mailx from read access on the file
report.2013Jan180316.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that mailx should be allowed read access on the
report.2013Jan180316 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep mailx /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
DellT7600:root[/var/log]# grep mailx /var/log/audit/audit.log | audit2allow -M mymail1
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i mymail1.pp
DellT7600:root[/var/log]# semodule -i mymail1.pp
But my guess it will fail tomorrow anyway because the file in question
tomorrow will be a different one, named something like
report.2013Jan190316. We will see.
My guess was wrong. I am glad to be wrong in this case.
But will all those audit2allow things I ran persist over a reboot? I
hesitate to reboot the machine to test this but perhaps I had better. I
saved (most of) those outputs of those
grep mailx /var/log/audit/audit.log | audit2allow -M mymail1
semodule -i mymail1.pp
things, but I do not imagine they will be automatically re-run; will
they? Does SELinux save them somewhere so they can be used again?
There are a bunch of these; in particular, this one:
[/var/log]$ cat mymail1.te
module mymail1 1.0;
require {
    type cron_log_t;
    type system_mail_t;
    class file read;
}
#============= system_mail_t ==============
allow system_mail_t cron_log_t:file read;
I guess I would like to know if the immediately above thing fixed it, or if the
semanage permissive -a system_mail_t
did it.
dominick.grift has another idea, but I am too new at this to fully
understand what he says to do. I have been writing computer programs
since about 1956, but SELinux is a bit beyond me. I do not want to take
a month off to learn all about SELinux if I can possibly help it.
Well it ran right last night.
/var/log/syslog had this to say.
Running my script.
Jan 19 03:07:14 DellT7600 run-parts(/etc/cron.daily)[13004]: starting zBackup.daily
Jan 19 03:14:02 DellT7600 sendmail[13259]: r0J8E2QF013259: from=root, size=1312, class=0, nrcpts=1, msgid=<201301190814.r0J8E2QF013259(a)DellT7600.localdomain>, relay=root@localhost
Jan 19 03:14:02 DellT7600 sendmail[13262]: r0J8E2l5013262: from=<root(a)DellT7600.localdomain>, size=1586, class=0, nrcpts=1, msgid=<201301190814.r0J8E2QF013259(a)DellT7600.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan 19 03:14:02 DellT7600 sendmail[13259]: r0J8E2QF013259: to=jeandavid8, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31312, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (r0J8E2l5013262 Message accepted for delivery)
Jan 19 03:14:02 DellT7600 run-parts(/etc/cron.daily)[13266]: finished zBackup.daily
Then the entire /etc/cron.daily directory finished running under
run-parts. There is output to be mailed to me because there is set -x in
my script for debugging.
Jan 19 03:14:02 DellT7600 anacron[12982]: Job `cron.daily' terminated (mailing output)
Jan 19 03:14:02 DellT7600 sendmail[13263]: r0J8E2l5013262: to=<jeandavid8(a)DellT7600.localdomain>, ctladdr=<root(a)DellT7600.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31826, dsn=2.0.0, stat=Sent
Jan 19 03:14:02 DellT7600 sendmail[13267]: r0J8E2rG013267: from=root, size=2045, class=0, nrcpts=1, msgid=<201301190814.r0J8E2rG013267(a)DellT7600.localdomain>, relay=root@localhost
Jan 19 03:14:02 DellT7600 sendmail[13268]: r0J8E2pb013268: from=<root(a)DellT7600.localdomain>, size=2333, class=0, nrcpts=1, msgid=<201301190814.r0J8E2rG013267(a)DellT7600.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan 19 03:14:02 DellT7600 sendmail[13267]: r0J8E2rG013267: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=32045, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (r0J8E2pb013268 Message accepted for delivery)
Jan 19 03:14:02 DellT7600 anacron[12982]: Normal exit (1 job run)
Jan 19 03:14:02 DellT7600 sendmail[13269]: r0J8E2pb013268: to=jeandavid8, ctladdr=<root(a)DellT7600.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32569, dsn=2.0.0, stat=Sent
Now I will try to find the related stuff in /var/log/audit...
This is the last related entry that I can find. It is the failure from
yesterday. I cannot find anything about the success today.
type=AVC msg=audit(1358497393.637:38545): avc: denied { read } for pid=6812 comm="mailx" name="report.2013Jan180316" dev=sdb8 ino=525382 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=SYSCALL msg=audit(1358497393.637:38545): arch=c000003e syscall=21 success=no exit=-13 a0=7fff48054f22 a1=4 a2=7fff48054f22 a3=f items=0 ppid=6773 pid=6812 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=589 comm="mailx" exe="/bin/mailx" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
The set -x output from my script said (in part):
/etc/cron.daily/zBackup.daily:
+ id -a
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
+ /bin/env
+ /bin/mailx -s 'DellT7600 find|cpio Report' -a /var/log/Backups/report.2013Jan190307 jeandavid8
+ /bin/chmod 0664 /var/log/Backups/report.2013Jan190307
+ /bin/chgrp jeandavid8 /var/log/Backups/report.2013Jan190307
+ exit 0
And the /bin/env output is:
SHELL=/bin/sh
MAILTO=root
USER=root
PATH=/sbin:/bin:/usr/sbin:/usr/bin
PWD=/
HOME=/
SHLVL=6
START_HOURS_RANGE=3
LOGNAME=root
RANDOM_DELAY=45
_=/bin/env
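The message above asks whether the mymail1 module or the permissive domain fixed the denial. As an added example (not code from the thread or from the SELinux tools), the script below parses AVC denial records in audit.log format and the allow rules of a .te module, and reports which denied permissions the module leaves uncovered; a domain set permissive by semanage still logs such denials, so this is a way to judge the module on its own. The read denial mirrors the one quoted in the thread; the getattr denial is constructed sample input.

```python
import re

# Constructed sample input: the read denial from the thread plus a constructed
# getattr denial on the same file, to show a permission the module does not grant.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1358497393.637:38545): avc:  denied  { read } for  pid=6812 comm="mailx" name="report.2013Jan180316" dev=sdb8 ino=525382 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1358497393.637:38546): avc:  denied  { getattr } for  pid=6812 comm="mailx" name="report.2013Jan180316" dev=sdb8 ino=525382 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
"""

# The mymail1.te module as posted in the thread.
SAMPLE_TE = """\
module mymail1 1.0;
require {
    type cron_log_t;
    type system_mail_t;
    class file read;
}
allow system_mail_t cron_log_t:file read;
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)')
ALLOW_RE = re.compile(r'^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;', re.M)

def parse_avcs(audit_text):
    """Extract (source domain, target type, class, perms) from AVC denial records."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            # The type is the third field of a user:role:type[:range] context.
            denials.append((m['scontext'].split(':')[2], m['tcontext'].split(':')[2],
                            m['tclass'], frozenset(m['perms'].split())))
    return denials

def parse_allows(te_text):
    """Extract allow rules as (source, target, class, perms) from a .te file."""
    return [(s, t, c, frozenset(p.strip('{} ').split())) for s, t, c, p in ALLOW_RE.findall(te_text)]

def uncovered(denials, rules):
    """Denied (source, target, class, perm) tuples that no allow rule grants."""
    missing = set()
    for sdom, ttype, tclass, perms in denials:
        for perm in perms:
            if not any(r[:3] == (sdom, ttype, tclass) and perm in r[3] for r in rules):
                missing.add((sdom, ttype, tclass, perm))
    return missing

if __name__ == '__main__':
    print(sorted(uncovered(parse_avcs(SAMPLE_AUDIT), parse_allows(SAMPLE_TE))))
```

Run against a real audit.log and the .te file, an empty result means the module alone covers every logged denial for that domain.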