On Sat, 2009-07-04 at 05:44 -0700, Vadym Chepkov wrote:
Thank you
Every single daemon out there was choking, just a few:
type=AVC msg=audit(1246707387.606:8922): avc: denied { connectto } for pid=1313
comm="dovecot-auth" path="/var/run/winbindd/pipe"
scontext=unconfined_u:system_r:dovecot_auth_t:s0
tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707463.608:8931): avc: denied { connectto } for pid=6828
comm="sendmail" path="/var/run/winbindd/pipe"
scontext=unconfined_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707468.105:8932): avc: denied { connectto } for pid=6841
comm="procmail" path="/var/run/winbindd/pipe"
scontext=unconfined_u:system_r:procmail_t:s0
tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707508.622:8935): avc: denied { connectto } for pid=6847
comm="sendmail" path="/var/run/winbindd/pipe"
scontext=unconfined_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707508.629:8936): avc: denied { connectto } for pid=6851
comm="dbus-daemon-lau" path="/var/run/winbindd/pipe"
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707632.720:8963): avc: denied { connectto } for pid=7855
comm="pop3" path="/var/run/winbindd/pipe"
scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0
tclass=unix_stream_socket
type=AVC msg=audit(1246707632.732:8964): avc: denied { connectto } for pid=7857
comm="dbus-daemon-lau" path="/var/run/winbindd/pipe"
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
Sincerely yours,
Vadym Chepkov
You need to run winbind in the winbind_t domain.
1. create a policy for your cronjob script.
2. make it so that system_cronjob_t transitions to the domain of your
cronjob script.
3. make your cronjob script domain auto transition to winbind_t
It is not so simple to make his work properly the way cron is currently
configured in SELinux.
I can help you make a policy though but i would need some info
1. where is the cron script located (/path/name)
2. whats ur distro
3. what is the type of winbind executable? ls -alZ /path/to/winbind
Here is an example for a backup cron script i made earlier:
http://desktop1/~dgrift/stuff/modules/backupdgrift.te
http://desktop1/~dgrift/stuff/modules/backupdgrift.if
http://desktop1/~dgrift/stuff/modules/backupdgrift.fc
--- On Sat, 7/4/09, Dominick Grift <domg472(a)gmail.com> wrote:
> From: Dominick Grift <domg472(a)gmail.com>
> Subject: Re: Domain transition missing
> To: "Vadym Chepkov" <chepkov(a)yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> Date: Saturday, July 4, 2009, 8:38 AM
> On Sat, 2009-07-04 at 05:11 -0700,
> Vadym Chepkov wrote:
> > Hi,
> >
> > Last night I got a nasty surprise from selinux. I am
> using winbind for external authentication and since it has
> history of failures I have a simple watchdog implemented to
> check the status and restart it if necessary. That is
> what happened last night and as a law abiding selinux
> citizen I used 'service winbind restart', but it seems the
> proper domain transitions is missing and winbind was started
> in system_cronjob_t domain instead of winbind_t and none of
> other domains could connect to it.
> >
> > I think jobs running from cron should be granted the
> same transition rules as from unconfined_t.
> >
> > I will file bugzilla report about it, but could
> somebody help me with modifying my local policy until/if it
> gets implemented, please? Thank you.
> >
> > Sincerely yours,
> > Vadym Chepkov
>
> A domain transition would be:
>
> policy_module(mywinbind, 0.0.1)
>
> require { type system_cronjob_t, winbind_exec_t, winbind_t;
> }
> domain_auto_trans(system_cronjob_t, winbind_exec_t,
> winbind_t)
>
> Can you show us the full raw avc denial?
>
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list(a)redhat.com
> >
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>