Thank you
Every single daemon out there was choking, just a few:
type=AVC msg=audit(1246707387.606:8922): avc: denied { connectto } for pid=1313 comm="dovecot-auth" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707463.608:8931): avc: denied { connectto } for pid=6828 comm="sendmail" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707468.105:8932): avc: denied { connectto } for pid=6841 comm="procmail" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:procmail_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707508.622:8935): avc: denied { connectto } for pid=6847 comm="sendmail" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707508.629:8936): avc: denied { connectto } for pid=6851 comm="dbus-daemon-lau" path="/var/run/winbindd/pipe" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707632.720:8963): avc: denied { connectto } for pid=7855 comm="pop3" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707632.732:8964): avc: denied { connectto } for pid=7857 comm="dbus-daemon-lau" path="/var/run/winbindd/pipe" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
Sincerely yours, Vadym Chepkov
--- On Sat, 7/4/09, Dominick Grift domg472@gmail.com wrote:
From: Dominick Grift domg472@gmail.com
Subject: Re: Domain transition missing
To: "Vadym Chepkov" chepkov@yahoo.com
Cc: "Fedora SELinux" fedora-selinux-list@redhat.com
Date: Saturday, July 4, 2009, 8:38 AM
On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
Hi,
Last night I got a nasty surprise from SELinux. I am using winbind for external authentication and since it has a history of failures I have a simple watchdog implemented to check the status and restart it if necessary. That is what happened last night and, as a law-abiding SELinux citizen, I used 'service winbind restart', but it seems the proper domain transition is missing and winbind was started in the system_cronjob_t domain instead of winbind_t, and none of the other domains could connect to it.
I think jobs running from cron should be granted the same transition rules as from unconfined_t.
I will file a bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
Sincerely yours, Vadym Chepkov
A domain transition would be:
policy_module(mywinbind, 0.0.1)

require {
    type system_cronjob_t, winbind_exec_t, winbind_t;
}

domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
Can you show us the full raw avc denial?
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Sat, 2009-07-04 at 05:44 -0700, Vadym Chepkov wrote:
You need to run winbind in the winbind_t domain.
1. Create a policy for your cronjob script.
2. Make it so that system_cronjob_t transitions to the domain of your cronjob script.
3. Make your cronjob script domain auto-transition to winbind_t.
It is not so simple to make this work properly the way cron is currently configured in SELinux.
I can help you make a policy, though, but I would need some info:
1. Where is the cron script located? (/path/name)
2. What's your distro?
3. What is the type of the winbind executable? ls -alZ /path/to/winbind
Here is an example for a backup cron script I made earlier:
http://desktop1/~dgrift/stuff/modules/backupdgrift.te
http://desktop1/~dgrift/stuff/modules/backupdgrift.if
http://desktop1/~dgrift/stuff/modules/backupdgrift.fc
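The three-step approach in the reply above, together with the single-transition module quoted earlier (domain_auto_trans straight from system_cronjob_t to winbind_t), worked through as an added example that is not part of the original thread: a shell script that generates the .te and .fc for a private watchdog domain, builds and loads the module, and confirms both transitions with sesearch. The script path /usr/local/sbin/winbind-watchdog, the module and domain names winbind_watchdog, winbind_watchdog_t and winbind_watchdog_exec_t, and the assumption that the watchdog restarts winbind by executing the winbindd binary from its own domain are mine; system_cronjob_t, winbind_t and winbind_exec_t are the refpolicy types named in the thread, and application_domain, corecmd_exec_*, samba_stream_connect_winbind and logging_send_syslog_msg are standard refpolicy interfaces. The avc_pairs filter at the end reads the raw denials posted above and prints source-type/target-type pairs: every pair ends in system_cronjob_t, which is the tell that the daemon is mislabelled, so feeding these denials to audit2allow would produce an allow rule letting every mail daemon connect to a cron job's socket instead of the missing transition.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds an SELinux module
# for a winbind watchdog that runs from cron, so that winbindd ends up in
# winbind_t instead of system_cronjob_t.
#
# Assumed (not in the original post): the script path, and the names
# winbind_watchdog, winbind_watchdog_t, winbind_watchdog_exec_t.
MODULE=winbind_watchdog
SCRIPT=/usr/local/sbin/winbind-watchdog

# Type enforcement source. Step 1 declares the script's own domain, step 2
# and step 3 are the two domain_auto_trans lines.
gen_te() {
cat <<'EOF'
policy_module(winbind_watchdog, 0.0.1)

gen_require(`
    role system_r;
    type system_cronjob_t;
    type winbind_t, winbind_exec_t;
')

# Step 1: a domain for the watchdog and an entrypoint type for its file.
type winbind_watchdog_t;
type winbind_watchdog_exec_t;
application_domain(winbind_watchdog_t, winbind_watchdog_exec_t)
role system_r types winbind_watchdog_t;

# Step 2: system cron jobs that execute the script land in its domain.
domain_auto_trans(system_cronjob_t, winbind_watchdog_exec_t, winbind_watchdog_t)

# Step 3: the script executing winbindd lands in winbind_t, so the daemon
# creates /var/run/winbindd/pipe under a label the other domains may
# connectto. Assumes the watchdog execs the winbindd binary itself; if it
# runs the init script instead, the script domain also needs to execute
# initrc files in its own domain (not shown here).
domain_auto_trans(winbind_watchdog_t, winbind_exec_t, winbind_t)

# What the watchdog itself needs: a shell, ordinary binaries, the winbind
# pipe for its health probe (e.g. wbinfo -p), and syslog for reporting.
corecmd_exec_shell(winbind_watchdog_t)
corecmd_exec_bin(winbind_watchdog_t)
samba_stream_connect_winbind(winbind_watchdog_t)
logging_send_syslog_msg(winbind_watchdog_t)
EOF
}

# File context so restorecon labels the script with the entrypoint type.
gen_fc() {
    printf '%s\t--\tgen_context(system_u:object_r:winbind_watchdog_exec_t,s0)\n' "$SCRIPT"
}

# Build with the refpolicy devel Makefile (selinux-policy-devel), load, relabel.
install_module() {
    gen_te > "$MODULE.te"
    gen_fc > "$MODULE.fc"
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$MODULE.pp"
    restorecon -v "$SCRIPT"
}

# Both type_transition rules must be present in the loaded policy; after the
# next cron-triggered restart, ps -eZ should show winbindd in winbind_t.
verify_transitions() {
    sesearch -T -s system_cronjob_t -t winbind_watchdog_exec_t -c process
    sesearch -T -s winbind_watchdog_t -t winbind_exec_t -c process
}

# Triage helper: reads raw AVC lines on stdin and prints
# "source_type -> target_type". With the denials from the thread every
# line ends in system_cronjob_t: a labelling problem, not a missing allow.
avc_pairs() {
    sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1 -> \2/p'
}

case "${1:-}" in
    install) install_module ;;
    verify)  verify_transitions ;;
esac
```

Run it as `sh winbind_watchdog.sh install` on the host, then `sh winbind_watchdog.sh verify`; to triage a fresh set of denials, pipe `ausearch -m avc` output through `avc_pairs`. The watchdog domain is deliberately tight: it can reach the winbind pipe and run binaries, nothing more, so a compromised or runaway watchdog does not inherit the broad reach of system_cronjob_t.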