On 5/11/20 3:19 PM, Robert Moskowitz wrote:
> On 5/11/20 9:04 AM, Lukas Vrabec wrote:
>> On 5/11/20 2:23 PM, Robert Moskowitz wrote:
>>> A little background first.
>>>
>>> This is for Fedora 32 workstation which does not come with a default MTA
>>> and thus there is a slight challenge (ahem) getting CRON's output into
>>> the local mailstore. I don't want to install an MTA (leave why for the
>>> Fedora users list to discuss) and "procmail -f cron" leaves out a DATE
>>> header. So I wrote my own little script that I put in /usr/local/mycron
>>> that takes the output from cron and appends the proper content to
>>> /var/spool/mail/$USER.
>>>
>>> Works fine for my personal crontab, but has selinux problems for
>>> logwatch running as root (and probably any other cron task running as
>>> root).
>>>
>>> So I first got told by selinux troubleshooting that I needed:
>>>
>>> ausearch -c 'mycron' --raw | audit2allow -M my-mycron
>>> semodule -X 300 -i my-mycron.pp
>>>
>>> Which I did. Then after this night's run of logwatch, I see that I have
>>> the selinux troubleshoot icon, but when I look, it is empty? So I grep
>>> messages for logwatch, then grep the time it was running and found the
>>> following:
>>>
>>> May 11 03:43:19 lx140e setroubleshoot[121345]: SELinux is preventing mycron from add_name access on the directory root. For complete SELinux messages run: sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
>>> May 11 03:43:19 lx140e python3[121345]: SELinux is preventing mycron from add_name access on the directory root.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that mycron should be allowed add_name access on the root directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'mycron' --raw | audit2allow -M my-mycron#012# semodule -X 300 -i my-mycron.pp#012
>>> May 11 03:43:23 lx140e systemd[1]: dbus-:1.1-org.fedoraproject.Setroubleshootd@15.service: Succeeded.
>>>
>>> So it looks like now I am told to run:
>>>
>>> ausearch -c 'mycron' --raw | audit2allow -M my-mycron
>>> semodule -X 300 -i my-mycron.pp
>>>
>>> Wait, that is the same as I ran earlier? And why did I have to grep
>>> messages to find these?
>>>
>> Hi,
>>
>> Could you please share output of this command:
>>
>> # sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
>
> # sealert -l 8eb93a73-c7ff-42ec-bee1-594d77540808
> Error
> query_alerts error (1003): id (8eb93a73-c7ff-42ec-bee1-594d77540808) not found
>
> And from the first selinux alert:
>
> # sealert -l d05d8373-fae7-447e-b45a-74940959809e
> Error
> query_alerts error (1003): id (d05d8373-fae7-447e-b45a-74940959809e) not found
>
> I viewed the alerts with the SELinux troubleshooter, but I did NOT tell
> it to delete the alert :(

No problem, are you able to reproduce it? If yes, please do and then attach:

# ausearch -m AVC,USER_AVC -ts today

Thanks,
Lukas.

>> Then we can help you,
>> Thanks,
>> Lukas.
>>
>>> Now I did update mycron in between. Will I have to run this every time
>>> I update mycron? How do I make it permanent? Also right now there is
>>> no /var/spool/mail/root mbox file.
>>>
>>> thanks
--
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
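Before piping audit records into audit2allow, as the setroubleshoot message in the thread suggests, it helps to see exactly which source domain, target type, object class and permissions the denials cover, because audit2allow turns every denial it is given into an allow rule. The POSIX sh + awk function below is an added example and is not code from the thread or from the SELinux tools: it summarises raw AVC records (the kind "ausearch -m AVC,USER_AVC -ts today" prints) into one line per domain/target/class group. The three sample records are constructed; the type names example_cron_t and example_spool_t, the PID and the timestamps are placeholders, not labels from the poster's system.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SELinux tools: summarise
# raw AVC denial records (as printed by "ausearch -m AVC,USER_AVC -ts today")
# into one line per source domain / target type / object class, listing the
# permissions that were denied. That is the set of allow rules
# "audit2allow -M" would generate from the same input, so review it first.

# Constructed sample records. Type names (example_cron_t, example_spool_t),
# the PID and the timestamps are placeholders, not values from the thread.
SAMPLE_AVCS='type=AVC msg=audit(1589161399.123:4567): avc:  denied  { add_name } for  pid=12345 comm="mycron" name="root" scontext=system_u:system_r:example_cron_t:s0 tcontext=system_u:object_r:example_spool_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1589161399.124:4568): avc:  denied  { create } for  pid=12345 comm="mycron" name="root" scontext=system_u:system_r:example_cron_t:s0 tcontext=system_u:object_r:example_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1589161399.125:4569): avc:  denied  { write } for  pid=12345 comm="mycron" name="root" scontext=system_u:system_r:example_cron_t:s0 tcontext=system_u:object_r:example_spool_t:s0 tclass=file permissive=0'

# Reads AVC records on stdin, prints "src -> tgt class: perm perm ..." per
# group, in first-seen order, each permission listed once.
summarize_avcs() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*\{ */, "", perms)      # drop everything up to "{ "
        sub(/ *\}.*/, "", perms)      # drop " }" and the rest of the line
        src = tgt = cls = "?"
        for (i = 1; i <= NF; i++) {
            # context fields look like user_u:role_r:type_t:s0; keep the type
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src " -> " tgt " " cls
        if (!(key in seen_key)) { seen_key[key] = 1; order[++nkeys] = key }
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) {
            if (!((key, p[j]) in seen_perm)) {
                seen_perm[key, p[j]] = 1
                plist[key] = (plist[key] == "" ? p[j] : (plist[key] " " p[j]))
            }
        }
    }
    END { for (k = 1; k <= nkeys; k++) print order[k] ": " plist[order[k]] }
    '
}

# Number of distinct (domain, type, class) groups on stdin: a quick size
# check on how much a generated module would open up.
count_avc_groups() {
    summarize_avcs | wc -l | tr -d ' '
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs
```

On a live system the same function is fed from the command Lukas asks for: `ausearch -m AVC,USER_AVC -ts today | summarize_avcs`. If the summary shows a domain or target type you did not expect (a broad target such as a system directory rather than the mail spool, or more classes than the script should touch), that is the point to fix labels or the script rather than install the catch-all module.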
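The first poster's mycron script itself is not on the page. The shell function below is an added example of the approach he describes (take cron's output on stdin and append it to the user's mbox with a proper Date: header) and is not his script; the mailbox path, sender name and subject are parameters I chose so it can be exercised against a temporary file. It also creates the mailbox when it does not yet exist, the situation he mentions for /var/spool/mail/root, and quotes body lines that begin with "From " so a mail reader does not mistake them for a message separator.

```shell
#!/bin/sh
# Added example, not the script from the thread: append text read on stdin to
# an mbox file with the headers a mail reader expects, including a Date: header.
# Parameters (my choice, so the function can be tested against a temp file):
#   $1 mailbox path, $2 envelope sender (default "cron"), $3 Subject: line.
#
# Intended use from a crontab entry:
#   some_job 2>&1 | deliver_to_mbox /var/spool/mail/"$USER" cron "some_job output"

deliver_to_mbox() {
    mbox=$1
    sender=${2:-cron}
    subject=${3:-cron output}
    # The mbox "From " separator uses ctime()-style: "Mon May 11 03:43:19 2020"
    sep_date=$(date '+%a %b %e %H:%M:%S %Y')
    # Date: header in RFC 5322 form: "Mon, 11 May 2020 03:43:19 -0400"
    hdr_date=$(date '+%a, %d %b %Y %H:%M:%S %z')

    # Create the mailbox if it is missing (e.g. no /var/spool/mail/root yet),
    # readable only by its owner.
    if [ ! -e "$mbox" ]; then
        ( umask 077 && : > "$mbox" ) || return 1
    fi

    {
        # Messages in an mbox are separated by a blank line; only emit one
        # when the file already holds a message.
        [ -s "$mbox" ] && printf '\n'
        printf 'From %s %s\n' "$sender" "$sep_date"
        printf 'From: %s\nTo: %s\nSubject: %s\nDate: %s\n\n' \
            "$sender" "${USER:-root}" "$subject" "$hdr_date"
        # mboxo quoting: a body line starting with "From " would otherwise be
        # read as the start of a new message.
        sed 's/^From />From /'
        printf '\n'
    } >> "$mbox"
}

# Number of messages in an mbox: one "From " separator line per message
# (header lines such as "From: cron" do not match, the space is required).
mbox_count() {
    [ -e "$1" ] || { printf '0\n'; return; }
    grep -c '^From ' "$1" || :
}
```

Whether the script is then allowed to write to the spool as root is a separate question from its content: the AVC records name the process domain and the label of the directory and file being written, and those, not the script's own path, decide which rules a policy module needs.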