ping

Alexey Tarasov glorg at bk.ru
Thu Dec 22 07:08:35 UTC 2005 

Russell Coker wrote:

>On Tuesday 20 December 2005 18:29, Alexey Tarasov <glorg at bk.ru> wrote:
>  
>
>>Problem 2.
>>ping is called by bash script, executed by cron with root rights (comand
>>line: ping -c 1 -w 5 > /dev/null )
>>
>>---
>>type=AVC msg=audit(1133295301.930:2739): avc:  denied  { write } for
>>pid=30341 comm="ping" name="[56893]" dev=pipefs ino=56893
>>scontext=root:system_r:ping_t:s0 tcontext=system_u:system_r:crond_t:s0
>>tclass=fifo_file
>>type=AVC msg=audit(1133295301.930:2739): avc:  denied  { read } for
>>pid=30341 comm="ping" name="[56892]" dev=pipefs ino=56892
>>scontext=root:system_r:ping_t:s0 tcontext=system_u:system_r:crond_t:s0
>>tclass=fifo_file
>>    
>>
>
>allow domain crond_t:fifo_file rw_file_perms;
>
>An obvious solution to this would be to grant permissions somewhat equivalent 
>to the above (actually we would not grant that, but it would creep towards it 
>over time).  But that sort of thing isn't what we really desire.
>
>I'm wondering whether the design of cron is ideal in this regard.  Maybe it 
>would be better if the functionality of collecting output and sending the 
>email would be better performed after dropping privs.  It would be easy 
>enough to write a little program that spawns a program, collects it's output, 
>and then email's such output (if any) to a specified address and then have 
>cron call such a program.  This would result in reducing the amount of code 
>in the cron daemon (IE reducing the amount of code running with significant 
>privs that can break the entire system if it is compromised), providing a 
>neat email utility that can be used for other purposes, and making the SE 
>Linux policy cleaner at the same time.
>
>What do you think of this idea? 
>  
>
I'm really don't care who will collect output of executed program. 
Anyway, I may run own mail-agent to send this data.
IMHO, collecting output data by crond is feature, that may be 
implemented in other way. This task is not really task of crond, which 
must only run progams at choosen time.
As for me,  I prefer set of programs with small functionality, flexible 
to configure, than big universal programs.

>PS  Please write two emails about two problems with two different subjects in 
>future.
>  
>
Ok, my fault. I've notice this behaviour of ping while was writing 
script for manual starting sendmail, not from init.

More information about the selinux mailing list