Mail from cron in Fedora 8
Paul Howarth
paul at city-fan.org
Fri Nov 9 10:55:43 UTC 2007

I have a cron job as follows:

# crontab -l -u softlib
45 4 * * * /softlib/scripts/updates-sync | Mail -s "Fedora updates subset mirror report" phowarth

The script runs reposync to pull in a subset of the updates repo, and I
have the output piped into Mail.

This has been trouble free up until I upgraded to F8, with
selinux-policy-3.0.8-44.fc8.

With SELinux in enforcing mode, the email I receive simply says
"/usr/sbin/sendmail: Permission denied".

I tried creating a local policy module as usual and ended up with this:

policy_module(localmisc, 0.0.7)

require {
        type system_mail_t;
        class netlink_route_socket { bind create getattr nlmsg_read read write };
}

#============= system_mail_t ==============
allow system_mail_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
unconfined_read_tmp_files(system_mail_t)

In permissive mode, this works, but in enforcing mode I just get the
usual "Permission denied" message. There are no more avcs in the audit
logs, but there is this:

type=SELINUX_ERR msg=audit(1194605105.159:168): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194605105.159:168): arch=40000003 syscall=11 success=no exit=-13 a0=805848b a1=9cf82b8 a2=bfcbf338 a3=9cf82b8 items=0 ppid=1537 pid=1550 auid=4294967295 uid=1502 gid=1502 euid=1502 suid=1502 fsuid=1502 egid=1502 sgid=1502 fsgid=1502 tty=(none) comm="Mail" exe="/bin/mail" subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 key=(null)

I thought there might be something dontaudited so I tried using
enableaudit.pp but the F8 policy doesn't include this. What's the method
for finding troublesome dontaudits that need to be allows in F8?

Paul.
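
Added example, not part of the original post: a small Python script that pairs each SELINUX_ERR "invalid context" record with the SYSCALL record sharing its audit event ID, which is where the failure shows up when, as here, no AVC is logged. The function names are this example's own; the sample input is the two records quoted above, unwrapped to one line each.

```python
import errno
import re
from collections import defaultdict

# Sample input: the two audit records from the post, unwrapped to one line each.
SAMPLE = """\
type=SELINUX_ERR msg=audit(1194605105.159:168): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194605105.159:168): arch=40000003 syscall=11 success=no exit=-13 a0=805848b a1=9cf82b8 a2=bfcbf338 a3=9cf82b8 items=0 ppid=1537 pid=1550 auid=4294967295 uid=1502 gid=1502 euid=1502 suid=1502 fsuid=1502 egid=1502 sgid=1502 fsgid=1502 tty=(none) comm="Mail" exe="/bin/mail" subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 key=(null)
"""

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
BAD_CTX = re.compile(r"invalid context (\S+)")


def group_events(text):
    """Return {event_id: {record_type: (fields, raw_body)}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, event_id, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
            events[event_id][rtype] = (fields, body)
    return events


def invalid_context_denials(text):
    """List events that carry an invalid-context SELINUX_ERR, with their syscall."""
    findings = []
    for event_id, recs in group_events(text).items():
        err, body = recs.get("SELINUX_ERR", ({}, ""))
        bad = BAD_CTX.search(body)
        if not bad:
            continue
        sc = recs.get("SYSCALL", ({}, ""))[0]
        _user, role, domain = bad.group(1).split(":")[:3]
        code = -int(sc.get("exit", "0"))
        findings.append({
            "event": event_id, "exe": sc.get("exe"),
            "errno": errno.errorcode.get(code),  # 13 -> EACCES ("Permission denied")
            "from": err.get("scontext"), "entrypoint": err.get("tcontext"),
            "role": role,      # role carried into the rejected context
            "domain": domain,  # type the transition computed
        })
    return findings


if __name__ == "__main__":
    print(invalid_context_denials(SAMPLE))
```

For the records above it reports a failed syscall from /bin/mail with EACCES and the role/type pair (unconfined_r, system_mail_t) taken from the rejected context.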