cron issues with bash source (UNCLASSIFIED)

Shaw, Ray V CTR USARMY ARL (US) ray.v.shaw.ctr at mail.mil
Thu Aug 14 13:17:20 UTC 2014 

Classification: UNCLASSIFIED
Caveats: NONE

Background info: running RHEL6 with the latest updates, so selinux-policy-targeted-3.7.19-231.el6_5.3.noarch.

When moving from Permissive to Enforcing, two scripts in /etc/cron.daily that use the bash "." operator to include a functions file can no longer do so.  The functions file sets $PATH and other environment variables, so subsequent commands in the scripts fail.

Interestingly, when run out of root's crontab, the scripts work just fine.  The context when doing that (gathered by placing id -Z in the script) is:

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Not sure why; the script itself isn't unlabeled:

bash-4.1# ls -lZ /usr/local/sbin/puppet-state
-rwx------. root root system_u:object_r:bin_t:s0       /usr/local/sbin/puppet-state

When run from /etc/cron.daily (or cron.hourly, where I placed a copy for faster testing), the context is:

system_u:system_r:system_cronjob_t:s0-s0:c0.c1023

bash-4.1# ls -lZ /etc/cron.hourly/puppet-state
-rwx------. root root system_u:object_r:bin_t:s0       /etc/cron.hourly/puppet-state

The exact command in question it's failing to run is:

. /opt/puppet/scripts/functions

Which is labeled thusly:

bash-4.1# ls -lZ /opt/puppet/scripts/functions
-r-x------. root root unconfined_u:object_r:usr_t:s0   /opt/puppet/scripts/functions

In either Enforcing or Permissive, I wasn't seeing anything that looked relevant, so I ran semodule -DB.  This is the only thing cron-related, but (and I'm not very experienced with SELinux, so maybe I'm missing something) that doesn't seem like it:

bash-4.1# cat /var/log/audit/audit.log-20140814 | grep cron | audit2allow -w
type=AVC msg=audit(1407915503.212:155119): avc:  denied  { rlimitinh } for  pid=26239 comm="prelink" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tclass=process

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1407915503.212:155119): avc:  denied  { siginh } for  pid=26239 comm="prelink" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tclass=process

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

I suppose we could run them out of root's crontab, but they're easier to manage in cron.daily, and I'd like to solve the problem.  Any assistance is greatly appreciated.  A search of the list archives didn't turn up this issue; sorry if I've missed it.

--
Ray Shaw (Contractor, STG)
Army Research Laboratory

Classification: UNCLASSIFIED
Caveats: NONE

More information about the selinux mailing list