Bug 224328 - anacron fails under FC6/SELinux/strict
Summary: anacron fails under FC6/SELinux/strict
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-01-25 10:03 UTC by Ted Rule
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-08-22 14:12:03 UTC



Description Ted Rule 2007-01-25 10:03:33 UTC
Description of problem:

The default policy under FC6/SELinux/strict (2.4.6-27) doesn't allow for the correct operation of anacron.

This is mainly because anacron itself, unlike crond, doesn't internally setexeccon from crond_t to system_crond_t before launching its child jobs. Under targeted policy, crond_t and system_crond_t are aliases for each other, and therefore I presume the problem doesn't arise. Because of this, anacron's child jobs are launched in crond_t, which doesn't have the correct permissions to run most of the standard jobs in /etc/cron.daily, in particular logrotate and logwatch.

As a workaround, therefore, I've re-created the anacron_exec_t type and created an additional policy module for anacron's needs. This basically involves making initrc_t transition to system_crond_t when launching anacron, granting system_crond_t some permissions which crond_t already has, and allowing system_crond_t to run anacron_exec_t itself so as to update anacron's timestamp files in /var/spool/anacron.

I suspect that the better solution for the overall problem may be to recode anacron to perform the same setexeccon() call which crond uses; some additional problems I've found with crond's interaction with sendmail meant that I found it quicker to patch the SELinux policy for the present.

Hence my revised anacron policy is now the following, together with the manual relabelling of /usr/sbin/anacron itself to anacron_exec_t. I would suggest that these patches be merged into the existing cron.fc/cron.te.


cat /root/selinux.local/localanacron.fc

# anacrond executable will have:
# label: system_u:object_r:anacron_exec_t
# MLS sensitivity: s0
# MCS categories: <none>

# We can't easily override the /usr/sbin/anacron setting in Fedora policy,
# so we create a clone binary and label it as anacron_exec_t
/usr/sbin/anacrond              --      gen_context(system_u:object_r:anacron_exec_t,s0)

# The latest 2.4.6-23 policy already contains this:
#/var/lock/subsys/anacron       --      gen_context(system_u:object_r:cron_lock_t,s0)

# The latest 2.4.6-23 policy already contains this:
#/var/spool/anacron(/.*)?               gen_context(system_u:object_r:cron_spool_t,s0)



cat /root/selinux.local/localanacron.te

policy_module(localanacron,0.1.2)

require {
        type system_crond_t;
        type system_crond_lock_t;
        type cron_spool_t;
        type crond_var_run_t;
}

########################################
#
# Anacron local policy
#

type anacron_exec_t;
corecmd_executable_file(anacron_exec_t)

# anacron transitions directly to system_crond_t,
# rather than crond_t, because it doesn't currently
# perform a setexeccon internally
init_daemon_domain(system_crond_t,anacron_exec_t)

# Additional permissions for system_crond_t / anacron under
# strict, when system_crond_t != crond_t
ifdef(`strict_policy',`
        # Allow anacron to update spool files in /var/spool/anacron
        allow system_crond_t cron_spool_t:file create_file_perms;

        # Allow anacron to write to /var/run/anacron.pid
        allow system_crond_t crond_var_run_t:file create_file_perms;
        files_pid_filetrans(system_crond_t,crond_var_run_t,file)

        # Allow anacron to handle creation of files in the
        # /var/lock directory. (anacron)
        allow system_crond_t system_crond_lock_t:file manage_file_perms;
        files_lock_filetrans(system_crond_t,system_crond_lock_t,file)

        # Allow system_crond_t to run anacron so as to update /var/spool/anacron
        # timestamp files
        can_exec(system_crond_t, anacron_exec_t)
')




Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
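
A check for the failure mode described in the report above, added here as an example; it is not part of the bug report or of the selinux-policy package. The `ps -eZ` output and audit.log AVC lines in it are constructed samples, not captured from an FC6 host; only the domain names (crond_t, system_crond_t) and the job names (logrotate, logwatch) come from the report. It flags cron job processes that never left crond_t and groups the AVC denials those jobs generated, which is how a practitioner would confirm the missing transition before touching policy:

```python
"""Check whether cron jobs run in the expected SELinux domain.

Added example: not from the bug report or from the selinux-policy package.
The `ps -eZ` output and audit.log lines below are constructed samples, not
captured from a real host; only the domain names come from the report.
"""
import re

# Constructed `ps -eZ` output: anacron's children (run-parts, logrotate)
# are stuck in crond_t, while a job spawned by crond is in system_crond_t.
SAMPLE_PS = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:crond_t        1234 ?        00:00:00 anacron
system_u:system_r:crond_t        1240 ?        00:00:00 run-parts
system_u:system_r:crond_t        1241 ?        00:00:00 logrotate
system_u:system_r:crond_t        1250 ?        00:00:00 crond
system_u:system_r:system_crond_t 1260 ?        00:00:00 logwatch
"""

# Constructed `ps -eZ` output after the workaround in the report: anacron
# and its jobs run in system_crond_t, only crond itself stays in crond_t.
SAMPLE_PS_FIXED = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:system_crond_t 1234 ?        00:00:00 anacron
system_u:system_r:system_crond_t 1240 ?        00:00:00 run-parts
system_u:system_r:system_crond_t 1241 ?        00:00:00 logrotate
system_u:system_r:crond_t        1250 ?        00:00:00 crond
"""

# Constructed audit.log AVC lines; the last one is crond itself and must
# not be counted as a mis-routed job.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1169719200.123:45): avc:  denied  { read } for  pid=1241 comm="logrotate" name="logrotate.conf" dev=dm-0 ino=12345 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1169719201.456:46): avc:  denied  { write } for  pid=1241 comm="logrotate" name="logrotate.status" dev=dm-0 ino=12346 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1169719300.789:47): avc:  denied  { execute } for  pid=1243 comm="run-parts" name="0logwatch" dev=dm-0 ino=12347 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1169719400.000:48): avc:  denied  { write } for  pid=1250 comm="crond" name="cron.pid" dev=dm-0 ino=12348 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
"""

DAEMON_DOMAIN = "crond_t"            # domain crond (and, wrongly, anacron) runs in
JOB_DOMAIN = "system_crond_t"        # domain system cron jobs should run in
DAEMONS = ("crond", "anacron")       # processes legitimately in crond_t

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of an SELinux context user:role:type[:mls]."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    return parts[2]


def parse_ps_z(ps_output):
    """Parse `ps -eZ` lines into (pid, command, domain type) tuples."""
    procs = []
    for line in ps_output.splitlines():
        if not line.strip() or line.startswith("LABEL"):
            continue
        ctx, pid, _tty, _time, cmd = line.split(None, 4)
        procs.append((int(pid), cmd, context_type(ctx)))
    return procs


def jobs_in_wrong_domain(ps_output):
    """Jobs still in crond_t, i.e. children that missed the transition to
    system_crond_t. Under targeted policy the two domains are aliases, so
    this check only says anything under strict."""
    return [(pid, cmd, dom) for pid, cmd, dom in parse_ps_z(ps_output)
            if dom == DAEMON_DOMAIN and cmd not in DAEMONS]


def summarise_denials(audit_text):
    """Map (source domain type, comm) -> set of denied permissions."""
    summary = {}
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m.group("scontext")), m.group("comm"))
        summary.setdefault(key, set()).update(m.group("perms").split())
    return summary


def misrouted_job_denials(audit_text):
    """Denials generated by jobs running as crond_t (not by the daemons)."""
    return {k: v for k, v in summarise_denials(audit_text).items()
            if k[0] == DAEMON_DOMAIN and k[1] not in DAEMONS}


if __name__ == "__main__":
    for pid, cmd, dom in jobs_in_wrong_domain(SAMPLE_PS):
        print("pid %d (%s) runs in %s, expected %s" % (pid, cmd, dom, JOB_DOMAIN))
    for (dom, comm), perms in sorted(misrouted_job_denials(SAMPLE_AUDIT).items()):
        print("%s as %s denied: %s" % (comm, dom, " ".join(sorted(perms))))
```

On a live host the inputs would be the output of `ps -eZ` and the AVC records from `ausearch -m avc` (or /var/log/audit/audit.log); any job listed by `jobs_in_wrong_domain` is one the reporter's policy module, or a setexeccon() call in anacron, is meant to move into system_crond_t.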

Comment 1 Daniel Walsh 2007-07-16 20:23:52 UTC
Should be fixed in the current release.

Comment 2 Daniel Walsh 2007-08-22 14:12:03 UTC
Fixed in current release

