[DSE-User] wheezy backups running as system_u:system_r:crond_t
Gerald Turner
gturner at unzane.com
Wed May 8 17:29:01 UTC 2013
Hello, I need some advice please. I have a system which I've upgraded
from squeeze to wheezy; it runs a backup process from root's crontab.
Prior to the upgrade I'm pretty sure the process was unconfined, but
since the upgrade it's running as system_u:system_r:crond_t. There are
hundreds of denials, and it doesn't feel right allowing crond_t to read
everything.
# ls -Z /var/spool/cron/crontabs/root
unconfined_u:object_r:user_cron_spool_t:SystemLow /var/spool/cron/crontabs/root
# grep "avc:.*backup" /var/log/syslog.1 | head -n 1 | audit2why
May 8 03:12:14 shub-niggurath kernel: [135752.161009] type=1400 audit(1368007934.988:3023): avc: denied { getattr } for pid=7246 comm="rdiff-backup" path="/boot/config-3.2.0-4-amd64" dev=sda2 ino=393959 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
# grep "avc:.*backup" /var/log/syslog.1 | audit2allow -R -M example ; cat example.te
compilation failed:
make: /usr/share/selinux/devel/Makefile: No such file or directory
make: *** No rule to make target `/usr/share/selinux/devel/Makefile'. Stop.
# Module generated by "audit2allow -R" from the AVC denials quoted above.
# Every rule here widens crond_t itself, i.e. the cron daemon domain and any
# job that stays in it, not just the rdiff-backup process that triggered the
# denials. Review each rule before loading; the usual fix is to give the backup
# job its own domain (or restore the transition it had before the upgrade)
# rather than teaching crond_t to read everything.
# The build above failed only because the refpolicy development Makefile
# (/usr/share/selinux/devel/Makefile) is not installed; on Debian it comes
# from the policy development package (selinux-policy-dev, if memory serves),
# which is needed before this module can be compiled and loaded.
policy_module(example, 1.0)
# Every type and class named below must already exist in the loaded policy,
# otherwise the module fails to link at semodule time.
require {
type munin_log_t;
type httpd_sys_script_exec_t;
type uptimed_spool_t;
type syslogd_exec_t;
type postfix_virtual_exec_t;
type ntpd_exec_t;
type dhcp_state_t;
type groupadd_exec_t;
type fonts_cache_t;
type getty_exec_t;
type postfix_data_t;
type postfix_map_exec_t;
type admin_passwd_exec_t;
type sulogin_exec_t;
type modules_conf_t;
type ldconfig_cache_t;
type httpd_rotatelogs_exec_t;
type sshd_exec_t;
type fail2ban_exec_t;
type ntp_drift_t;
type semanage_exec_t;
type crond_t;
type ntpd_log_t;
type run_init_exec_t;
type restorecond_exec_t;
type postfix_smtpd_exec_t;
class dir { getattr read open };
class file { read getattr open };
}
#============= crond_t ==============
# Raw allow rules. Most are getattr on executables and config/data
# directories, consistent with the getattr denial shown for rdiff-backup
# above; the munin/ntpd log rules additionally grant read+open.
allow crond_t admin_passwd_exec_t:file getattr;
allow crond_t dhcp_state_t:dir { read getattr };
allow crond_t fail2ban_exec_t:file getattr;
allow crond_t fonts_cache_t:dir { read getattr open };
allow crond_t fonts_cache_t:file getattr;
allow crond_t getty_exec_t:file getattr;
allow crond_t groupadd_exec_t:file getattr;
allow crond_t httpd_rotatelogs_exec_t:file getattr;
allow crond_t httpd_sys_script_exec_t:dir { read getattr open };
allow crond_t ldconfig_cache_t:dir { read getattr open };
allow crond_t ldconfig_cache_t:file getattr;
allow crond_t modules_conf_t:dir read;
allow crond_t munin_log_t:file { read open };
allow crond_t ntp_drift_t:dir open;
allow crond_t ntp_drift_t:file getattr;
allow crond_t ntpd_exec_t:file getattr;
allow crond_t ntpd_log_t:file { read open };
allow crond_t postfix_data_t:dir { read getattr open };
allow crond_t postfix_data_t:file getattr;
allow crond_t postfix_map_exec_t:file getattr;
allow crond_t postfix_smtpd_exec_t:file getattr;
allow crond_t postfix_virtual_exec_t:file getattr;
allow crond_t restorecond_exec_t:file getattr;
allow crond_t run_init_exec_t:file getattr;
allow crond_t semanage_exec_t:file getattr;
allow crond_t sshd_exec_t:file getattr;
# Duplicate of the previous line; harmless, but audit2allow emitted it twice.
allow crond_t sshd_exec_t:file getattr;
allow crond_t sulogin_exec_t:file getattr;
allow crond_t syslogd_exec_t:file getattr;
allow crond_t uptimed_spool_t:file getattr;
# Interface calls picked by -R to cover the remaining denials. An interface is
# chosen because it covers the denied permission, so several grant noticeably
# more than the denial that triggered them and deserve particular scrutiny:
# files_relabelfrom_boot_files presumably matched the boot_t getattr above,
# but by its name also permits relabelling boot files; seutil_exec_newrole,
# seutil_exec_restorecon and netutils_exec let the cron daemon domain execute
# SELinux management and network tools; ssh_read_user_home_files and the
# userdom_* calls expose user home content (by name, including SSH material)
# to crond_t as a whole. Verify each against the actual denial it was meant
# to satisfy before accepting it.
auth_read_lastlog(crond_t)
files_list_isid_type_dirs(crond_t)
files_list_mnt(crond_t)
files_read_var_lib_symlinks(crond_t)
files_relabelfrom_boot_files(crond_t)
miscfiles_read_hwdata(crond_t)
munin_read_config(crond_t)
netutils_exec(crond_t)
seutil_exec_newrole(crond_t)
seutil_exec_restorecon(crond_t)
ssh_read_user_home_files(crond_t)
sysnet_read_dhcp_config(crond_t)
userdom_list_user_home_content(crond_t)
userdom_read_user_home_content_symlinks(crond_t)
--
Gerald Turner Email: gturner at unzane.com JID: gturner at unzane.com
GPG: 0xFA8CD6D5 21D9 B2E8 7FE7 F19E 5F7D 4D0C 3FA0 810F FA8C D6D5