[DSE-User] wheezy backups running as system_u:system_r:crond_t

Gerald Turner gturner at unzane.com
Wed May 8 17:29:01 UTC 2013


Hello, I need some advice please.  I have a system which I've upgraded
from squeeze to wheezy; it runs a backup process from root's crontab.
Prior to the upgrade I'm pretty sure the process was unconfined, but
since the upgrade it's running as system_u:system_r:crond_t.  There are
hundreds of denials and it doesn't feel right allowing crond_t to read
everything.

  # ls -Z /var/spool/cron/crontabs/root
  unconfined_u:object_r:user_cron_spool_t:SystemLow /var/spool/cron/crontabs/root

  # grep "avc:.*backup" /var/log/syslog.1 | head -n 1 | audit2why
  May  8 03:12:14 shub-niggurath kernel: [135752.161009] type=1400 audit(1368007934.988:3023): avc:  denied  { getattr } for  pid=7246 comm="rdiff-backup" path="/boot/config-3.2.0-4-amd64" dev=sda2 ino=393959 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=file

  Was caused by:
    Missing type enforcement (TE) allow rule.

    You can use audit2allow to generate a loadable module to allow this access.

  # grep "avc:.*backup" /var/log/syslog.1 | audit2allow -R -M example ; cat example.te
  compilation failed:
  make: /usr/share/selinux/devel/Makefile: No such file or directory
  make: *** No rule to make target `/usr/share/selinux/devel/Makefile'.  Stop.

  # Type-enforcement module emitted by `audit2allow -R -M example` from the
  # crond_t denials grepped out of /var/log/syslog.1. The `-M` build step
  # failed (no /usr/share/selinux/devel/Makefile), so only the generated .te
  # is shown here, not a loadable .pp.
  # NOTE(review): every rule below is granted to crond_t itself, so loading
  # this module widens *every* job cron runs on the host, not only the backup.
  # The crontab is labelled unconfined_u:object_r:user_cron_spool_t while the
  # job ends up in system_u:system_r:crond_t, which looks more like a missing
  # domain transition than missing permissions — confirm that before allowing
  # any of this.
  policy_module(example, 1.0)

  # Types and object classes referenced by the rules below; audit2allow lists
  # only what appeared in the captured denials.
  require {
        type munin_log_t;
        type httpd_sys_script_exec_t;
        type uptimed_spool_t;
        type syslogd_exec_t;
        type postfix_virtual_exec_t;
        type ntpd_exec_t;
        type dhcp_state_t;
        type groupadd_exec_t;
        type fonts_cache_t;
        type getty_exec_t;
        type postfix_data_t;
        type postfix_map_exec_t;
        type admin_passwd_exec_t;
        type sulogin_exec_t;
        type modules_conf_t;
        type ldconfig_cache_t;
        type httpd_rotatelogs_exec_t;
        type sshd_exec_t;
        type fail2ban_exec_t;
        type ntp_drift_t;
        type semanage_exec_t;
        type crond_t;
        type ntpd_log_t;
        type run_init_exec_t;
        type restorecond_exec_t;
        type postfix_smtpd_exec_t;
        class dir { getattr read open };
        class file { read getattr open };
  }

  #============= crond_t ==============
  # Each allow rule mirrors one observed denial, so this only covers what the
  # logged run touched; a later run may produce further denials. Most rules
  # are getattr (stat) on daemon executables and spool/state directories,
  # plausibly from the backup walking the filesystem.
  allow crond_t admin_passwd_exec_t:file getattr;
  allow crond_t dhcp_state_t:dir { read getattr };
  allow crond_t fail2ban_exec_t:file getattr;
  allow crond_t fonts_cache_t:dir { read getattr open };
  allow crond_t fonts_cache_t:file getattr;
  allow crond_t getty_exec_t:file getattr;
  allow crond_t groupadd_exec_t:file getattr;
  allow crond_t httpd_rotatelogs_exec_t:file getattr;
  allow crond_t httpd_sys_script_exec_t:dir { read getattr open };
  allow crond_t ldconfig_cache_t:dir { read getattr open };
  allow crond_t ldconfig_cache_t:file getattr;
  allow crond_t modules_conf_t:dir read;
  # Log contents (munin, ntpd) are actually read here, not just stat'ed.
  allow crond_t munin_log_t:file { read open };
  allow crond_t ntp_drift_t:dir open;
  allow crond_t ntp_drift_t:file getattr;
  allow crond_t ntpd_exec_t:file getattr;
  allow crond_t ntpd_log_t:file { read open };
  allow crond_t postfix_data_t:dir { read getattr open };
  allow crond_t postfix_data_t:file getattr;
  allow crond_t postfix_map_exec_t:file getattr;
  allow crond_t postfix_smtpd_exec_t:file getattr;
  allow crond_t postfix_virtual_exec_t:file getattr;
  allow crond_t restorecond_exec_t:file getattr;
  allow crond_t run_init_exec_t:file getattr;
  allow crond_t semanage_exec_t:file getattr;
  allow crond_t sshd_exec_t:file getattr;
  # NOTE(review): exact duplicate of the previous rule; harmless, but drop one.
  allow crond_t sshd_exec_t:file getattr;
  allow crond_t sulogin_exec_t:file getattr;
  allow crond_t syslogd_exec_t:file getattr;
  allow crond_t uptimed_spool_t:file getattr;
  # Reference-policy interface calls substituted by `-R` where a denial
  # matched one. An interface grants everything it defines, not just the
  # single denied access.
  # NOTE(review): by their names, files_relabelfrom_boot_files,
  # seutil_exec_newrole, seutil_exec_restorecon and netutils_exec grant
  # relabel or execute rights rather than reads — check the interface
  # definitions before loading, since a read-only backup should need none of
  # those.
  auth_read_lastlog(crond_t)
  files_list_isid_type_dirs(crond_t)
  files_list_mnt(crond_t)
  files_read_var_lib_symlinks(crond_t)
  files_relabelfrom_boot_files(crond_t)
  miscfiles_read_hwdata(crond_t)
  munin_read_config(crond_t)
  netutils_exec(crond_t)
  seutil_exec_newrole(crond_t)
  seutil_exec_restorecon(crond_t)
  ssh_read_user_home_files(crond_t)
  sysnet_read_dhcp_config(crond_t)
  userdom_list_user_home_content(crond_t)
  userdom_read_user_home_content_symlinks(crond_t)

-- 
Gerald Turner   Email: gturner at unzane.com   JID: gturner at unzane.com
GPG: 0xFA8CD6D5  21D9 B2E8 7FE7 F19E 5F7D  4D0C 3FA0 810F FA8C D6D5

