Summary: | selinux-base-policy-2.20110726-r3 does not allow cron to access nfs | |
---|---|---|---
Product: | Gentoo Linux | Reporter: | Matthew Thode ( prometheanfire ) <prometheanfire>
Component: | Hardened | Assignee: | Sven Vermeulen (RETIRED) <swift>
Status: | VERIFIED FIXED | |
Severity: | normal | CC: | prometheanfire, selinux
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | | |
Bug Blocks: | 384231 | |
Description
Matthew Thode ( prometheanfire )
2011-08-30 08:46:24 UTC
Yup, there's no transition for glsa-check yet. I'll look into it.

Okay, marking glsa-check as portage_exec_t does the trick functionality-wise. However, as you mentioned on IRC:

```
18:51 < prometheanfire> ya type=AVC msg=audit(1315075681.170:1071): avc: denied { write } for pid=25851 comm="glsa-check" path="pipe:[3876757]" dev=pipefs ino=3876757 scontext=system_u:system_r:portage_t tcontext=system_u:system_r:crond_t tclass=fifo_file
```

This is for the output of glsa-check, which is piped to the cron daemon, which isn't allowed for now.

set glsa-check as portage_exec_t

```
module glsa 1.0;

require {
	type portage_t;
	type crond_t;
	class netlink_route_socket { write getattr read bind create nlmsg_read };
	class fifo_file write;
}

#============= portage_t ==============
allow portage_t crond_t:fifo_file write;
allow portage_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
```

The portage_t crond_t fifo_file stuff should be okay in -r4. The netlink_route_socket I still need to check why/when that's necessary, but I need to set up glsa-check -m for that first, which'll take a while.

Can you check if you can send mails through "glsa-check -m all" when PORTAGE_ELOG_MAILURI is set to an IP address instead of a hostname? I have the feeling that it (netlink_route_socket privileges as mentioned earlier) is needed to resolve DNS.

As per our discussion on #gentoo-hardened, the netlink_route_socket issue doesn't occur anymore:

```
15:04 < prometheanfire> test with IP works
15:04 < prometheanfire> testing with dns (glsa-check not being labeled was probably my problem
15:06 <@SwifT> I think with dns you'll get that netlink_route_socket denial
15:07 < prometheanfire> nope
15:08 < prometheanfire> works fine now
```

The glsa-check (portage_exec_t) will be part of r5.

Change included in -r5, now in hardened-dev overlay.

In main tree, ~arch'ed

Stabilized.
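As an added illustration (not code from this bug or from the Gentoo policy), the script below parses the AVC denial quoted in the thread into the `require` block and `allow` rule that audit2allow produces, so the generated rule can be compared against what the domain should actually be granted; the sample line is copied from the bug, the function names are mine.

```python
import re

# Constructed sample: the AVC denial quoted in this bug, joined into one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1315075681.170:1071): avc: denied { write } for '
    'pid=25851 comm="glsa-check" path="pipe:[3876757]" dev=pipefs ino=3876757 '
    'scontext=system_u:system_r:portage_t tcontext=system_u:system_r:crond_t '
    'tclass=fifo_file')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')


def parse_avc(line):
    """Extract source type, target type, object class and permissions from one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    return {'source': m.group('scontext').split(':')[2],
            'target': m.group('tcontext').split(':')[2],
            'tclass': m.group('tclass'),
            'perms': m.group('perms').split()}


def fmt_perms(perms):
    """Single permission bare, several in braces, as policy syntax expects."""
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def allow_rule(d):
    """Render one parsed denial as an allow rule ('self' when source == target)."""
    target = 'self' if d['target'] == d['source'] else d['target']
    return f"allow {d['source']} {target}:{d['tclass']} {fmt_perms(d['perms'])};"


def policy_module(name, lines):
    """Build minimal module source (as audit2allow -M would) from raw AVC lines."""
    denials = [d for d in (parse_avc(l) for l in lines) if d]
    types = sorted({t for d in denials for t in (d['source'], d['target'])})
    classes = {}
    for d in denials:
        classes.setdefault(d['tclass'], set()).update(d['perms'])
    req = [f"\ttype {t};" for t in types]
    req += [f"\tclass {c} {fmt_perms(sorted(p))};" for c, p in sorted(classes.items())]
    rules = [allow_rule(d) for d in denials]
    return (f"module {name} 1.0;\n\nrequire {{\n" + "\n".join(req) + "\n}\n\n"
            + "\n".join(rules) + "\n")
```

Running `policy_module('glsa', [SAMPLE_AVC])` reproduces the `fifo_file` part of the module posted in the thread; the rule names the exact domain, object class and permission, which is what to review before loading it.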