SELinux prevents Apache from reading its crontab #2

Closed
bogdanghervan opened this issue Nov 30, 2014 · 2 comments
Comments

@bogdanghervan
Member

Error that CronKeep reports:

'/var/spool/cron' is not a directory, bailing out

Somebody else encountered this error:
http://stackoverflow.com/questions/10706031/var-spool-cron-is-not-a-directory-bailing-out-when-trying-to-work-with-cron

We should better handle this situation (inform the user and present options).

Error originally found on CentOS 6.4, PHP 5.3.25.

@bogdanghervan bogdanghervan changed the title SELinux prevents Apache reading its crontab SELinux prevents Apache from reading its crontab Nov 30, 2014
@bogdanghervan bogdanghervan added this to the v.1.0.0-beta milestone Dec 6, 2014
@bogdanghervan
Member Author

Here are all the relevant log entries collected from /var/log/audit/audit.log after 7 trial and error iterations, in an attempt to create a custom SELinux policy module to include all the requirements for crontab to be maneuvered by Apache:

type=AVC msg=audit(1419485252.886:595): avc:  denied  { getattr } for  pid=2756 comm="crontab" path="/var/spool/cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1419485252.886:595): arch=c000003e syscall=4 success=no exit=-13 a0=7f8f9752cadf a1=7fff579ef190 a2=7fff579ef190 a3=7f8f97730380 items=0 ppid=2516 pid=2756 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419485633.710:599): avc:  denied  { search } for  pid=2770 comm="crontab" name="cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1419485633.710:599): arch=c000003e syscall=2 success=no exit=-13 a0=7fff22d91f10 a1=0 a2=1b6 a3=0 items=0 ppid=2516 pid=2770 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419486215.372:632): avc:  denied  { write } for  pid=2831 comm="crontab" name="cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1419486215.372:632): arch=c000003e syscall=2 success=no exit=-13 a0=7ffdb7882480 a1=c2 a2=180 a3=8 items=0 ppid=2517 pid=2831 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419486512.405:668): avc:  denied  { add_name } for  pid=2887 comm="crontab" name="tmp.XXXXWYc50f" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1419486512.405:668): arch=c000003e syscall=2 success=no exit=-13 a0=7f5de4905480 a1=c2 a2=180 a3=8 items=0 ppid=2519 pid=2887 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419486970.266:694): avc:  denied  { create } for  pid=2927 comm="crontab" name="tmp.XXXXXljeH1" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1419486970.266:694): arch=c000003e syscall=2 success=no exit=-13 a0=7f8a504fa480 a1=c2 a2=180 a3=8 items=0 ppid=2522 pid=2927 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419487207.988:724): avc:  denied  { setattr } for  pid=2972 comm="crontab" name="tmp.XXXXI43XHG" dev=dm-0 ino=262254 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1419487207.988:724): arch=c000003e syscall=92 success=no exit=-13 a0=7f431bd1e480 a1=30 a2=ffffffff a3=1a items=0 ppid=2522 pid=2972 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419487207.988:725): avc:  denied  { remove_name } for  pid=2972 comm="crontab" name="tmp.XXXXI43XHG" dev=dm-0 ino=262254 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1419487207.988:725): arch=c000003e syscall=87 success=no exit=-13 a0=7f431bd1e480 a1=7fff23d3ca90 a2=0 a3=8 items=0 ppid=2522 pid=2972 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419487389.236:745): avc:  denied  { rename } for  pid=3013 comm="crontab" name="tmp.XXXXmOmAuj" dev=dm-0 ino=262308 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1419487389.236:745): arch=c000003e syscall=82 success=no exit=-13 a0=7fb3d00d8480 a1=7fff942d37b0 a2=0 a3=1a items=0 ppid=2520 pid=3013 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419487389.236:746): avc:  denied  { unlink } for  pid=3013 comm="crontab" name="tmp.XXXXmOmAuj" dev=dm-0 ino=262308 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1419487389.236:746): arch=c000003e syscall=87 success=no exit=-13 a0=7fb3d00d8480 a1=7fff942b35b0 a2=0 a3=8 items=0 ppid=2520 pid=3013 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

The same aggregated information, but in a more readable format, using audit2allow -w -a:

type=AVC msg=audit(1419485252.886:595): avc:  denied  { getattr } for  pid=2756 comm="crontab" path="/var/spool/cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1419485633.710:599): avc:  denied  { search } for  pid=2770 comm="crontab" name="cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1419486187.692:611): avc:  denied  { write } for  pid=2808 comm="crontab" name="cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1419486512.405:668): avc:  denied  { add_name } for  pid=2887 comm="crontab" name="tmp.XXXXWYc50f" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1419486970.266:694): avc:  denied  { create } for  pid=2927 comm="crontab" name="tmp.XXXXXljeH1" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1419487207.988:724): avc:  denied  { setattr } for  pid=2972 comm="crontab" name="tmp.XXXXI43XHG" dev=dm-0 ino=262254 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1419487207.988:725): avc:  denied  { remove_name } for  pid=2972 comm="crontab" name="tmp.XXXXI43XHG" dev=dm-0 ino=262254 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1419487389.236:745): avc:  denied  { rename } for  pid=3013 comm="crontab" name="tmp.XXXXmOmAuj" dev=dm-0 ino=262308 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1419487389.236:746): avc:  denied  { unlink } for  pid=3013 comm="crontab" name="tmp.XXXXmOmAuj" dev=dm-0 ino=262308 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

@bogdanghervan
Member Author

To generate a SELinux policy module for all these rules:

$ grep cron /var/log/audit/audit.log | audit2allow -M httpd_crontab
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i httpd_crontab.pp

Resulting files:

To install the policy module:

$ semodule -i httpd_crontab.pp

(Please note that this can take some dozens of seconds.)
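As an added illustration (not code from this issue or from CronKeep), the Python below reproduces what the `grep cron /var/log/audit/audit.log | audit2allow -M httpd_crontab` step does with the records quoted above: it parses each AVC denial, merges the denied permissions per source type, target type and object class, and renders them as the allow rules that end up in httpd_crontab.te. The sample log is constructed from the AVC lines in this thread plus one made-up httpd denial; filtering on comm="crontab" is this example's stand-in for the grep.

```python
import re
from collections import defaultdict
# Constructed sample: AVC records copied from the audit log quoted in this issue,
# plus one unrelated httpd denial (made up) to show that it is filtered out.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1419485252.886:595): avc:  denied  { getattr } for  pid=2756 comm="crontab" path="/var/spool/cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1419485633.710:599): avc:  denied  { search } for  pid=2770 comm="crontab" name="cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1419486215.372:632): avc:  denied  { write } for  pid=2831 comm="crontab" name="cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1419486512.405:668): avc:  denied  { add_name } for  pid=2887 comm="crontab" name="tmp.XXXXWYc50f" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1419486970.266:694): avc:  denied  { create } for  pid=2927 comm="crontab" name="tmp.XXXXXljeH1" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1419487207.988:724): avc:  denied  { setattr } for  pid=2972 comm="crontab" name="tmp.XXXXI43XHG" dev=dm-0 ino=262254 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1419487207.988:725): avc:  denied  { remove_name } for  pid=2972 comm="crontab" name="tmp.XXXXI43XHG" dev=dm-0 ino=262254 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1419487389.236:745): avc:  denied  { rename } for  pid=3013 comm="crontab" name="tmp.XXXXmOmAuj" dev=dm-0 ino=262308 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1419487389.236:746): avc:  denied  { unlink } for  pid=3013 comm="crontab" name="tmp.XXXXmOmAuj" dev=dm-0 ino=262308 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1419487400.000:750): avc:  denied  { read } for  pid=3100 comm="httpd" name="index.php" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_PERMS = re.compile(r'avc:\s+denied\s+\{ ([^}]+)\}')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    # One AVC denial -> ((source type, target type, class), perms, comm); None for other records.
    m = AVC_PERMS.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    stype = fields["scontext"].split(":")[2]  # contexts are user:role:TYPE:level
    ttype = fields["tcontext"].split(":")[2]
    return (stype, ttype, fields["tclass"]), m.group(1).split(), fields["comm"]

def aggregate_denials(log_text, comm="crontab"):
    # Merge per-process denials into one permission set per (source, target, class),
    # which is what audit2allow does before it writes allow rules.
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed and parsed[2] == comm:
            rules[parsed[0]].update(parsed[1])
    return dict(rules)

def render_te(rules, module="httpd_crontab"):
    # Emit allow rules in .te syntax (audit2allow -M also prepends a require block).
    out = [f"module {module} 1.0;", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)

print(render_te(aggregate_denials(SAMPLE_AUDIT_LOG)))
```

Reading the merged rule set this way before running semodule -i shows exactly what the module grants httpd_t: five dir and four file permissions on user_cron_spool_t, and nothing else.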
