disabling unconfined broke aide run from cron

OS: RHEL6.3
I disabled the unconfined module: semodule -d unconfined
I have an /etc/crontab entry to execute: /usr/sbin/aide --check

The aide process is blocked from starting via cron. After running in permissive mode, audit2allow recommended something like this:

#============= system_cronjob_t ==============
allow system_cronjob_t admin_home_t:file { read open };
allow system_cronjob_t admin_home_t:lnk_file read;
allow system_cronjob_t aide_db_t:file { read lock ioctl write open };
allow system_cronjob_t aide_log_t:file { read write };
allow system_cronjob_t auditd_etc_t:file { read open };
allow system_cronjob_t boot_t:file { read open };
allow system_cronjob_t boot_t:lnk_file read;
allow system_cronjob_t crack_db_t:file { read open };
allow system_cronjob_t etc_aliases_t:file { read open };
allow system_cronjob_t fonts_t:file { read open };
allow system_cronjob_t hwdata_t:file { read open };
allow system_cronjob_t modules_dep_t:file { read open };
allow system_cronjob_t modules_object_t:file { read open };
allow system_cronjob_t modules_object_t:lnk_file read;
allow system_cronjob_t self:capability ipc_lock;
allow system_cronjob_t shadow_t:file { read open };
allow system_cronjob_t system_map_t:file { read open };
allow system_cronjob_t userhelper_conf_t:file { read open };

This seems like allowing system_cronjob_t a bit too much. I did not have much luck creating a policy to do a process transition with cron so it would run in the needed context. So I had to keep unconfined enabled.

Re: disabling unconfined broke aide run from cron

This looks like we need to add policy for running aide out of a cron job.

Something like

policy_module(myaide, 1.0)
gen_require(`
# both the target domain and its entrypoint type must be declared here,
# or the module will not build
type aide_t;
type aide_exec_t;
')

# system_cronjob_t executing an aide_exec_t file transitions to aide_t
cron_system_entry(aide_t, aide_exec_t)


Re: disabling unconfined broke aide run from cron

I am adding this to Fedora 18 policy.

Re: disabling unconfined broke aide run from cron

RHEL6.3 howto, allowing cron to run aide with SELinux policy: add the following policy by creating myaide.te, then make the .pp and install it with the semodule command.

# cat myaide.te

policy_module(myaide, 1.0)

gen_require(`
type aide_t;
type aide_exec_t;
')

# system_cronjob_t executing an aide_exec_t file transitions to aide_t,
# so aide's own policy, not cron's, governs what the job may touch
cron_system_entry(aide_t, aide_exec_t)

# make -f /usr/share/selinux/devel/Makefile myaide.pp
# semodule -i myaide.pp
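
The howto above, wrapped in a script, as an added example that is not code from this thread. It generates the same myaide.te, builds and loads it with the two commands given, and then verifies the result (module loaded, /usr/sbin/aide labelled aide_exec_t, and the system_cronjob_t to aide_t type transition present in the loaded policy), which is the check a practitioner wants before trusting the next cron run. It also reviews audit2allow output from the first post and flags the rules that should never be granted to system_cronjob_t as plain allows. It assumes RHEL 6 with selinux-policy-devel, policycoreutils and setools installed; MODNAME, WORKDIR and the "sensitive" pattern list are this script's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes RHEL 6 with
# selinux-policy-devel (devel Makefile), policycoreutils (semodule,
# audit2allow) and setools (sesearch). MODNAME, WORKDIR and the pattern
# list in flag_sensitive_rules are this script's own choices.

MODNAME=myaide
WORKDIR=${WORKDIR:-/root/$MODNAME}

# Policy source: the same one-line transition the thread arrives at.
gen_myaide_te() {
    cat <<'EOF'
policy_module(myaide, 1.0)

gen_require(`
    type aide_t;
    type aide_exec_t;
')

# When system_cronjob_t executes a file labelled aide_exec_t the new process
# runs as aide_t, so aide's own policy (not cron's) governs what it may touch.
cron_system_entry(aide_t, aide_exec_t)
EOF
}

# Read audit2allow output on stdin and print the rules that would hand the
# cron domain privileges a cron job should never hold directly: /etc/shadow,
# raw capabilities, write access to the AIDE database.  The pattern list is
# this example's own judgement, not anything audit2allow computes.
flag_sensitive_rules() {
    grep -E 'shadow_t|self:capability|aide_db_t:file.*write' || true
}

# Number of flagged rules, for a caller that wants to abort on a non-zero count.
count_sensitive_rules() {
    flag_sensitive_rules | wc -l | tr -d ' '
}

# The two commands from the thread, run from a scratch directory.
build_and_install() {
    mkdir -p "$WORKDIR" && cd "$WORKDIR" || return 1
    gen_myaide_te > "$MODNAME.te"
    make -f /usr/share/selinux/devel/Makefile "$MODNAME.pp" || return 1
    semodule -i "$MODNAME.pp"
}

# Three checks before trusting the next cron run: the module is loaded, the
# binary carries the entrypoint label the rule keys on, and the loaded policy
# really contains the type transition.
verify_transition() {
    semodule -l | grep -q "^$MODNAME" \
        || { echo "module $MODNAME is not loaded" >&2; return 1; }
    ls -Z /usr/sbin/aide | grep -q 'aide_exec_t' \
        || { echo "/usr/sbin/aide is not aide_exec_t; try: restorecon -v /usr/sbin/aide" >&2; return 1; }
    sesearch -T -s system_cronjob_t -t aide_exec_t -c process | grep -q 'aide_t' \
        || { echo "no system_cronjob_t -> aide_t transition in loaded policy" >&2; return 1; }
    echo "ok: cron jobs executing /usr/sbin/aide will run as aide_t"
}

# Usage:  audit2allow -a | sh myaide.sh review   (inspect the proposal first)
#         sh myaide.sh install                   (build, load, verify)
#         sh myaide.sh verify                    (re-check after a relabel)
case "${1:-}" in
    review)
        flagged=$(flag_sensitive_rules)
        if [ -n "$flagged" ]; then
            echo "do not load these as plain allow rules; use the transition instead:" >&2
            printf '%s\n' "$flagged"
            exit 1
        fi
        echo "nothing sensitive flagged" ;;
    install) build_and_install && verify_transition ;;
    verify)  verify_transition ;;
esac
```

After `install`, watch `ausearch -m avc -ts recent` across the next scheduled run: with the transition in place any remaining denials should name aide_t as the source, not system_cronjob_t, and those are what aide's own policy needs to cover.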

Re: disabling unconfined broke aide run from cron

Yes we have made this change to RHEL7 policy and will back port it to RHEL6
