disabling unconfined broke aide ran from cron

OS: RHEL6.3
I disabled the unconfined module: semodule -d unconfined
I have an /etc/crontab entry to execute: /usr/sbin/aide --check

The aide process is blocked from starting via cron. After running in permissive mode, audit2allow recommended something like this:

#============= system_cronjob_t ==============
allow system_cronjob_t admin_home_t:file { read open };
allow system_cronjob_t admin_home_t:lnk_file read;
allow system_cronjob_t aide_db_t:file { read lock ioctl write open };
allow system_cronjob_t aide_log_t:file { read write };
allow system_cronjob_t auditd_etc_t:file { read open };
allow system_cronjob_t boot_t:file { read open };
allow system_cronjob_t boot_t:lnk_file read;
allow system_cronjob_t crack_db_t:file { read open };
allow system_cronjob_t etc_aliases_t:file { read open };
allow system_cronjob_t fonts_t:file { read open };
allow system_cronjob_t hwdata_t:file { read open };
allow system_cronjob_t modules_dep_t:file { read open };
allow system_cronjob_t modules_object_t:file { read open };
allow system_cronjob_t modules_object_t:lnk_file read;
allow system_cronjob_t self:capability ipc_lock;
allow system_cronjob_t shadow_t:file { read open };
allow system_cronjob_t system_map_t:file { read open };
allow system_cronjob_t userhelper_conf_t:file { read open };

This seems like allowing system_cronjob_t a bit much. I did not have much luck creating a policy to do process transition with cron so it would run in the needed context. So, I had to keep unconfined enabled.

Re: disabling unconfined broke aide ran from cron

This looks like we need to add policy for running aide out of a cron job.

Something like

policy_module(myaide, 1.0)
gen_require(`
type aide_t;
type aide_exec_t;
')

cron_system_entry(aide_t, aide_exec_t)


Re: disabling unconfined broke aide ran from cron

I am adding this to Fedora 18 policy.

Re: disabling unconfined broke aide ran from cron

RHEL6.3 howto: allow cron to run aide with SELinux policy. Add the following policy by creating myaide.te, then make the .pp and install it with the semodule command.

# cat myaide.te

policy_module(myaide, 1.0)

gen_require(`
type aide_t;
type aide_exec_t;
')

cron_system_entry(aide_t, aide_exec_t)

# make -f /usr/share/selinux/devel/Makefile myaide.pp
# semodule -i myaide.pp
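The procedure above (write myaide.te, build it with the reference-policy devel Makefile, load it with semodule) as one script. This is an added example, not a script from the thread or from the SELinux policy project; it assumes the paths and tool names the posts use (/usr/share/selinux/devel/Makefile, semodule, sesearch from setools-console) and only runs the build and the transition check when those tools are present, so the module-writing and sanity-check functions can be exercised on any host.

```shell
#!/bin/sh
# Added example: generate, sanity-check, build, install and verify the
# "myaide" policy module from the thread. Paths and tool names are assumed
# to match RHEL6 / reference policy as used in the posts.

# write_te_module DIR: write myaide.te into DIR and print its path.
write_te_module() {
    dir="$1"
    cat > "$dir/myaide.te" <<'EOF'
policy_module(myaide, 1.0)

gen_require(`
    type aide_t;
    type aide_exec_t;
')

# Let the system cron job domain transition into aide_t when it runs a
# file labelled aide_exec_t, instead of granting system_cronjob_t direct
# access to shadow_t, aide_db_t and the other types audit2allow listed.
cron_system_entry(aide_t, aide_exec_t)
EOF
    echo "$dir/myaide.te"
}

# check_te_module FILE: both types must be declared in gen_require and
# the cron_system_entry() call must be present, otherwise the build fails.
check_te_module() {
    f="$1"
    grep -q '^[[:space:]]*type aide_t;' "$f" || return 1
    grep -q '^[[:space:]]*type aide_exec_t;' "$f" || return 1
    grep -q '^cron_system_entry(aide_t, aide_exec_t)' "$f" || return 1
    return 0
}

# build_and_install DIR: compile with the devel Makefile, load the module,
# and confirm it shows up in the loaded module list.
build_and_install() {
    dir="$1"
    mk=/usr/share/selinux/devel/Makefile
    if [ ! -f "$mk" ]; then
        echo "missing $mk (install selinux-policy-devel)" >&2
        return 2
    fi
    (cd "$dir" && make -f "$mk" myaide.pp) || return 1
    semodule -i "$dir/myaide.pp" || return 1
    semodule -l | grep -q '^myaide'
}

# verify_transition: the loaded policy should now carry a type transition
# system_cronjob_t -> aide_t on aide_exec_t (needs setools-console).
verify_transition() {
    if ! command -v sesearch >/dev/null 2>&1; then
        echo "sesearch missing: yum install setools-console" >&2
        return 2
    fi
    sesearch -T -s system_cronjob_t -t aide_exec_t -c process | grep -q 'aide_t'
}

# Run the whole procedure only when invoked as: sh myaide.sh --run
if [ "${1-}" = "--run" ]; then
    d=$(mktemp -d)
    f=$(write_te_module "$d")
    check_te_module "$f" && build_and_install "$d" && verify_transition \
        && echo "myaide loaded; cron will run aide in aide_t"
fi
```

After loading, the next cron run of /usr/sbin/aide should appear in `ps -eZ` as aide_t rather than system_cronjob_t, and the audit log should no longer show system_cronjob_t denials on aide_db_t or aide_log_t.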

Re: disabling unconfined broke aide ran from cron

Yes, we have made this change to the RHEL7 policy and will backport it to RHEL6.

Trying to reduce the unconfined risk and found your journal

Great post, disabling unconfined is what I was looking for. Worked on Fedora 20 core with some denials, but it didn't prevent the system from booting and all major services are running.
Thanks Dan, I'm feeling my system is more secure now. I am gonna look at your other articles as well.

Dan,

Need your assistance. Unable to use the sesearch command.
[root@localhost ~]# which sesearch
/usr/bin/which: no sesearch in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)


yum install setools-console

