
Comments (2)

bogdanghervan commented on June 20, 2024

To generate a SELinux policy module for all these rules:

$ grep cron /var/log/audit/audit.log | audit2allow -M httpd_crontab
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i httpd_crontab.pp

Resulting files:

To install the policy module:

$ semodule -i httpd_crontab.pp

(Please note that this can take some dozens of seconds.)

from cronkeep.

bogdanghervan commented on June 20, 2024

Here are all the relevant log entries collected from /var/log/audit/audit.log after 7 trial and error iterations, in an attempt to create a custom SELinux policy module to include all the requirements for crontab to be maneuvered by Apache:

type=AVC msg=audit(1419485252.886:595): avc:  denied  { getattr } for  pid=2756 comm="crontab" path="/var/spool/cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1419485252.886:595): arch=c000003e syscall=4 success=no exit=-13 a0=7f8f9752cadf a1=7fff579ef190 a2=7fff579ef190 a3=7f8f97730380 items=0 ppid=2516 pid=2756 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419485633.710:599): avc:  denied  { search } for  pid=2770 comm="crontab" name="cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1419485633.710:599): arch=c000003e syscall=2 success=no exit=-13 a0=7fff22d91f10 a1=0 a2=1b6 a3=0 items=0 ppid=2516 pid=2770 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419486215.372:632): avc:  denied  { write } for  pid=2831 comm="crontab" name="cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1419486215.372:632): arch=c000003e syscall=2 success=no exit=-13 a0=7ffdb7882480 a1=c2 a2=180 a3=8 items=0 ppid=2517 pid=2831 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419486512.405:668): avc:  denied  { add_name } for  pid=2887 comm="crontab" name="tmp.XXXXWYc50f" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1419486512.405:668): arch=c000003e syscall=2 success=no exit=-13 a0=7f5de4905480 a1=c2 a2=180 a3=8 items=0 ppid=2519 pid=2887 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419486970.266:694): avc:  denied  { create } for  pid=2927 comm="crontab" name="tmp.XXXXXljeH1" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1419486970.266:694): arch=c000003e syscall=2 success=no exit=-13 a0=7f8a504fa480 a1=c2 a2=180 a3=8 items=0 ppid=2522 pid=2927 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419487207.988:724): avc:  denied  { setattr } for  pid=2972 comm="crontab" name="tmp.XXXXI43XHG" dev=dm-0 ino=262254 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1419487207.988:724): arch=c000003e syscall=92 success=no exit=-13 a0=7f431bd1e480 a1=30 a2=ffffffff a3=1a items=0 ppid=2522 pid=2972 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419487207.988:725): avc:  denied  { remove_name } for  pid=2972 comm="crontab" name="tmp.XXXXI43XHG" dev=dm-0 ino=262254 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1419487207.988:725): arch=c000003e syscall=87 success=no exit=-13 a0=7f431bd1e480 a1=7fff23d3ca90 a2=0 a3=8 items=0 ppid=2522 pid=2972 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419487389.236:745): avc:  denied  { rename } for  pid=3013 comm="crontab" name="tmp.XXXXmOmAuj" dev=dm-0 ino=262308 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1419487389.236:745): arch=c000003e syscall=82 success=no exit=-13 a0=7fb3d00d8480 a1=7fff942d37b0 a2=0 a3=1a items=0 ppid=2520 pid=3013 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419487389.236:746): avc:  denied  { unlink } for  pid=3013 comm="crontab" name="tmp.XXXXmOmAuj" dev=dm-0 ino=262308 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1419487389.236:746): arch=c000003e syscall=87 success=no exit=-13 a0=7fb3d00d8480 a1=7fff942b35b0 a2=0 a3=8 items=0 ppid=2520 pid=3013 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

The same aggregated information, but in a more readable format, using audit2allow -w -a:

type=AVC msg=audit(1419485252.886:595): avc:  denied  { getattr } for  pid=2756 comm="crontab" path="/var/spool/cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1419485633.710:599): avc:  denied  { search } for  pid=2770 comm="crontab" name="cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1419486187.692:611): avc:  denied  { write } for  pid=2808 comm="crontab" name="cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1419486512.405:668): avc:  denied  { add_name } for  pid=2887 comm="crontab" name="tmp.XXXXWYc50f" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1419486970.266:694): avc:  denied  { create } for  pid=2927 comm="crontab" name="tmp.XXXXXljeH1" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1419487207.988:724): avc:  denied  { setattr } for  pid=2972 comm="crontab" name="tmp.XXXXI43XHG" dev=dm-0 ino=262254 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1419487207.988:725): avc:  denied  { remove_name } for  pid=2972 comm="crontab" name="tmp.XXXXI43XHG" dev=dm-0 ino=262254 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1419487389.236:745): avc:  denied  { rename } for  pid=3013 comm="crontab" name="tmp.XXXXmOmAuj" dev=dm-0 ino=262308 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1419487389.236:746): avc:  denied  { unlink } for  pid=3013 comm="crontab" name="tmp.XXXXmOmAuj" dev=dm-0 ino=262308 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

from cronkeep.
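Both comments above describe one procedure: collect the AVC denials that crontab triggers while running in httpd_t, feed them to audit2allow -M, and install the resulting .pp with semodule -i. The script below is an added example (mine, not cronkeep's code and not part of the original issue) that performs the aggregation step in Python so the allow rules can be read and reviewed before anything is loaded: it parses sample audit lines constructed from the AVC records posted above (SYSCALL records included only to show they are skipped), collapses them into one rule per (source type, target type, object class) the way audit2allow does, renders a .te file in the same layout, and flags every rule that hands the source domain write-class permissions. The module name httpd_crontab is taken from the comment; the WRITE_PERMS set and the function names are my own assumptions.

```python
"""Aggregate SELinux AVC denials into the type-enforcement (TE) rules
audit2allow would emit, and flag rules that grant write access.

Added example, not code from the cronkeep project. Sample log lines are
constructed from the AVC records in this issue; most SYSCALL records omitted.
"""
import re
from collections import defaultdict

# Constructed sample input: AVC records from the comment above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1419485252.886:595): avc:  denied  { getattr } for  pid=2756 comm="crontab" path="/var/spool/cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1419485252.886:595): arch=c000003e syscall=4 success=no exit=-13 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419485633.710:599): avc:  denied  { search } for  pid=2770 comm="crontab" name="cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1419486215.372:632): avc:  denied  { write } for  pid=2831 comm="crontab" name="cron" dev=dm-0 ino=262482 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1419486512.405:668): avc:  denied  { add_name } for  pid=2887 comm="crontab" name="tmp.XXXXWYc50f" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1419486970.266:694): avc:  denied  { create } for  pid=2927 comm="crontab" name="tmp.XXXXXljeH1" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1419487207.988:724): avc:  denied  { setattr } for  pid=2972 comm="crontab" name="tmp.XXXXI43XHG" dev=dm-0 ino=262254 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1419487207.988:725): avc:  denied  { remove_name } for  pid=2972 comm="crontab" name="tmp.XXXXI43XHG" dev=dm-0 ino=262254 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1419487389.236:745): avc:  denied  { rename } for  pid=3013 comm="crontab" name="tmp.XXXXmOmAuj" dev=dm-0 ino=262308 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1419487389.236:746): avc:  denied  { unlink } for  pid=3013 comm="crontab" name="tmp.XXXXmOmAuj" dev=dm-0 ino=262308 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file
"""

# Matches only AVC records; SYSCALL records carry no access vector and are skipped.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that let the source domain modify the target rather than read it
# (assumed set for the review step, not an SELinux-defined grouping).
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
               "add_name", "remove_name", "rmdir", "link"}


def context_type(ctx):
    """user:role:type[:level] -> type, e.g. unconfined_u:system_r:httpd_t:s0 -> httpd_t."""
    return ctx.split(":")[2]


def aggregate_denials(audit_text):
    """Collapse AVC records into {(source_type, target_type, tclass): {perms}}."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def render_te(rules, module="httpd_crontab", version="1.0"):
    """Render the rules as a policy source file in the layout audit2allow -M uses."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def write_grants(rules):
    """Return only the rules that give the source domain write access to the target."""
    return {k: sorted(v & WRITE_PERMS) for k, v in rules.items() if v & WRITE_PERMS}


if __name__ == "__main__":
    rules = aggregate_denials(SAMPLE_AUDIT_LOG)
    print(render_te(rules))
    for (src, tgt, tclass), perms in write_grants(rules).items():
        print(f"# review: {src} gains write access to {tgt}:{tclass} via {perms}")
```

The rendered file compiles with the same tools audit2allow -M drives under the hood: checkmodule -M -m -o httpd_crontab.mod httpd_crontab.te, then semodule_package -o httpd_crontab.pp -m httpd_crontab.mod, then semodule -i httpd_crontab.pp. The review output is the point of doing it by hand: the SYSCALL records above show crontab running as uid=48 with euid=0 while still confined in httpd_t, so both rules let the web server's domain create, rename and unlink entries under user_cron_spool_t. That is exactly the access the issue is after, and also what a compromised httpd would inherit, so the module should be kept to these two rules rather than widened to a broader set of permissions or a permissive domain.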
