LinuxQuestions.org > Forums > Linux - Server
Old 01-06-2013, 01:11 AM   #1
Biosko
LQ Newbie
 
Registered: Nov 2012
Posts: 8

Question Cronjob - logwatch failed, avc denied execstack


Hello,
I am running a mail server and I installed logwatch on it. Normally when I execute logwatch via the console or a cron script as the root user, everything works fine. But the scheduled cron job is not working properly.

I am receiving emails like:
Code:
/etc/cron.daily/0logwatch:
sendmail: error while loading shared libraries: libcrypto.so.1.0.0: cannot enable executable stack as shared object requires: Permission denied
So I started investigating:

1. A library named libcrypto exists on the system and there are 2 copies of it:
Code:
openssl-1.0.0-25.el6_3.1.x86_64 : A general purpose cryptography library with
                                : TLS implementation
Repo        : installed
Matched from:
Filename    : /usr/lib64/libcrypto.so.1.0.0



zimbra-core-7.2.1_GA_2790.RHEL6_64-20120815212147.x86_64 : Zimbra Core
Repo        : installed
Matched from:
Filename    : /opt/zimbra/openssl-1.0.0j/lib/libcrypto.so.1.0.0
2. I tried to find out what permissions they have. It looks like the lib in the /usr dir has w for root, but I don't think that should be the cause of the problem.
Code:
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       /usr/lib64/libcrypto.so.1.0.0
-r-xr-xr-x. root root system_u:object_r:lib_t:s0       /opt/zimbra/openssl-1.0.0j/lib/libcrypto.so.1.0.0
3. Then I found out it's SELinux related, and I found this in audit.log:
Code:
type=AVC msg=audit(1357439119.411:13817): avc:  denied  { execstack } for  pid=22452 comm="sendmail" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1357439119.411:13817): arch=c000003e syscall=10 success=no exit=-13 a0=7fff604bf000 a1=1000 a2=1000007 a3=7fc0c2ffb000 items=0 ppid=22159 pid=22452 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=778 comm="sendmail" exe="/opt/zimbra/postfix-2.7.10.3z/sbin/sendmail" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
4. I found out that the libraries have different GNU_STACK flags:
/usr/lib64/libcrypto.so.1.0.0
Code:
Elf file type is DYN (Shared object file)
Entry point 0x5ca00
There are 7 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000173324 0x0000000000173324  R E    200000
  LOAD           0x0000000000173cd0 0x0000000000373cd0 0x0000000000373cd0
                 0x0000000000021ad0 0x00000000000257b8  RW     200000
  DYNAMIC        0x000000000018b510 0x000000000038b510 0x000000000038b510
                 0x00000000000001c0 0x00000000000001c0  RW     8
  NOTE           0x00000000000001c8 0x00000000000001c8 0x00000000000001c8
                 0x0000000000000024 0x0000000000000024  R      4
  GNU_EH_FRAME   0x0000000000145654 0x0000000000145654 0x0000000000145654
                 0x00000000000085d4 0x00000000000085d4  R      4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     8
  GNU_RELRO      0x0000000000173cd0 0x0000000000373cd0 0x0000000000373cd0
                 0x0000000000018330 0x0000000000018330  R      1

 Section to Segment mapping:
  Segment Sections...
   00     .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
   01     .ctors .dtors .jcr .data.rel.ro .dynamic .got .got.plt .data .bss
   02     .dynamic
   03     .note.gnu.build-id
   04     .eh_frame_hdr
   05    
   06     .ctors .dtors .jcr .data.rel.ro .dynamic .got
/opt/zimbra/openssl-1.0.0j/lib/libcrypto.so.1.0.0
Code:
Elf file type is DYN (Shared object file)
Entry point 0x60a40
There are 6 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000189f24 0x0000000000189f24  R E    200000
  LOAD           0x000000000018a000 0x000000000038a000 0x000000000038a000
                 0x0000000000022170 0x0000000000025c20  RW     200000
  DYNAMIC        0x00000000001a2070 0x00000000003a2070 0x00000000003a2070
                 0x00000000000001c0 0x00000000000001c0  RW     8
  NOTE           0x0000000000000190 0x0000000000000190 0x0000000000000190
                 0x0000000000000024 0x0000000000000024  R      4
  GNU_EH_FRAME   0x000000000015b46c 0x000000000015b46c 0x000000000015b46c
                 0x0000000000008804 0x0000000000008804  R      4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RWE    8

 Section to Segment mapping:
  Segment Sections...
   00     .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
   01     .ctors .dtors .jcr .data.rel.ro .dynamic .got .got.plt .data .bss
   02     .dynamic
   03     .note.gnu.build-id
   04     .eh_frame_hdr
   05
OK, the questions are now:
a) Why doesn't it work if I can run logwatch successfully via the console without errors, but with crontab it cannot work?
b) Which of these 2 libraries is used when the task is executed from crontab? Is it the one from the usr or the zimbra dir? How do I find that out?
c) How do I solve this problem? Any suggestions?

Thank you very much for your time
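The two audit records in the post carry everything needed to pin the denial to a process, a library behaviour and a syscall: the AVC line names the permission (execstack), the confined domain (logwatch_t) and the command, and the SYSCALL line with the same audit serial names the executable and the mprotect() arguments. The following parser is an added example written for this page, not code from the thread; it joins the two record types by serial, flags the memory-protection permissions (execstack, execmem, execheap, execmod) and decodes the mprotect prot argument. The x86_64 syscall numbers (9 = mmap, 10 = mprotect) and the PROT_* bit values are standard Linux constants; the sample input is the poster's own two lines, copied verbatim. The point a defender should take from the output: the denial came from the confined logwatch_t domain, which is why the same command succeeds from an unconfined console shell.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Sample input: the two audit records from the post above, copied verbatim.
SAMPLE_LOG = [
    'type=AVC msg=audit(1357439119.411:13817): avc:  denied  { execstack } for  pid=22452 comm="sendmail" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=process',
    'type=SYSCALL msg=audit(1357439119.411:13817): arch=c000003e syscall=10 success=no exit=-13 a0=7fff604bf000 a1=1000 a2=1000007 a3=7fc0c2ffb000 items=0 ppid=22159 pid=22452 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=778 comm="sendmail" exe="/opt/zimbra/postfix-2.7.10.3z/sbin/sendmail" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)',
]

_RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# SELinux 'process' permissions that govern executable memory
MEMORY_PERMS = {"execstack", "execmem", "execheap", "execmod"}
# Partial x86_64 (arch=c000003e) syscall table: only the calls behind these denials
X86_64_SYSCALLS = {9: "mmap", 10: "mprotect"}
PROT_BITS = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"),
             (0x01000000, "PROT_GROWSDOWN")]


def parse_kv(text: str) -> Dict[str, str]:
    """Turn 'k=v k="quoted v"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(text)}


def parse_record(line: str) -> Optional[dict]:
    """Parse one audit record; AVC records also get decision and permission list."""
    m = _RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    rec = {"type": rtype, "time": float(ts), "serial": int(serial)}
    if rtype == "AVC":
        a = _AVC_RE.search(rest)
        if not a:
            return None
        rec["decision"] = a.group(1)
        rec["perms"] = a.group(2).split()
        rec.update(parse_kv(a.group(3)))
    else:
        rec.update(parse_kv(rest))
    return rec


def decode_prot(hex_value: str) -> List[str]:
    """Decode the prot argument of mprotect()/mmap() as logged in a2/a3."""
    value = int(hex_value, 16)
    return [name for bit, name in PROT_BITS if value & bit]


def summarize_denials(lines) -> List[dict]:
    """Join each AVC 'denied' record to the SYSCALL record sharing its audit serial."""
    by_serial = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]].append(rec)
    out = []
    for serial, recs in sorted(by_serial.items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        for avc in recs:
            if avc["type"] != "AVC" or avc.get("decision") != "denied":
                continue
            item = {
                "serial": serial,
                "perms": avc["perms"],
                "tclass": avc.get("tclass"),
                "comm": avc.get("comm"),
                "scontext": avc.get("scontext"),
                "exe": None, "syscall": None, "prot": None,
                "memory_protection": bool(set(avc["perms"]) & MEMORY_PERMS),
            }
            if syscall is not None:
                item["exe"] = syscall.get("exe")
                nr = int(syscall.get("syscall", "-1"))
                if syscall.get("arch") == "c000003e":
                    item["syscall"] = X86_64_SYSCALLS.get(nr)
                if item["syscall"] == "mprotect":
                    item["prot"] = decode_prot(syscall.get("a2", "0"))
            out.append(item)
    return out


if __name__ == "__main__":
    for d in summarize_denials(SAMPLE_LOG):
        print(d)
```

On the poster's records this yields one denial: execstack on class process, comm sendmail, exe /opt/zimbra/postfix-2.7.10.3z/sbin/sendmail, syscall mprotect with prot PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN, which is the dynamic loader trying to make the stack executable on behalf of a library that asks for it. Feed it `ausearch -m AVC,SYSCALL --raw` output to get the same join over a real log.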
 
Old 01-06-2013, 07:42 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,990
Blog Entries: 54

Quote:
Originally Posted by Biosko
Why doesn't it work if I can run logwatch successfully via the console without errors, but with crontab it cannot work?
Context of the executing user at the console (as in 'secon --self') vs crond (as in '\ps --no-headers -Ccrond -olabel')?


Quote:
Originally Posted by Biosko
Which of these 2 libraries is used when the task is executed from crontab? Is it the one from the usr or the zimbra dir? How do I find that out?
I'd say the Zimbra one as the other doesn't have execstack problems to begin with.


Quote:
Originally Posted by Biosko
How do I solve this problem?
As you noted the CentOS library doesn't require the executable stack flag to be set. That is good (see http://people.redhat.com/drepper/selinux-mem.html for the explanation). Before setting the Zimbra SSL library to unconfined_execmem_exec_t I'd make a backup, symlink it to the stock CentOS one and see if you can get away with that.


Quote:
Originally Posted by Biosko
Thank you very much for your time
And thank you for a verbose post. It's always nice to see people post the details that should be listed to begin with.
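The comparison unSpawn makes here (the CentOS libcrypto has GNU_STACK RW, the Zimbra one RWE) is exactly what `readelf -l` printed in the first post, and it is worth being able to make it for every shared object a confined service loads before an AVC tells you about it. The checker below is an added example for this page, not code from the thread or from either project; it parses the ELF program headers directly (ELF32 and ELF64, either byte order) and reports whether a file carries a PT_GNU_STACK header with PF_X set. It treats a missing PT_GNU_STACK header as "executable stack required", which is what the x86 loader assumes by default. The `build_elf64` helper constructs a minimal, non-loadable ELF image purely as test input.

```python
import struct
import sys
from typing import Optional

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def gnu_stack_flags(data: bytes) -> Optional[int]:
    """Return p_flags of the PT_GNU_STACK program header, or None if the file has none.
    Handles ELF32/ELF64 and both byte orders; only the program headers are read."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    e = "<" if ei_data == 1 else ">"
    if ei_class == 2:                     # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54
        (e_phoff,) = struct.unpack_from(e + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)
        type_off, flags_off = 0, 4        # p_flags directly follows p_type in Elf64_Phdr
    elif ei_class == 1:                   # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42
        (e_phoff,) = struct.unpack_from(e + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 42)
        type_off, flags_off = 0, 24       # p_flags is the 7th field of Elf32_Phdr
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(e + "I", data, base + type_off)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(e + "I", data, base + flags_off)
            return p_flags
    return None


def flags_to_str(flags: int) -> str:
    """Render p_flags the way readelf does (R, W, E)."""
    return "".join(c for bit, c in ((PF_R, "R"), (PF_W, "W"), (PF_X, "E")) if flags & bit)


def needs_exec_stack(data: bytes) -> bool:
    """True if loading this object would require an executable stack.
    A missing PT_GNU_STACK header is treated as executable (the x86 loader default)."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def build_elf64(stack_flags: Optional[int]) -> bytes:
    """Constructed test input: a minimal little-endian x86-64 ELF image with one PT_LOAD
    and, optionally, a PT_GNU_STACK header. It is parseable, not loadable."""
    phdrs = [(1, PF_R | PF_X, 0, 0, 0, 0x1000, 0x1000, 0x200000)]   # PT_LOAD
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 8))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)            # 64-bit, LE, version 1
    # e_type=ET_DYN, e_machine=x86-64, e_version, e_entry, e_phoff=64, e_shoff, e_flags,
    # e_ehsize=64, e_phentsize=56, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


def check_file(path: str) -> str:
    """One-line verdict for a real file on disk, e.g. a libcrypto.so.1.0.0."""
    with open(path, "rb") as f:
        data = f.read()
    flags = gnu_stack_flags(data)
    shown = "absent" if flags is None else flags_to_str(flags)
    verdict = "REQUIRES executable stack" if needs_exec_stack(data) else "non-executable stack"
    return "%s: GNU_STACK %s -> %s" % (path, shown, verdict)


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(check_file(p))
```

Run it over the two libraries from the thread (`python3 check_stack.py /usr/lib64/libcrypto.so.1.0.0 /opt/zimbra/openssl-1.0.0j/lib/libcrypto.so.1.0.0`) and the Zimbra copy is the one that reports RWE. That is the library-side fact unSpawn points at in post #6: the execstack denial follows the file, not the user, so relabelling the executable or swapping in a library built without an executable stack are the two ways out, and the latter is the one that keeps the protection.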
 
Old 01-07-2013, 08:36 PM   #3
Biosko
LQ Newbie
 
Registered: Nov 2012
Posts: 8

Original Poster
Thank you for your reply, unSpawn.

What I tested:

1. When the logwatch command was run by anacron -> I receive the permission denied error I mentioned in the first post.

2. When the logwatch command was run by root via the console (manually) -> Everything is OK. I receive the log.

3. When the logwatch command was run by crontab (defined in crontab, no anacron script) ->
Code:
Can't exec "sendmail": No such file or directory at /usr/sbin/logwatch line 1040, <TESTFILE> line 2.
Can't execute sendmail -t: No such file or directory
I thought the problem was that I had not linked the alternatives, but I have. So actually /usr/sbin/sendmail is a link to /etc/alternatives/mta, which is a link to /opt/zimbra/postfix/sbin/sendmail.

The problem must be somewhere in the execution.
So I opened logwatch.conf and changed sendmail -t into /opt/zimbra/postfix/sbin/sendmail -t.
Now I am receiving emails from logwatch via crontab.

I like anacron more, but it's also an acceptable solution for me to receive these logs via crontab, because this server is always on with no interruptions.

In the end it's working, but I am still confused.

a) I don't understand why crontab is able to execute the logwatch command, which is in the /usr/sbin directory, but not able to execute the sendmail command, which is in the same directory.
b) I am facing something like 3 different environments: 1. manually via console as root, 2. root crontab, 3. anacron.
In each of these cases the situation is different. I thought that each of these uses the root environment, but it looks like I was wrong. And I still don't know what the difference is between these 3 when executing a command. In case 1 it works even if it is only sendmail -t in logwatch.conf; in case 2 it only works with an absolute path in logwatch.conf; in case 3 it's not working at all.

Last edited by Biosko; 01-07-2013 at 08:40 PM.
 
Old 01-08-2013, 08:40 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,990
Blog Entries: 54

Quote:
Originally Posted by Biosko
When the logwatch command was run by crontab (defined in crontab, no anacron script) ->
Code:
Can't exec "sendmail": No such file or directory at /usr/sbin/logwatch line 1040, <TESTFILE> line 2.
Can't execute sendmail -t: No such file or directory
Run a cron job just accessing '/usr/bin/env' to see if "/usr/sbin" is in its PATH. If not you could just prefix the path as /usr/sbin/sendmail already symlinks to /opt/zimbra/postfix/sbin/sendmail.


Quote:
Originally Posted by Biosko
I don't understand why crontab is able to execute the logwatch command, which is in the /usr/sbin directory, but not able to execute the sendmail command, which is in the same directory.
If you would have posted /etc/cron.daily/*logwatch* it would have been easier to determine, but generally speaking, on installation Logwatch will either drop a symlink in /etc/cron.daily/ to the Perl script's actual location or may create a cronjob file. The latter may include the full path to the Perl script's actual location.


Quote:
Originally Posted by Biosko
I am facing something like 3 different environments: 1. manually via console as root, 2. root crontab, 3. anacron.
In each of these cases the situation is different. I thought that each of these uses the root environment, but it looks like I was wrong. And I still don't know what the difference is between these 3 when executing a command. In case 1 it works even if it is only sendmail -t in logwatch.conf; in case 2 it only works with an absolute path in logwatch.conf; in case 3 it's not working at all.
In addition to what I wrote above you can gather information from inside the actual process and see for yourself:
Code:
#!/bin/bash --
# Dump the environment the job really runs with (PATH, HOME, SHELL, ...)
/usr/bin/env
# Print the SELinux context of this shell process
secon --self
# Print the SELinux label of every running process whose executable is this script's interpreter
\ps --no-headers -C`basename $(readlink /proc/$$/exe)` -olabel
exit 0
 
Old 01-09-2013, 07:13 AM   #5
Biosko
LQ Newbie
 
Registered: Nov 2012
Posts: 8

Original Poster
Thank you for the reply.

Here are outputs:
From user root
Code:
HOSTNAME=xxxx
SHELL=/bin/bash
TERM=linux
HISTSIZE=1000
USER=root
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
MAIL=/var/spool/mail/root
_=/usr/bin/env
PWD=/root
LANG=en_US.UTF-8
HISTCONTROL=ignoredups
HOME=/root
SHLVL=2
LOGNAME=root
LESSOPEN=|/usr/bin/lesspipe.sh %s
G_BROKEN_FILENAMES=1
user: unconfined_u
role: unconfined_r
type: unconfined_t
sensitivity: s0
clearance: s0:c0.c1023
mls-range: s0-s0:c0.c1023
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Crontab
Code:
SHELL=/bin/sh
USER=root
PATH=/usr/bin:/bin
_=/usr/bin/env
PWD=/root
HOME=/root
SHLVL=2
LOGNAME=root
user: unconfined_u
role: unconfined_r
type: unconfined_t
sensitivity: s0
clearance: s0:c0.c1023
mls-range: s0-s0:c0.c1023
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Anacron
Code:
SHELL=/bin/bash
MAILTO=xxxx
USER=root
PATH=/sbin:/bin:/usr/sbin:/usr/bin
_=/usr/bin/env
PWD=/
HOME=/
SHLVL=4
LOGNAME=root
user: system_u
role: system_r
type: system_cronjob_t
sensitivity: s0
clearance: s0:c0.c1023
mls-range: s0-s0:c0.c1023
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
So probably this explains why I received the command not found error from crontab.
Because it looks like there was no path defined to /usr/sbin.
Also it looks like crontab vs anacron have a different user, role and type, and maybe that is the cause of that avc executable stack problem.
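The three env dumps above show the first of the two problems in the thread in a single variable: the crontab job runs with PATH=/usr/bin:/bin, so a bare `sendmail -t` in logwatch.conf cannot be found, while the console shell and anacron both have /usr/sbin on PATH. The resolver below is an added example written for this page, not code from the thread; it emulates execvp()-style lookup (a command containing a slash is used as-is, otherwise each PATH directory is tried in order) over a constructed model of the poster's filesystem, including the /usr/sbin/sendmail -> /etc/alternatives/mta -> /opt/zimbra/postfix/sbin/sendmail chain described in post #3, and follows symlink chains with loop protection. The PATH strings are the three from the dumps above; the filesystem entries are an assumption built from what the thread states. Note that this only models the lookup failure; the execstack denial under anacron is a property of the library, as unSpawn says in the next post.

```python
import posixpath
from typing import Dict, Optional, Tuple, Union

# Constructed model of the parts of the poster's filesystem that matter here: each path
# maps to "file" or to ("symlink", target). Anything not listed does not exist.
FakeFS = Dict[str, Union[str, Tuple[str, str]]]
FAKE_FS: FakeFS = {
    "/usr/sbin/logwatch": "file",
    "/usr/sbin/sendmail": ("symlink", "/etc/alternatives/mta"),
    "/etc/alternatives/mta": ("symlink", "/opt/zimbra/postfix/sbin/sendmail"),
    "/opt/zimbra/postfix/sbin/sendmail": "file",
    "/usr/bin/env": "file",
}

# The three PATH values from the env dumps in the post above.
PATHS = {
    "console": "/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin",
    "crontab": "/usr/bin:/bin",
    "anacron": "/sbin:/bin:/usr/sbin:/usr/bin",
}


def resolve_symlinks(path: str, fs: FakeFS, max_hops: int = 40) -> Optional[str]:
    """Follow a symlink chain to its final file; None if any step does not exist.
    Relative targets are resolved against the link's own directory, as the kernel does."""
    hops = 0
    while True:
        entry = fs.get(path)
        if entry is None:
            return None
        if entry == "file":
            return path
        _, target = entry
        hops += 1
        if hops > max_hops:
            raise RuntimeError("too many levels of symbolic links: %s" % path)
        if not target.startswith("/"):
            target = posixpath.normpath(posixpath.join(posixpath.dirname(path), target))
        path = target


def lookup(command: str, path_value: str, fs: FakeFS) -> Optional[Tuple[str, str]]:
    """Emulate execvp(): a command containing '/' is used as-is, otherwise each PATH
    directory is tried in order. Returns (entry found, final target) or None."""
    if "/" in command:
        candidates = [command]
    else:
        candidates = [posixpath.join(d, command) for d in path_value.split(":") if d]
    for candidate in candidates:
        final = resolve_symlinks(candidate, fs)
        if final is not None:
            return candidate, final
    return None


def report(command: str, fs: FakeFS = FAKE_FS,
           paths: Dict[str, str] = PATHS) -> Dict[str, Optional[Tuple[str, str]]]:
    """Resolve one command under each of the three environments."""
    return {name: lookup(command, value, fs) for name, value in paths.items()}


if __name__ == "__main__":
    for cmd in ("sendmail", "/usr/sbin/logwatch", "/opt/zimbra/postfix/sbin/sendmail"):
        for env, result in report(cmd).items():
            print("%-8s %-36s %s" % (env, cmd, result or "NOT FOUND"))
```

The output reproduces the poster's three cases: bare `sendmail` resolves from the console and anacron environments but not from crontab, while `/usr/sbin/logwatch` (the full path a cron entry typically carries) and the absolute `/opt/zimbra/postfix/sbin/sendmail` resolve everywhere. The same model is a quick way to audit any cron or service definition for commands that silently depend on the caller's PATH.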
 
Old 01-09-2013, 09:13 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,990
Blog Entries: 54

Quote:
Originally Posted by Biosko
So probably this explains why I received the command not found error from crontab.
Because it looks like there was no path defined to /usr/sbin.
Looks like it, yes.


Quote:
Originally Posted by Biosko
Also it looks like crontab vs anacron have a different user, role and type, and maybe that is the cause of that avc executable stack problem.
No, the execstack problem is specific to the binary or library not the user.
 
  

