View Issue Details

ID: 0005179
Project: CentOS-6
Category: selinux-policy
View Status: public
Last Update: 2011-10-09 07:47
Reporter: amitay
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 6.0
Target Version:
Fixed in Version:
Summary: 0005179: Error running external scripts from MRTG
Description: MRTG is configured to monitor latency using an external shell script. I am able to run the script and the mrtg command as it appears in /etc/cron.d/mrtg from the command line. When the mrtg command is executed from cron, I get the following error:

Can't exec "/usr/local/bin/pingtest.sh": Permission denied at /usr/bin/mrtg line 2030.
2011-10-09 03:36:02: WARNING: Running '/usr/local/bin/pingtest.sh 172.20.93.7': Permission denied
2011-10-09 03:36:02: WARNING: Could not get any data from external command '/usr/local/bin/pingtest.sh 172.20.93.7'
Maybe the external command did not even start. (Permission denied)

Steps To Reproduce:
Copy attached sample.cfg to /etc/mrtg.
Copy attached pingtest.sh script to /usr/local/bin

Add the following line in /etc/cron.d/mrtg

* * * * * root LANG=C LC_ALL=C /usr/bin/mrtg /etc/mrtg/sample.cfg --lock-file /var/lock/mrtg/sample_l --confcache-file /var/lib/mrtg/sample.ok

Check the output from cron (emailed to root)

Additional Information: There are no selinux problems (avc) reported in the log

Here is the output of /var/log/audit/audit.log

type=USER_ACCT msg=audit(1318092061.312:66557): user pid=19953 uid=0 auid=0 ses=12 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1318092061.313:66558): user pid=19953 uid=0 auid=0 ses=12 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1318092061.318:66559): login pid=19953 uid=0 old auid=0 new auid=0 old ses=12 new ses=7519
type=USER_START msg=audit(1318092061.319:66560): user pid=19953 uid=0 auid=0 ses=7519 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1318092061.854:66561): user pid=19953 uid=0 auid=0 ses=7519 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1318092061.854:66562): user pid=19953 uid=0 auid=0 ses=7519 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'


Tags: No tags attached.

Activities

amitay (reporter), 2011-10-08 16:43

files.tar.gz (625 bytes)

athmane (developer), 2011-10-08 17:38, ~0013495

I reproduced the error with the config file (slightly modified) and the external command that you provided.

After fixing selinux contexts, the error stopped (from root's mailbox):

config file => system_u:object_r:mrtg_etc_t:s0
external command => system_u:object_r:bin_t:s0

amitay (reporter), 2011-10-09 02:19, ~0013497

Thanks for your feedback. The only difference I think is that /usr/local is linked to /home/local on my system. The file contexts are set correctly.

# ls -Z /usr/local
lrwxrwxrwx. root root unconfined_u:object_r:usr_t:s0 /usr/local -> /home/local

# ls -Zd /home/local
drwxr-xr-x. root root system_u:object_r:usr_t:s0 /home/local

Is there any way to debug why selinux is preventing access? (Something equivalent to strace?)

athmane (developer), 2011-10-09 07:47, ~0013498

By looking into audit.log or using the sealert command:

sealert -a /var/log/audit/audit.log
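
A sketch of what "looking into audit.log" means for this report, added here as an example and not part of the thread or of any CentOS tool: it counts audit record types and extracts the triage fields of any `avc: denied` record. The AVC line in the sample is constructed (the reporter's excerpt contains only PAM and LOGIN records), and its contexts are placeholders.

```python
import re
from collections import Counter

# Constructed sample: the first two records are from the report; the AVC record
# is invented for illustration and its contexts are placeholders.
SAMPLE_LOG = """\
type=USER_ACCT msg=audit(1318092061.312:66557): user pid=19953 uid=0 auid=0 ses=12 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1318092061.318:66559): login pid=19953 uid=0 old auid=0 new auid=0 old ses=12 new ses=7519
type=AVC msg=audit(1318092061.500:66999): avc:  denied  { execute } for  pid=19960 comm="mrtg" name="pingtest.sh" dev=dm-0 ino=1234 scontext=system_u:system_r:mrtg_t:s0 tcontext=unconfined_u:object_r:example_file_t:s0 tclass=file
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")
PERMS = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
WANTED = ("comm", "name", "scontext", "tcontext", "tclass")


def record_types(log_text):
    """Count audit records by type (USER_ACCT, LOGIN, AVC, ...)."""
    counts = Counter()
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if head:
            counts[head.group(1)] += 1
    return counts


def avc_denials(log_text):
    """Return one dict per 'avc: denied' record with the fields used for triage."""
    denials = []
    for line in log_text.splitlines():
        head, perms = HEADER.match(line), PERMS.search(line)
        if not (head and perms) or head.group(1) != "AVC" or perms.group(1) != "denied":
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        record = {key: fields.get(key) for key in WANTED}
        record["serial"] = int(head.group(3))
        record["perms"] = perms.group(2).split()
        denials.append(record)
    return denials


if __name__ == "__main__":
    print(dict(record_types(SAMPLE_LOG)))   # which record types are present at all
    for denial in avc_denials(SAMPLE_LOG):  # empty list means no logged denial
        print(denial)
```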

Issue History

Date Modified Username Field Change
2011-10-08 16:43 amitay New Issue
2011-10-08 16:43 amitay File Added: files.tar.gz
2011-10-08 17:38 athmane Note Added: 0013495
2011-10-09 02:19 amitay Note Added: 0013497
2011-10-09 07:47 athmane Note Added: 0013498