crontab and selinux

Support for security such as Firewalls and securing linux
i15
Posts: 3
Joined: 2015/11/27 13:50:29

crontab and selinux

Post by i15 » 2015/11/27 13:52:39

Hi. I have Drupal 7 on RHEL 7 and it looks like SELinux blocks crontab.
aureport -a shows:

90. 11/27/2015 01:32:35 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10061
91. 11/27/2015 01:42:35 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10062
92. 11/27/2015 01:52:43 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10063
93. 11/27/2015 02:02:48 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10069
94. 11/27/2015 02:13:02 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10081
95. 11/27/2015 02:23:02 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10082
96. 11/27/2015 02:33:03 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10083
97. 11/27/2015 02:43:03 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10084
98. 11/27/2015 02:53:09 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10094
It looks like the same 10-minute period at which Ultimate Cron tries to start.
I am pretty sure the problem is with SELinux, but I can't find any understandable solution.

TrevorH
Forum Moderator
Posts: 27156
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: crontab and selinux

Post by TrevorH » 2015/11/27 14:37:46

Those don't look like crontab problems. Post the output from ausearch -a 10094, for example.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

i15
Posts: 3
Joined: 2015/11/27 13:50:29

Re: crontab and selinux

Post by i15 » 2015/11/27 17:34:04

TrevorH wrote: Those don't look like crontab problems. Post the output from ausearch -a 10094 for example
Like that?

# ausearch -a 10094
----
time->Fri Nov 27 02:53:09 2015
type=SYSCALL msg=audit(1448592789.092:10094): arch=c000003e syscall=87 success=no exit=-13 a0=7fcb1b7dc118 a1=7fcb1b7dc118 a2=7fcb1b225da0 a3=5657c595 items=0 ppid=14948 pid=1485 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1448592789.092:10094): avc:  denied  { unlink } for  pid=1485 comm="httpd" name="stats_log_global" dev="sda1" ino=50528229 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file

TrevorH
Forum Moderator
Posts: 27156
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: crontab and selinux

Post by TrevorH » 2015/11/27 18:09:31

type=AVC msg=audit(1448592789.092:10094): avc: denied { unlink } for pid=1485 comm="httpd" name="stats_log_global" dev="sda1" ino=50528229 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
That says your apache httpd process tried to delete a file called stats_log_global from whatever filesystem is on /dev/sda1. The file is on inode number 50528229. It's not allowed to do that. Intentionally. The idea is to stop httpd from deleting log files that might contain information useful to track down someone attempting to hack your web server. Not cron at all, unless your cron job is making a request to http to do whatever it's meant to be trying to do.

i15
Posts: 3
Joined: 2015/11/27 13:50:29

Re: crontab and selinux

Post by i15 » 2015/11/27 20:31:22

TrevorH wrote:
type=AVC msg=audit(1448592789.092:10094): avc: denied { unlink } for pid=1485 comm="httpd" name="stats_log_global" dev="sda1" ino=50528229 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
That says your apache httpd process tried to delete a file called stats_log_global from whatever filesystem is on /dev/sda1. The file is on inode number 50528229. It's not allowed to do that. Intentionally. The idea is to stop httpd from deleting log files that might contain information useful to track down someone attempting to hack your web server. Not cron at all, unless your cron job is making a request to http to do whatever it's meant to be trying to do.
I found only one file like that. And it is for mod_pagespeed.
Now I agree, it is not cron, especially because I changed the interval time from 10 to 15 minutes and logs did not change.
But we found one more problem :)
Attachment: Screen Shot 2015-11-27 at 3.30.34 PM.png (118.41 KiB)
