Benjamin Schieder


2015 December 16

I hate SELinux. Hate hate hate hate it. Why? This is why.


#!/bin/bash
# Create a temporary directory, write the report into it and mail it as an attachment.
tmp="$(mktemp -d)"
echo "Some content" > "${tmp}/file.txt"
echo "Please find the report attached." | /bin/mailx -s "Daily report" -a "${tmp}/file.txt" "user@domain.local"
# Remove the attachment and the temporary directory again.
rm "${tmp}/file.txt"
rmdir "${tmp}"

If you run this script on a terminal as any user (root or other) it works just fine. The mail gets delivered as expected. BUT if you run it from a crontab, no mail gets delivered. Not to the specified mail address and not even to the local MTA.

Of course, of the 18 machines that I run this script on from crontab, 16 send the mail just fine. Only 2 don’t. And of course, the admins swear heaven and hell that the machines were installed from the same kickstart file.

It took me hours of debugging to find out that mailx returned an error code (1) when this script got called from crontab. But no error message got delivered anywhere. Calling mailx under strace to see what’s going on revealed that mailx gets a “permission denied” when opening “${tmp}/file.txt”. What? I just created that file in the same context! As the same user! Damn it, I can WRITE to the file! Why can’t I read it again?

Turns out that somehow, somewhere, SELinux decided that, no, I am not allowed to read files I just created. Of course, on the 16 servers that the script worked on, SELinux was disabled. Only the 2 that didn’t send a mail had SELinux enabled.
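As an added diagnostic, not part of the original post: a wrapper that records the mailx exit code, the SELinux mode, the attachment's label and any recent AVC denials in syslog, so a cron failure like the one above is visible instead of silent. The `parse_avc` helper and the sample AVC line are constructed for illustration; the contexts in it are hypothetical, not what the author's hosts reported, and `ausearch` is assumed to be installed.

```bash
#!/bin/bash
# Added diagnostic wrapper (not from the original post). Assumes mailx, logger,
# getenforce, ls -Z and ausearch are available where they are used.

# Summarise one AVC denial line as: comm permission name scontext tcontext.
# Returns 1 if the line does not look like an AVC record.
parse_avc() {
    local line="$1" comm perm name sctx tctx
    comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  *{ *\([^}]*\) *}.*/\1/p' | tr -d ' ')
    name=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
    sctx=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    [ -n "$comm" ] || return 1
    printf '%s %s %s %s %s\n' "$comm" "$perm" "$name" "$sctx" "$tctx"
}

# Send the report; on failure, log the exit code and any SELinux evidence
# instead of letting cron swallow it.  Returns the mailx exit code.
send_report() {
    local attachment="$1" rcpt="$2" rc l
    echo "Please find the report attached." | /bin/mailx -s "Daily report" -a "$attachment" "$rcpt"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        logger -t daily-report "mailx exited $rc for $attachment"
        if command -v getenforce >/dev/null 2>&1; then
            logger -t daily-report "SELinux mode: $(getenforce); attachment label: $(ls -Z "$attachment" 2>&1)"
            # Recent denials (last 10 minutes), one syslog line per AVC record.
            ausearch -m avc -ts recent 2>/dev/null | grep 'avc:  denied' | while IFS= read -r l; do
                logger -t daily-report "AVC: $(parse_avc "$l")"
            done
        fi
    fi
    return "$rc"
}
```

Call `send_report "${tmp}/file.txt" "user@domain.local"` in place of the bare mailx line; when it fails under cron, `journalctl -t daily-report` (or /var/log/messages) then shows the exit code next to the denial that caused it.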

In conclusion, I hate SELinux.


Category: blog

Tags: selinux rant