http://www.politiker-stopp.de/gfx/politiker-stopp-print.png

Benjamin Schieder

I HATE SELINUX

2015 December 16 | 4 comments

I hate SELinux. Hate hate hate hate it. Why? This is why.

#!/bin/bash

tmp="$(mktemp -d)"
echo "Some content" > "${tmp}/file.txt"
echo "Please find the report attached." | /bin/mailx -s "Daily report" -a "${tmp}/file.txt" "user@domain.local"
rm "${tmp}/file.txt"
rmdir "${tmp}"

If you run this script on a terminal as any user (root or other) it works just fine. The mail gets delivered as expected. BUT if you run it from a crontab, no mail gets delivered. Not to the specified mailaddress and not even to the local MTA.

Of course, of the 18 machines that I run this script on from crontab, 16 send the mail just fine. Only 2 don’t. And of course, the admins swear heaven and hell that the machines were installed from the same kickstart file.

It took me hours of debugging to find out that mailx returned an error code (1) when this script got called from crontab. But no error message got delivered anywhere. Calling mailx from strace to see what’s going on revealed that mailx get a “permission denied” when opening “${tmp}/file.txt”. What? I just created that file in the same context! As the same user! Damn it, I can WRITE to the file! Why can’t I read it again?

Turns out that somehow, somewhere, SELinux decided that, no, I am not allowed to read files I just created. Of course, on the 16 servers that the script worked on, SELinux was disabled. Only the 2 that didn’t send a mail had SELinux enabled.

In conclusion, I hate SELinux.

EOF

Category: blog

Tags: selinux rant


4 Comments

From: Tobias Wolter
2015-12-16 10:59

And that's why audit.log needs to be reviewed when you've got SELinux enabled.
Don't hate SELinux because it does exactly what it's supposed to do.

From: Benjamin Schieder
2015-12-16 11:03

In theory, yes. Unfortunately, audit.log is sent to a central logging server here where I don't have access and the local file gets deleted immediately. Yes, the setup sucks :-(

From: dac.override
2015-12-16 13:02

You do not hate SELinux. You have the policy configuration that SELinux enforces.
SELinux is like your Linux police officer robot. It enforces whatever the policy maker tells it to enforce.
By using the SELinux security policy that is shipped by default with your distribution you are basically outsourcing the policy making.
Your distribution tries to strike a balance by providing you with a generic "one-size-fits-no-one" security policy configuration.

From: Benjamin Schieder
2015-12-16 13:07

Alright, I agree. In that case, I hate wherever that policy came from :-)

Post a comment

All comments are held for moderation; basic HTML formatting is accepted.

Name: (required)
E-mail: (required, not published)
Website: (optional)
Comment: