commit: a547a0055cd566d3766c7285bb24c0b050dd4932
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 1 20:24:07 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May 1 20:24:07 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=a547a005

Update previews

---
html/selinux-faq.html | 50 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 49 insertions(+), 1 deletions(-)

diff --git a/html/selinux-faq.html b/html/selinux-faq.html |
index 9dc1bfb..42ccef9 100644 |
--- a/html/selinux-faq.html |
+++ b/html/selinux-faq.html |
@@ -68,6 +68,10 @@ as well. |
LD_PRELOAD cannot be preloaded: ignored' |
</a></li> |
<li><a href="#emergefails">Emerge does not work, giving 'Permission denied: /etc/make.conf'</a></li> |
+<li><a href="#cronfails"> |
+ Cron fails to load in root's crontab with message '(root) ENTRYPOINT |
+ FAILED (crontabs/root)' |
+</a></li> |
</ul> |
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2. |
</span>General SELinux Support Questions</p> |
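Review bot: the wording of the new TOC entry, "Cron fails to load in root's crontab with message ...", reads awkwardly; "Cron fails to load root's crontab with message '(root) ENTRYPOINT FAILED (crontabs/root)'" says the same thing more plainly while keeping the quoted daemon message intact so readers can search for it. The entry correctly matches the section heading added further down, so whatever wording is chosen should be changed in both places. Since html/selinux-faq.html is a generated preview (the commit message is "Update previews"), the fix belongs in the selinux-faq.xml source rather than in this file.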
@@ -337,11 +341,55 @@ This is also necessary if you logged on to your system as root but through SSH. |
The default behavior is that SSH sets the lowest role for the particular user |
when logged on. And you shouldn't allow remote root logins anyhow. |
</p> |
+<p class="secthead"><a name="cronfails"></a><a name="doc_chap5_sect6"> |
+ Cron fails to load in root's crontab with message '(root) ENTRYPOINT |
+ FAILED (crontabs/root)' |
+</a></p> |
+<p> |
+When you hit the mentioned error with a root crontab or an administrative |
+users' crontab, but not with a regular users' crontab, then check the context of |
+the crontab file: |
+</p> |
+<a name="doc_chap5_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.7: Check context of the crontab file</p></td></tr> |
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
+~# <span class="code-input">ls -Z /var/spool/cron/crontabs/root</span> |
+staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root |
+</pre></td></tr> |
+</table> |
+<p> |
+Next, check what the default context is for the given user (in this case, root) |
+when originating from the <span class="code" dir="ltr">crond_t</span> domain: |
+</p> |
+<a name="doc_chap5_pre8"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.8: Check default context for user root</p></td></tr> |
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
+~# <span class="code-input">getseuser root system_u:system_r:crond_t</span> |
+seuser: root, level (null) |
+Context 0 root:sysadm_r:cronjob_t |
+Context 1 root:staff_r:cronjob_t |
+</pre></td></tr> |
+</table> |
+<p> |
+As you can see, the default context is always for the <span class="code" dir="ltr">root</span> SELinux user. |
+However, the <span class="path" dir="ltr">/var/spool/cron/crontabs/root</span> file context in the |
+above example is for the SELinux user staff_u. Hence, cron will not be able to |
+read this file (the <span class="code" dir="ltr">user_cron_spool_t</span> type is a UBAC constrained one). |
+</p> |
+<p> |
+To fix this, change the user of the file to root: |
+</p> |
+<a name="doc_chap5_pre9"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.9: Change the SELinux user of the root crontab file</p></td></tr> |
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
+~# <span class="code-input">chcon -u root /var/spool/cron/crontabs/root</span> |
+</pre></td></tr> |
+</table> |
<br><br> |
</td> |
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr> |
-<tr><td class="topsep" align="center"><p class="alttext">Updated April 30, 2011</p></td></tr> |
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 1, 2011</p></td></tr> |
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> |
Frequently Asked Questions on SELinux integration with Gentoo Hardened. |
The FAQ is a collection of solutions found on IRC, mailinglist, forums or |
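Review bot: "To fix this, change the user of the file to root" (just before Code Listing 5.9) is ambiguous, because a reader may take "user" to mean the Unix owner, while the command that follows, `chcon -u root /var/spool/cron/crontabs/root`, changes only the SELinux user identity in the file's context; say "change the SELinux user of the file to root", as the listing title already does. The explanation preceding it is sound: the `getseuser root system_u:system_r:crond_t` output lists only `root:...:cronjob_t` contexts, while `ls -Z` shows the crontab labelled `staff_u:object_r:user_cron_spool_t`, and the text correctly attributes the denial to the UBAC constraint on `user_cron_spool_t` rather than to a missing type rule. Two small things worth adding to the section: a verification step (re-running the `ls -Z` from Code Listing 5.7 after the `chcon`, which should now show `root` as the first field of the context), and the corrected possessives "an administrative user's crontab" / "a regular user's crontab" in the opening paragraph. As with the rest of this commit, html/selinux-faq.html is a generated preview, so these edits belong in the XML source and should be regenerated from there.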