Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/
Date: Sun, 01 May 2011 20:24:23
Message-Id: a547a0055cd566d3766c7285bb24c0b050dd4932.SwifT@gentoo
commit: a547a0055cd566d3766c7285bb24c0b050dd4932
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 1 20:24:07 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May 1 20:24:07 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=a547a005

Update previews

---
html/selinux-faq.html | 50 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 49 insertions(+), 1 deletions(-)

14 diff --git a/html/selinux-faq.html b/html/selinux-faq.html
15 index 9dc1bfb..42ccef9 100644
16 --- a/html/selinux-faq.html
17 +++ b/html/selinux-faq.html
18 @@ -68,6 +68,10 @@ as well.
19 LD_PRELOAD cannot be preloaded: ignored'
20 </a></li>
21 <li><a href="#emergefails">Emerge does not work, giving 'Permission denied: /etc/make.conf'</a></li>
22 +<li><a href="#cronfails">
23 + Cron fails to load in root's crontab with message '(root) ENTRYPOINT
24 + FAILED (crontabs/root)'
25 +</a></li>
26 </ul>
27 <p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
28 </span>General SELinux Support Questions</p>
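Review bot: the new index entry "Cron fails to load in root's crontab with message '(root) ENTRYPOINT FAILED (crontabs/root)'" does not parse as English ("load in" a crontab); the same wording is repeated in the section title in the next hunk, so both should become "Cron fails to load root's crontab with message '(root) ENTRYPOINT FAILED (crontabs/root)'". Since this file is a generated preview (the Print link in the sidebar points at selinux-faq.xml), the wording fix belongs in the XML source so that it is not lost on the next regeneration.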
29 @@ -337,11 +341,55 @@ This is also necessary if you logged on to your system as root but through SSH.
30 The default behavior is that SSH sets the lowest role for the particular user
31 when logged on. And you shouldn't allow remote root logins anyhow.
32 </p>
33 +<p class="secthead"><a name="cronfails"></a><a name="doc_chap5_sect6">
34 + Cron fails to load in root's crontab with message '(root) ENTRYPOINT
35 + FAILED (crontabs/root)'
36 +</a></p>
37 +<p>
38 +When you hit the mentioned error with a root crontab or an administrative
39 +users' crontab, but not with a regular users' crontab, then check the context of
40 +the crontab file:
41 +</p>
42 +<a name="doc_chap5_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
43 +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.7: Check context of the crontab file</p></td></tr>
44 +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
45 +~# <span class="code-input">ls -Z /var/spool/cron/crontabs/root</span>
46 +staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root
47 +</pre></td></tr>
48 +</table>
49 +<p>
50 +Next, check what the default context is for the given user (in this case, root)
51 +when originating from the <span class="code" dir="ltr">crond_t</span> domain:
52 +</p>
53 +<a name="doc_chap5_pre8"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
54 +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.8: Check default context for user root</p></td></tr>
55 +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
56 +~# <span class="code-input">getseuser root system_u:system_r:crond_t</span>
57 +seuser: root, level (null)
58 +Context 0 root:sysadm_r:cronjob_t
59 +Context 1 root:staff_r:cronjob_t
60 +</pre></td></tr>
61 +</table>
62 +<p>
63 +As you can see, the default context is always for the <span class="code" dir="ltr">root</span> SELinux user.
64 +However, the <span class="path" dir="ltr">/var/spool/cron/crontabs/root</span> file context in the
65 +above example is for the SELinux user staff_u. Hence, cron will not be able to
66 +read this file (the <span class="code" dir="ltr">user_cron_spool_t</span> type is a UBAC constrained one).
67 +</p>
68 +<p>
69 +To fix this, change the user of the file to root:
70 +</p>
71 +<a name="doc_chap5_pre9"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
72 +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.9: Change the SELinux user of the root crontab file</p></td></tr>
73 +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
74 +~# <span class="code-input">chcon -u root /var/spool/cron/crontabs/root</span>
75 +</pre></td></tr>
76 +</table>
77 <br><br>
78 </td>
79 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
80 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
81 -<tr><td class="topsep" align="center"><p class="alttext">Updated April 30, 2011</p></td></tr>
82 +<tr><td class="topsep" align="center"><p class="alttext">Updated May 1, 2011</p></td></tr>
83 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
84 Frequently Asked Questions on SELinux integration with Gentoo Hardened.
85 The FAQ is a collection of solutions found on IRC, mailinglist, forums or
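Review bot: the new section explains the symptom and gives the repair (Code Listing 5.9, `chcon -u root /var/spool/cron/crontabs/root`), but it never says how the file came to carry the staff_u user in the first place, so the reader has no way to keep it from recurring; suggest one sentence on the cause (for instance that the crontab was written from a staff_u session, if that is the case the author has in mind) and a note that the chcon command must be repeated if the file is recreated that way. After the fix, an `ls -Z` line showing the corrected context would also close the loop with Code Listing 5.7. Grammar in the first paragraph: "an administrative users' crontab" and "a regular users' crontab" should read "user's" in both places.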