Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/
Date: Sun, 01 May 2011 20:21:45
Message-Id: ae56f62162c95b724fb5f2f749b94255dee913bb.SwifT@gentoo
1 commit: ae56f62162c95b724fb5f2f749b94255dee913bb
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Sun May 1 20:21:26 2011 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Sun May 1 20:21:26 2011 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ae56f621
7
8 Add cron failure information
9
10 ---
11 xml/selinux-faq.xml | 51 +++++++++++++++++++++++++++++++++++++++++++++++++--
12 1 files changed, 49 insertions(+), 2 deletions(-)
13
14 diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
15 index d042d2c..3922c94 100644
16 --- a/xml/selinux-faq.xml
17 +++ b/xml/selinux-faq.xml
18 @@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
19 elsewhere
20 </abstract>
21
22 -<version>5</version>
23 -<date>2011-04-30</date>
24 +<version>6</version>
25 +<date>2011-05-01</date>
26
27 <faqindex>
28 <title>Questions</title>
29 @@ -415,5 +415,52 @@ when logged on. And you shouldn't allow remote root logins anyhow.
30
31 </body>
32 </section>
33 +<section id="cronfails">
34 +<title>
35 + Cron fails to load in root's crontab with message '(root) ENTRYPOINT
36 + FAILED (crontabs/root)'
37 +</title>
38 +<body>
39 +
40 +<p>
41 +When you hit the mentioned error with a root crontab or an administrative
42 +users' crontab, but not with a regular users' crontab, then check the context of
43 +the crontab file:
44 +</p>
45 +
46 +<pre caption="Check context of the crontab file">
47 +~# <i>ls -Z /var/spool/cron/crontabs/root</i>
48 +staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root
49 +</pre>
50 +
51 +<p>
52 +Next, check what the default context is for the given user (in this case, root)
53 +when originating from the <c>crond_t</c> domain:
54 +</p>
55 +
56 +<pre caption="Check default context for user root">
57 +~# <i>getseuser root system_u:system_r:crond_t</i>
58 +seuser: root, level (null)
59 +Context 0 root:sysadm_r:cronjob_t
60 +Context 1 root:staff_r:cronjob_t
61 +</pre>
62 +
63 +<p>
64 +As you can see, the default context is always for the <c>root</c> SELinux user.
65 +However, the <path>/var/spool/cron/crontabs/root</path> file context in the
66 +above example is for the SELinux user staff_u. Hence, cron will not be able to
67 +read this file (the <c>user_cron_spool_t</c> type is a UBAC constrained one).
68 +</p>
69 +
70 +<p>
71 +To fix this, change the user of the file to root:
72 +</p>
73 +
74 +<pre caption="Change the SELinux user of the root crontab file">
75 +~# <i>chcon -u root /var/spool/cron/crontabs/root</i>
76 +</pre>
77 +
78 +</body>
79 +</section>
80 </chapter>
81 </guide>
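Review bot: In the new "cronfails" section, the paragraph beginning "As you can see" explains the failure only by calling user_cron_spool_t "a UBAC constrained one". It neither expands UBAC (user-based access control) nor states the rule the fix depends on: the SELinux user on the crontab file has to match the SELinux user of the cronjob_t contexts that getseuser returns. Stating that rule would let readers apply the same check to the "administrative users' crontab" case from the first paragraph, where the value to pass to chcon -u may not be root. The section also does not say how the file came to be labelled staff_u, so a reader cannot tell whether the chcon change will hold the next time the crontab is edited. Minor: "users' crontab" should be "user's crontab" in both places, and the title would read better as "Cron fails to load root's crontab".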