Hello

Thanks for the help, I solved my problem with user_r and sysadm_r; it's
working OK now, but I still have a problem with my cron.
Everything (probably) useful I can find in the logs is:

Could someone please help me or show me the right way I should go.

Thank you
Sep 25 05:23:01 gentoo64 cron[24435]: (root) ENTRYPOINT FAILED (crontabs/root)

Sep 25 05:21:53 gentoo64 audit(1159154513.832:8048): avc: denied { search } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8049): avc: denied { write } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8050): avc: denied { add_name } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8051): avc: denied { create } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=tester:object_r:unlabeled_t tclass=file
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8052): avc: denied { associate } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:object_r:unlabeled_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8053): avc: denied { setattr } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8054): avc: denied { getattr } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:21:53 gentoo64 audit(1159154513.844:8055): avc: denied { write } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:22:02 gentoo64 audit(1159154522.949:8056): avc: denied { read } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:22:02 gentoo64 audit(1159154522.949:8057): avc: denied { remove_name } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:22:02 gentoo64 audit(1159154522.949:8058): avc: denied { unlink } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file

Antoine Martin wrote:
>>>> The policy does not allow a role transition from user_r to sysadm_r.
>>>> So that's why su can't work.
>>>>
>>>>
>>> The solution in this case is to make sure that when you login as root
>>> you get into sysadm_u:sysadm_r:sysadm_t or another context which does
>>> allow the transition to sysadm. Setting the default for ssh is fairly
>>> well documented.
>>>
>> Thanks for the help; could you please send me some link to manuals? I googled
>> it (probably wrong) but I didn't find anything useful.
>>
> /etc/security/default_contexts
> is what you're looking for.
>
> Antoine
>
>

--
gentoo-hardened@g.o mailing list
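A small triage script for AVC denial lines like the ones posted above, added here as an example; it is not code from the thread, from Antoine, or from the Gentoo project. It assumes the classic `avc: denied { perms } for key=value ...` syslog format shown in the post. The sample lines are a subset of the thread's audit messages, joined back to one record per line (the mail client had wrapped them); the `ENTRYPOINT FAILED` line is included to show that non-AVC lines are skipped. The grouping it produces (source type, target type, object class, permission set) is what a policy author looks at before deciding whether a denial calls for a policy change at all; the `unlabeled_t` check is a standard SELinux triage heuristic that the thread itself does not state.

```python
"""Parse SELinux AVC denials and group them for triage (added example)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the denials from the thread, one per line.
SAMPLE_LOG = """\
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8048): avc: denied { search } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8049): avc: denied { write } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8051): avc: denied { create } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=tester:object_r:unlabeled_t tclass=file
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8052): avc: denied { associate } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:object_r:unlabeled_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
Sep 25 05:23:01 gentoo64 cron[24435]: (root) ENTRYPOINT FAILED (crontabs/root)
"""

# "avc: denied { perm perm } for <key=value ...>"
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Split user:role:type so the type component is easy to test on.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else ""
    return rec


def parse_log(text):
    """Parse every AVC line in a syslog excerpt, skipping the rest."""
    return [r for r in (parse_avc(ln) for ln in text.splitlines()) if r]


def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for r in records:
        key = (r["scontext_type"], r["tcontext_type"], r["tclass"])
        groups[key].update(r["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def unlabeled_targets(records):
    """Return (name, tclass) pairs whose target type is unlabeled_t.

    A target of unlabeled_t means the object carries no SELinux label at all
    (filesystem never relabeled, or mounted without xattr support). Such
    denials are fixed by labeling the filesystem, not by adding allow rules.
    """
    return sorted({(r.get("name", ""), r["tclass"]) for r in records
                   if r["tcontext_type"] == "unlabeled_t"})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, perms in summarize(recs).items():
        print(key, perms)
    print("unlabeled targets:", unlabeled_targets(recs))
```

Run on the sample, the script groups the crontab denials into three buckets and reports that every target, including the directory `/` at `ino=2` (the root of the filesystem), is `unlabeled_t`. When the whole target side of a denial set is unlabeled like this, the thing to check first is the labeling of the mounted filesystem rather than the cron policy module.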