The only logged error from vixie-cron:
Aug 20 19:01:01 tux cron[9304]: (arguseyes) ENTRYPOINT FAILED (crontabs/arguseyes)

The avc.log:
Aug 20 19:00:32 tux type=1400 audit(1219284032.151:2574): avc: denied { read } for pid=28854
comm="crontab" name="arguseyes" dev=dm-3 ino=1261578
scontext=unconfined_u:unconfined_r:unconfined_crontab_t tcontext=unconfined_u:object_r:user_cron_spool_t
tclass=file
Aug 20 19:00:32 tux type=1400 audit(1219284032.151:2575): avc: denied { getattr } for pid=28854
comm="crontab" path="/var/spool/cron/crontabs/arguseyes" dev=dm-3 ino=1261578
scontext=unconfined_u:unconfined_r:unconfined_crontab_t tcontext=unconfined_u:object_r:user_cron_spool_t
tclass=file
Aug 20 19:00:45 tux type=1400 audit(1219284045.115:2576): avc: denied { unlink } for pid=28854
comm="crontab" name="arguseyes" dev=dm-3 ino=1261578
scontext=unconfined_u:unconfined_r:unconfined_crontab_t tcontext=unconfined_u:object_r:user_cron_spool_t
tclass=file

The actual context of the user crontab (/var/spool/cron/crontab/arguseyes):
unconfined_u:object_r:unconfined_cron_spool_t

My user ID from id -Z:
unconfined_u:unconfined_r:unconfined_t

Hope this helps.
----------------------------------------
> Subject: Re: [gentoo-hardened] SELinux: ENTRYPOINT FAILED for vixie-cron using policy modules 20080525
> From: pebenito@g.o
> To: gentoo-hardened@l.g.o
> Date: Mon, 18 Aug 2008 09:10:56 -0400
>
> On Sun, 2008-08-17 at 17:58 -0400, Randy Tupas wrote:
>> I am using selinux on a gentoo desktop, targeted policy (version 22)
>> with unstable policy modules 20080525. Policycoreutils ebuild version
>> 1.34.15.
>>
>> Since "upgrading", I have been receiving "ENTRYPOINT FAILED" from
>> vixie-cron.
>>
>> Re-emerging vixie-cron does not resolve the problem.
>>
>> Changing the type-context of "/var/spool/cron/crontab/username" from
>> "unconfined_cron_spool_t" to "user_cron_spool_t" allows vixie-cron to
>> run the crontab. The same applies to root crontabs by changing
>> "unconfined_cron_spool_t" to "sysadm_cron_spool_t".
>>
>> Unfortunately, I receive a lot of avc denials (below):
>>
>> Aug 17 14:30:01 tux type=1400 audit(1219008601.354:1507): avc: denied
>> { read } for pid=23035 comm="sh" name="reports" dev=dm-1 ino=360670
>> scontext=user_u:user_r:user_crond_t
>> tcontext=unconfined_u:object_r:unconfined_home_t tclass=dir
>>
>> I didn't have this problem when the old default user was "user_u" or
>> "root", vice "unconfined_u".
>
> What are the full cron error messages?
>
> --
> Chris PeBenito
>
> Developer,
> Hardened Gentoo Linux
>
> Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
> Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
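
Added example, not part of the original message and not code from Gentoo or any SELinux tool: a small Python parser that re-joins the mail-wrapped AVC records from avc.log above and groups the denied permissions by source type, target type, class and command. The function names are illustrative; the sample input is the three denials quoted in the message.

```python
import re
from collections import defaultdict

# Sample input: the three avc.log denials from the message, wrapped as in the mail.
SAMPLE = """\
Aug 20 19:00:32 tux type=1400 audit(1219284032.151:2574): avc: denied { read } for pid=28854
comm="crontab" name="arguseyes" dev=dm-3 ino=1261578
scontext=unconfined_u:unconfined_r:unconfined_crontab_t tcontext=unconfined_u:object_r:user_cron_spool_t
tclass=file
Aug 20 19:00:32 tux type=1400 audit(1219284032.151:2575): avc: denied { getattr } for pid=28854
comm="crontab" path="/var/spool/cron/crontabs/arguseyes" dev=dm-3 ino=1261578
scontext=unconfined_u:unconfined_r:unconfined_crontab_t tcontext=unconfined_u:object_r:user_cron_spool_t
tclass=file
Aug 20 19:00:45 tux type=1400 audit(1219284045.115:2576): avc: denied { unlink } for pid=28854
comm="crontab" name="arguseyes" dev=dm-3 ino=1261578
scontext=unconfined_u:unconfined_r:unconfined_crontab_t tcontext=unconfined_u:object_r:user_cron_spool_t
tclass=file
"""

AVC = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
                 r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def unwrap(text):
    """Re-join records a mail client wrapped; each record starts at 'audit('."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if "audit(" in line or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Map (source type, target type, class, comm) -> sorted denied permissions."""
    out = defaultdict(set)
    for rec in unwrap(text):
        m = AVC.search(rec)
        if m:
            # The type is the third field of an SELinux context user:role:type[:level].
            key = (m["s"].split(":")[2], m["t"].split(":")[2], m["cls"], m["comm"])
            out[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    for (src, tgt, cls, comm), perms in summarize(SAMPLE).items():
        print(f"{comm}: {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

All three records collapse into one group: crontab running as unconfined_crontab_t denied getattr, read and unlink on a file labelled user_cron_spool_t.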