| 1 |
The only logged error from vixie-cron: |
| 2 |
Aug 20 19:01:01 tux cron[9304]: (arguseyes) ENTRYPOINT FAILED (crontabs/arguseyes) |
| 3 |
|
| 4 |
The avc.log: |
| 5 |
Aug 20 19:00:32 tux type=1400 audit(1219284032.151:2574): avc: denied { read } for pid=28854 |
| 6 |
comm="crontab" name="arguseyes" dev=dm-3 ino=1261578 |
| 7 |
scontext=unconfined_u:unconfined_r:unconfined_crontab_t tcontext=unconfined_u:object_r:user_cron_spool_t |
| 8 |
tclass=file |
| 9 |
Aug 20 19:00:32 tux type=1400 audit(1219284032.151:2575): avc: denied { getattr } for pid=28854 |
| 10 |
comm="crontab" path="/var/spool/cron/crontabs/arguseyes" dev=dm-3 ino=1261578 |
| 11 |
scontext=unconfined_u:unconfined_r:unconfined_crontab_t tcontext=unconfined_u:object_r:user_cron_spool_t |
| 12 |
tclass=file |
| 13 |
Aug 20 19:00:45 tux type=1400 audit(1219284045.115:2576): avc: denied { unlink } for pid=28854 |
| 14 |
comm="crontab" name="arguseyes" dev=dm-3 ino=1261578 |
| 15 |
scontext=unconfined_u:unconfined_r:unconfined_crontab_t tcontext=unconfined_u:object_r:user_cron_spool_t |
| 16 |
tclass=file |
| 17 |
|
| 18 |
The actual context of the user crontab (/var/spool/cron/crontab/arguseyes) |
| 19 |
unconfined_u:object_r:unconfined_cron_spool_t |
| 20 |
|
| 21 |
I user ID from id -Z: |
| 22 |
unconfined_u:unconfined_r:unconfined_t |
| 23 |
|
| 24 |
Hope this helps. |
| 25 |
---------------------------------------- |
| 26 |
> Subject: Re: [gentoo-hardened] SELinux: ENTRYPOINT FAILED for vixie-cron using policy modules 20080525 |
| 27 |
> From: pebenito@g.o |
| 28 |
> To: gentoo-hardened@l.g.o |
| 29 |
> Date: Mon, 18 Aug 2008 09:10:56 -0400 |
| 30 |
> |
| 31 |
> On Sun, 2008-08-17 at 17:58 -0400, Randy Tupas wrote: |
| 32 |
>> I am using selinux on a gentoo desktop, targeted policy (version 22) |
| 33 |
>> with unstable policy modules 20080525. Policycoreutils ebuild version |
| 34 |
>> 1.34.15. |
| 35 |
>> |
| 36 |
>> Since "upgrading", I have been receiving "ENTRYPOINT FAILED" from |
| 37 |
>> vixie-cron. |
| 38 |
>> |
| 39 |
>> Re-emerging vixie-cron does not resolve the problem. |
| 40 |
>> |
| 41 |
>> Changing the type-context of "/var/spool/cron/crontab/username" from |
| 42 |
>> "unconfined_cron_spool_t" to "user_cron_spool_t" allows vixie-cron to |
| 43 |
>> run the crontab. The same applies to root crontabs by changing |
| 44 |
>> "unconfined_cron_spool_t" to "sysadm_cron_spool_t". |
| 45 |
>> |
| 46 |
>> Unfortunately, I receive a lot of avc denials (below): |
| 47 |
>> |
| 48 |
>> Aug 17 14:30:01 tux type=1400 audit(1219008601.354:1507): avc: denied |
| 49 |
>> { read } for pid=23035 comm="sh" name="reports" dev=dm-1 ino=360670 |
| 50 |
>> scontext=user_u:user_r:user_crond_t |
| 51 |
>> tcontext=unconfined_u:object_r:unconfined_home_t tclass=dir |
| 52 |
>> |
| 53 |
>> I didn't have this problem when the old default user was "user_u" or |
| 54 |
>> "root", vice "unconfined_u". |
| 55 |
> |
| 56 |
> What are the full cron error messages? |
| 57 |
> |
| 58 |
> -- |
| 59 |
> Chris PeBenito |
| 60 |
> |
| 61 |
> Developer, |
| 62 |
> Hardened Gentoo Linux |
| 63 |
> |
| 64 |
> Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 65 |
> Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
| 66 |
|
| 67 |
_________________________________________________________________ |
| 68 |
Talk to your Yahoo! Friends via Windows Live Messenger. Find out how. |
| 69 |
http://www.windowslive.com/explore/messenger?ocid=TXT_TAGLM_WL_messenger_yahoo_082008 |
Archives