On Wed, 2008-08-20 at 22:06 -0400, Randy Tupas wrote:
> The only logged error from vixie-cron:
> Aug 20 19:01:01 tux cron[9304]: (arguseyes) ENTRYPOINT FAILED (crontabs/arguseyes)
>
> The avc.log:
> Aug 20 19:00:32 tux type=1400 audit(1219284032.151:2574): avc: denied { read } for pid=28854
> comm="crontab" name="arguseyes" dev=dm-3 ino=1261578
> scontext=unconfined_u:unconfined_r:unconfined_crontab_t tcontext=unconfined_u:object_r:user_cron_spool_t
> tclass=file
> Aug 20 19:00:32 tux type=1400 audit(1219284032.151:2575): avc: denied { getattr } for pid=28854
> comm="crontab" path="/var/spool/cron/crontabs/arguseyes" dev=dm-3 ino=1261578
> scontext=unconfined_u:unconfined_r:unconfined_crontab_t tcontext=unconfined_u:object_r:user_cron_spool_t
> tclass=file
> Aug 20 19:00:45 tux type=1400 audit(1219284045.115:2576): avc: denied { unlink } for pid=28854
> comm="crontab" name="arguseyes" dev=dm-3 ino=1261578
> scontext=unconfined_u:unconfined_r:unconfined_crontab_t tcontext=unconfined_u:object_r:user_cron_spool_t
> tclass=file
>
> The actual context of the user crontab (/var/spool/cron/crontab/arguseyes)
> unconfined_u:object_r:unconfined_cron_spool_t
>
> My user ID from id -Z:
> unconfined_u:unconfined_r:unconfined_t

Looks like the vixie-cron patch needs to be updated to use
getseuserbyname(), which is the function that handles user login
mappings (the ones set by "semanage login").

> Hope this helps.
> ----------------------------------------
> > Subject: Re: [gentoo-hardened] SELinux: ENTRYPOINT FAILED for vixie-cron using policy modules 20080525
> > From: pebenito@g.o
> > To: gentoo-hardened@l.g.o
> > Date: Mon, 18 Aug 2008 09:10:56 -0400
> >
> > On Sun, 2008-08-17 at 17:58 -0400, Randy Tupas wrote:
> >> I am using selinux on a gentoo desktop, targeted policy (version 22)
> >> with unstable policy modules 20080525. Policycoreutils ebuild version
> >> 1.34.15.
> >>
> >> Since "upgrading", I have been receiving "ENTRYPOINT FAILED" from
> >> vixie-cron.
> >>
> >> Re-emerging vixie-cron does not resolve the problem.
> >>
> >> Changing the type-context of "/var/spool/cron/crontab/username" from
> >> "unconfined_cron_spool_t" to "user_cron_spool_t" allows vixie-cron to
> >> run the crontab. The same applies to root crontabs by changing
> >> "unconfined_cron_spool_t" to "sysadm_cron_spool_t".
> >>
> >> Unfortunately, I receive a lot of avc denials (below):
> >>
> >> Aug 17 14:30:01 tux type=1400 audit(1219008601.354:1507): avc: denied
> >> { read } for pid=23035 comm="sh" name="reports" dev=dm-1 ino=360670
> >> scontext=user_u:user_r:user_crond_t
> >> tcontext=unconfined_u:object_r:unconfined_home_t tclass=dir
> >>
> >> I didn't have this problem when the old default user was "user_u" or
> >> "root", vice "unconfined_u".
> >
> > What are the full cron error messages?

-- 
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
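The AVC records quoted in this thread are the raw material for the diagnosis: what matters in each one is the source type (from scontext), the target type (from tcontext), the object class and the denied permissions. The script below is an added example, written for this page and not part of the thread, vixie-cron, audit2allow or the reference policy. It parses "avc: denied" lines of the form shown above, collapses them into the allow rules audit2allow would print, and then flags source/target pairs whose role prefixes (user_, staff_, sysadm_, unconfined_) disagree, which is exactly the pattern in this thread: an unconfined_crontab_t process hitting a user_cron_spool_t file, and a user_crond_t job hitting an unconfined_home_t directory. The sample lines are the thread's own denials rejoined onto one line each (constructed input, not a live capture); the prefix check is a heuristic of my own, not a libselinux facility.

```python
import re
from collections import defaultdict

# Constructed sample input: the denials quoted in the thread, each rejoined
# onto a single line (the mail client had wrapped them). Not a live capture.
SAMPLE_AVC = [
    'Aug 20 19:00:32 tux type=1400 audit(1219284032.151:2574): avc: denied { read } for pid=28854 '
    'comm="crontab" name="arguseyes" dev=dm-3 ino=1261578 '
    'scontext=unconfined_u:unconfined_r:unconfined_crontab_t '
    'tcontext=unconfined_u:object_r:user_cron_spool_t tclass=file',
    'Aug 20 19:00:32 tux type=1400 audit(1219284032.151:2575): avc: denied { getattr } for pid=28854 '
    'comm="crontab" path="/var/spool/cron/crontabs/arguseyes" dev=dm-3 ino=1261578 '
    'scontext=unconfined_u:unconfined_r:unconfined_crontab_t '
    'tcontext=unconfined_u:object_r:user_cron_spool_t tclass=file',
    'Aug 20 19:00:45 tux type=1400 audit(1219284045.115:2576): avc: denied { unlink } for pid=28854 '
    'comm="crontab" name="arguseyes" dev=dm-3 ino=1261578 '
    'scontext=unconfined_u:unconfined_r:unconfined_crontab_t '
    'tcontext=unconfined_u:object_r:user_cron_spool_t tclass=file',
    'Aug 17 14:30:01 tux type=1400 audit(1219008601.354:1507): avc: denied { read } for pid=23035 '
    'comm="sh" name="reports" dev=dm-1 ino=360670 '
    'scontext=user_u:user_r:user_crond_t '
    'tcontext=unconfined_u:object_r:unconfined_home_t tclass=dir',
    # A non-AVC cron line, to show that the parser ignores it.
    'Aug 20 19:01:01 tux cron[9304]: (arguseyes) ENTRYPOINT FAILED (crontabs/arguseyes)',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Role prefixes the reference policy uses for per-role derived types
# (user_t, staff_t, sysadm_t, unconfined_t and the types derived from them).
ROLE_PREFIXES = ('user', 'staff', 'sysadm', 'unconfined')


def parse_avc(line):
    """Return {'perms': [...]} plus the key=value fields of one 'avc: denied'
    record, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def role_prefix(type_name):
    """Role prefix of a derived type ('unconfined' for unconfined_crontab_t),
    or None when the type does not carry one."""
    prefix = type_name.split('_', 1)[0]
    return prefix if prefix in ROLE_PREFIXES else None


def summarize(lines):
    """Collapse denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or 'scontext' not in rec or 'tcontext' not in rec:
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        rules[key].update(rec['perms'])
    return dict(rules)


def format_rules(rules):
    """Render the summary the way audit2allow would print it."""
    return [f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (s, t, cls), perms in sorted(rules.items())]


def prefix_mismatches(rules):
    """Heuristic (not a libselinux check): (source_type, target_type) pairs
    whose role prefixes differ, e.g. an unconfined_ domain touching a user_
    labelled file. Such a denial usually points at a labelling or login
    mapping problem rather than at a missing allow rule."""
    hits = []
    for (s, t, _cls) in sorted(rules):
        ps, pt = role_prefix(s), role_prefix(t)
        if ps and pt and ps != pt:
            hits.append((s, t))
    return hits


if __name__ == '__main__':
    rules = summarize(SAMPLE_AVC)
    for rule in format_rules(rules):
        print(rule)
    for s, t in prefix_mismatches(rules):
        print(f"role prefix mismatch: {s} -> {t}")
```

Run against the sample, format_rules() prints the two rules an audit2allow pass would suggest, and prefix_mismatches() flags both of them. That is the practical point: each of those rules would silence the denial, but both pairs have a domain from one role reaching into objects labelled for another, which is the symptom Chris attributes to the cron patch deriving the wrong user mapping, not to a gap in the policy.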