| 1 |
On Wed, 2008-08-20 at 22:06 -0400, Randy Tupas wrote: |
| 2 |
> The only logged error from vixie-cron: |
| 3 |
> Aug 20 19:01:01 tux cron[9304]: (arguseyes) ENTRYPOINT FAILED (crontabs/arguseyes) |
| 4 |
> |
| 5 |
> The avc.log: |
| 6 |
> Aug 20 19:00:32 tux type=1400 audit(1219284032.151:2574): avc: denied { read } for pid=28854 |
| 7 |
> comm="crontab" name="arguseyes" dev=dm-3 ino=1261578 |
| 8 |
> scontext=unconfined_u:unconfined_r:unconfined_crontab_t tcontext=unconfined_u:object_r:user_cron_spool_t |
| 9 |
> tclass=file |
| 10 |
> Aug 20 19:00:32 tux type=1400 audit(1219284032.151:2575): avc: denied { getattr } for pid=28854 |
| 11 |
> comm="crontab" path="/var/spool/cron/crontabs/arguseyes" dev=dm-3 ino=1261578 |
| 12 |
> scontext=unconfined_u:unconfined_r:unconfined_crontab_t tcontext=unconfined_u:object_r:user_cron_spool_t |
| 13 |
> tclass=file |
| 14 |
> Aug 20 19:00:45 tux type=1400 audit(1219284045.115:2576): avc: denied { unlink } for pid=28854 |
| 15 |
> comm="crontab" name="arguseyes" dev=dm-3 ino=1261578 |
| 16 |
> scontext=unconfined_u:unconfined_r:unconfined_crontab_t tcontext=unconfined_u:object_r:user_cron_spool_t |
| 17 |
> tclass=file |
| 18 |
> |
| 19 |
> The actual context of the user crontab (/var/spool/cron/crontab/arguseyes) |
| 20 |
> unconfined_u:object_r:unconfined_cron_spool_t |
| 21 |
> |
| 22 |
> I user ID from id -Z: |
| 23 |
> unconfined_u:unconfined_r:unconfined_t |
| 24 |
|
| 25 |
Looks like the vixie-cron patch needs to be updated to use |
| 26 |
getseuserbyname(), which is the function which handles user login |
| 27 |
mappings (the ones set by "semanage login"). |
| 28 |
|
| 29 |
> Hope this helps. |
| 30 |
> ---------------------------------------- |
| 31 |
> > Subject: Re: [gentoo-hardened] SELinux: ENTRYPOINT FAILED for vixie-cron using policy modules 20080525 |
| 32 |
> > From: pebenito@g.o |
| 33 |
> > To: gentoo-hardened@l.g.o |
| 34 |
> > Date: Mon, 18 Aug 2008 09:10:56 -0400 |
| 35 |
> > |
| 36 |
> > On Sun, 2008-08-17 at 17:58 -0400, Randy Tupas wrote: |
| 37 |
> >> I am using selinux on a gentoo desktop, targeted policy (version 22) |
| 38 |
> >> with unstable policy modules 20080525. Policycoreutils ebuild version |
| 39 |
> >> 1.34.15. |
| 40 |
> >> |
| 41 |
> >> Since "upgrading", I have been receiving "ENTRYPOINT FAILED" from |
| 42 |
> >> vixie-cron. |
| 43 |
> >> |
| 44 |
> >> Re-emerging vixie-cron does not resolve the problem. |
| 45 |
> >> |
| 46 |
> >> Changing the type-context of "/var/spool/cron/crontab/username" from |
| 47 |
> >> "unconfined_cron_spool_t" to "user_cron_spool_t" allows vixie-cron to |
| 48 |
> >> run the crontab. The same applies to root crontabs by changing |
| 49 |
> >> "unconfined_cron_spool_t" to "sysadm_cron_spool_t". |
| 50 |
> >> |
| 51 |
> >> Unfortunately, I receive a lot of avc denials (below): |
| 52 |
> >> |
| 53 |
> >> Aug 17 14:30:01 tux type=1400 audit(1219008601.354:1507): avc: denied |
| 54 |
> >> { read } for pid=23035 comm="sh" name="reports" dev=dm-1 ino=360670 |
| 55 |
> >> scontext=user_u:user_r:user_crond_t |
| 56 |
> >> tcontext=unconfined_u:object_r:unconfined_home_t tclass=dir |
| 57 |
> >> |
| 58 |
> >> I didn't have this problem when the old default user was "user_u" or |
| 59 |
> >> "root", vice "unconfined_u". |
| 60 |
> > |
| 61 |
> > What are the full cron error messages? |
| 62 |
|
| 63 |
-- |
| 64 |
Chris PeBenito |
| 65 |
<pebenito@g.o> |
| 66 |
Developer, |
| 67 |
Hardened Gentoo Linux |
| 68 |
|
| 69 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 70 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives