It appears that several of your cron-related files are not labeled. Furthermore, the temp files cron is creating are not being labeled when they are generated. Check to see that you have sec-policy/selinux-vixie-cron installed and try doing 'make relabel'.

stanke wrote:
> Hello
>
> Thanks for the help, I solved my problem with user_r and sysadm_r; it's working OK now, but I still have a problem with my cron. Everything (probably) useful I can find in the logs is:
>
> Could someone please help me or show me the right way I should go.
>
> Thank you
>
> Sep 25 05:23:01 gentoo64 cron[24435]: (root) ENTRYPOINT FAILED (crontabs/root)
>
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8048): avc: denied { search } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8049): avc: denied { write } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8050): avc: denied { add_name } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8051): avc: denied { create } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=tester:object_r:unlabeled_t tclass=file
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8052): avc: denied { associate } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:object_r:unlabeled_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8053): avc: denied { setattr } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8054): avc: denied { getattr } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
> Sep 25 05:21:53 gentoo64 audit(1159154513.844:8055): avc: denied { write } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
> Sep 25 05:22:02 gentoo64 audit(1159154522.949:8056): avc: denied { read } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
> Sep 25 05:22:02 gentoo64 audit(1159154522.949:8057): avc: denied { remove_name } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
> Sep 25 05:22:02 gentoo64 audit(1159154522.949:8058): avc: denied { unlink } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
>
> Antoine Martin wrote:
>>>>> The policy does not allow a role transition from user_r to sysadm_r. So that's why su can't work.
>>>>>
>>>> The solution in this case is to make sure that when you login as root you get into sysadm_u:sysadm_r:sysadm_t or another context which does allow the transition to sysadm. Setting the default for ssh is fairly well documented.
>>>>
>>> Thanks for the help. Could you please send me a link to some manuals? I googled it (probably wrong) but I didn't find anything useful.
>>>
>> /etc/security/default_contexts
>> is what you're looking for.
>>
>> Antoine
>>
>

--
lunaslide * GPG key->lunapark.org/~luna/key.asc

...you shall now pay me in full for the grief you have caused me on account of my comrades whom you have killed in battle.
 - Achilles, The Iliad

--
gentoo-hardened@g.o mailing list
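As an added example (not code from this thread or from the Gentoo hardened project), here is a small Python triage script for AVC denial records like the ones quoted above. It parses the `avc: denied { perms } for key=value ...` format, groups denials by source type, target type and object class, and flags every group in which the target (or source) type is `unlabeled_t`. That flag is the point of the reply at the top of this message: a denial against `unlabeled_t` is a labeling problem to be fixed by relabeling, not a rule missing from policy. The sample input is the thread's own log lines; the "relabel" versus "check policy" verdict is a heuristic of this example and is not stated anywhere in the thread.

```python
import re
from collections import defaultdict

# Constructed sample input: the audit records quoted in the thread above,
# one record per line (the first line is a cron message, not an AVC record).
SAMPLE_LOG = """\
Sep 25 05:23:01 gentoo64 cron[24435]: (root) ENTRYPOINT FAILED (crontabs/root)
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8048): avc: denied { search } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8049): avc: denied { write } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8050): avc: denied { add_name } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8051): avc: denied { create } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=tester:object_r:unlabeled_t tclass=file
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8052): avc: denied { associate } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:object_r:unlabeled_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8053): avc: denied { setattr } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8054): avc: denied { getattr } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:21:53 gentoo64 audit(1159154513.844:8055): avc: denied { write } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:22:02 gentoo64 audit(1159154522.949:8056): avc: denied { read } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:22:02 gentoo64 audit(1159154522.949:8057): avc: denied { remove_name } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:22:02 gentoo64 audit(1159154522.949:8058): avc: denied { unlink } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
"""

# "avc: denied { perm [perm ...] } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """SELinux contexts are user:role:type[:range]; the type is the third field."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def diagnose(log_text):
    """Group denied permissions by (source type, target type, class) and collect
    the objects that carry unlabeled_t on either side of the denial."""
    findings = defaultdict(set)   # (src_type, tgt_type, tclass) -> {permissions}
    unlabeled = set()             # (object name, tclass) involving unlabeled_t
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        src = context_type(rec["scontext"])
        tgt = context_type(rec["tcontext"])
        findings[(src, tgt, rec["tclass"])].update(rec["perms"])
        if "unlabeled_t" in (src, tgt):
            unlabeled.add((rec.get("name", "?"), rec["tclass"]))
    return findings, unlabeled


def report(log_text):
    """One summary line per (source, target, class) group with a triage verdict.
    The verdict is this example's heuristic: unlabeled_t means the object has no
    label to match policy against, so relabeling (not policy) is the fix."""
    findings, _ = diagnose(log_text)
    lines = []
    for (src, tgt, tclass), perms in sorted(findings.items()):
        verdict = "relabel: object is unlabeled_t" if "unlabeled_t" in (src, tgt) else "check policy"
        lines.append(f"{src} -> {tgt} ({tclass}): {' '.join(sorted(perms))} [{verdict}]")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the thread's records the script reduces eleven denials to three groups (directory, file and filesystem operations by sysadm_crontab_t against unlabeled_t), all of which carry the relabel verdict, which matches the advice at the top of this reply. On a healthy system the same script would instead show labeled target types, and those groups are the ones worth reading against the policy.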