On 01/18/2011 05:46 PM, Luciano Furtado wrote:
> Hi group,
> Why is the context of the crontab spool directory set to <<none>>
> in /etc/selinux/default/contexts/files/file_contexts?
I suspect that may be related to some historical issues. Maybe we used
to prefix the cron spool files with a role prefix, and since all users'
crontabs would go in the same directory there would be no way to tell
the system what the file context should be reset to.
I think currently these files should all be labelled user_cron_spool_t.
> /var/spool/cron/crontabs/.* -- <<none>>
> I am getting the following AVC messages:
Not sure how these files got the file_t type. Can you reproduce that?
> [ 17.600000] type=1400 audit(1295191072.769:6): avc: denied { read }
> for pid=1847 comm="cron" name="root" dev=xvda ino=106585
> scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:file_t:s0 tclass=file
> [ 17.600000] type=1400 audit(1295191072.769:7): avc: denied {
> getattr } for pid=1847 comm="cron"
> path="/var/spool/cron/crontabs/root"
> dev=xvda ino=106585 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:file_t:s0 tclass=file
> Is cron_spool_t the right context for this file?
> Best Regards.
> Luciano
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
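Added example, not part of the thread: a small Python diagnostic that parses AVC denial records like the two above and looks the denied path up in a file_contexts excerpt, to show why a crontab labelled file_t that matches a <<none>> entry is not repaired by restorecon. Both the log records and the file_contexts lines are constructed from what the thread quotes; the "later, more specific entry wins" matching rule is a simplification that gives the same result as libselinux for these two entries.

```python
import re

# Constructed sample input: the two denials quoted in the thread, one record per line.
AVC_LOG = """\
type=1400 audit(1295191072.769:6): avc: denied { read } for pid=1847 comm="cron" name="root" dev=xvda ino=106585 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
type=1400 audit(1295191072.769:7): avc: denied { getattr } for pid=1847 comm="cron" path="/var/spool/cron/crontabs/root" dev=xvda ino=106585 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
"""

# Constructed file_contexts excerpt; the <<none>> entry is the one quoted in the thread.
FILE_CONTEXTS = """\
/var/spool/cron(/.*)?         system_u:object_r:cron_spool_t:s0
/var/spool/cron/crontabs/.*   --   <<none>>
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Turn one AVC denial record into a dict of its key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in KV_RE.findall(m.group('kv')):
        rec[key] = val.strip('"')
    rec['ttype'] = rec['tcontext'].split(':')[2]  # type field of the target context
    return rec


def load_file_contexts(text):
    """Parse 'regex [filetype] context' lines; entries are anchored like libselinux does."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith('#'):
            continue
        entries.append((re.compile(parts[0] + '$'), parts[-1]))
    return entries


def match_file_context(entries, path):
    """Simplified lookup: the last (here, more specific) matching entry wins."""
    ctx = None
    for regex, context in entries:
        if regex.match(path):
            ctx = context
    return ctx


def diagnose(avc_log, file_contexts):
    """For each denial carrying a path=, report the target label versus the policy's expectation."""
    entries = load_file_contexts(file_contexts)
    findings = []
    for line in avc_log.splitlines():
        rec = parse_avc(line)
        if rec is None or 'path' not in rec:
            continue  # records with only name= cannot be matched against file_contexts
        expected = match_file_context(entries, rec['path'])
        if rec['ttype'] == 'file_t' and expected == '<<none>>':
            verdict = 'unlabeled file on a <<none>> path: restorecon leaves it alone'
        elif rec['ttype'] == 'file_t':
            verdict = 'unlabeled file: restorecon would relabel it to ' + str(expected)
        else:
            verdict = 'labeled %s, policy expects %s' % (rec['ttype'], expected)
        findings.append({'path': rec['path'], 'perms': rec['perms'], 'ttype': rec['ttype'],
                         'source': rec['scontext'].split(':')[2], 'expected': expected,
                         'verdict': verdict})
    return findings
```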