/usr/bin/run-parts has context system_u:object_r:bin_t under selinux-policy-strict-1.13.4-6 (and earlier).
crond_t.te has entries to search bin_t dirs, but not to read/getattr/execute bin_t files.
Here is the AVC for run-parts:
audit(1087423260.368:0): avc: denied { getattr } for pid=4135 exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file
thanks. tom
On Thu, 17 Jun 2004 08:54, Tom London selinux@comcast.net wrote:
> /usr/bin/run-parts has context system_u:object_r:bin_t under selinux-policy-strict-1.13.4-6 (and earlier).
> crond_t.te has entries to search bin_t dirs, but not to read/getattr/execute bin_t files.
> Here is the AVC for run-parts:
> audit(1087423260.368:0): avc: denied { getattr } for pid=4135 exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file
This appears to be a bug in crond, it should not be executing that program in crond_t.
Is it possible that the 'mrtg_exec_t' issue is the same? crond seems to want to execute /usr/bin/mrtg (system_u:object_r:mrtg_exec_t) as crond_t as well...
tom
Russell Coker wrote:
> On Thu, 17 Jun 2004 08:54, Tom London selinux@comcast.net wrote:
> > /usr/bin/run-parts has context system_u:object_r:bin_t under selinux-policy-strict-1.13.4-6 (and earlier).
> > crond_t.te has entries to search bin_t dirs, but not to read/getattr/execute bin_t files.
> > Here is the AVC for run-parts:
> > audit(1087423260.368:0): avc: denied { getattr } for pid=4135 exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file
> This appears to be a bug in crond, it should not be executing that program in crond_t.
On Thu, 17 Jun 2004 11:10, Tom London selinux@comcast.net wrote:
> Is it possible that the 'mrtg_exec_t' issue is the same? crond seems to want to execute /usr/bin/mrtg (system_u:object_r:mrtg_exec_t) as crond_t as well...
Yes.
On Wed, 2004-06-16 at 20:43, Russell Coker wrote:
> This appears to be a bug in crond, it should not be executing that program in crond_t.
Yes, the current vixie-cron in rawhide is broken; it fails to set its exec context before executing cron jobs due to a logic error. Dan already knows.
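As an added example (not code from the thread, from the policy package, or from vixie-cron), here is a small Python parser for AVC records of the kind quoted above. It extracts the permission set, the source and target contexts and the object class, and flags the two patterns the thread discusses: the daemon domain crond_t touching generic bin_t files, and crond_t reaching a type such as mrtg_exec_t directly instead of through a domain transition. The first sample line is the run-parts AVC quoted in the thread; the second line, and the mrtg_exec_t to mrtg_t expectation table, are constructed assumptions for illustration, not data from the thread.

```python
"""Parse SELinux AVC denial records and flag cron jobs that ran in crond_t.

Added example: the diagnostic rules are a simplified heuristic written for this
thread, not part of any SELinux tool or policy package.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input. The first record is the run-parts AVC quoted in the
# thread; the second is a constructed mrtg denial matching the thread's description.
SAMPLE_AVCS = [
    "audit(1087423260.368:0): avc: denied { getattr } for pid=4135 exe=/bin/bash "
    "path=/usr/bin/run-parts dev=hdb3 ino=1006312 "
    "scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file",
    "audit(1087423300.101:0): avc: denied { execute } for pid=4140 exe=/bin/bash "
    "path=/usr/bin/mrtg dev=hdb3 ino=1006400 "
    "scontext=system_u:system_r:crond_t tcontext=system_u:object_r:mrtg_exec_t tclass=file",
]

# Hypothetical expectation table (assumption, not from the thread): an entry-point
# type that should only be reached via a domain transition, and the domain that
# is supposed to run it.
EXPECTED_DOMAIN_FOR_EXEC_TYPE = {
    "mrtg_exec_t": "mrtg_t",
}

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class AvcRecord:
    result: str
    perms: List[str]
    fields: Dict[str, str]

    def type_of(self, key: str) -> Optional[str]:
        """Return the type component (user:role:type) of a context field."""
        ctx = self.fields.get(key)
        if ctx is None:
            return None
        parts = ctx.split(":")
        return parts[2] if len(parts) > 2 else None


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one AVC line; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = m.group("perms").split()
    fields = dict(KV_RE.findall(m.group("rest")))
    return AvcRecord(m.group("result"), perms, fields)


def diagnose(rec: AvcRecord) -> Tuple[str, Optional[str], Optional[str]]:
    """Classify a file-class denial raised from the cron daemon's own domain.

    Returns (verdict, source_type, related_type):
      missing_transition   - source hit an entry-point type without transitioning;
                             related_type is the domain that should have run it
      job_in_daemon_domain - crond_t touched a generic bin_t file, i.e. the job
                             ran without an exec-context change
      other                - anything else
    """
    src = rec.type_of("scontext")
    tgt = rec.type_of("tcontext")
    if rec.fields.get("tclass") != "file":
        return ("other", src, tgt)
    expected = EXPECTED_DOMAIN_FOR_EXEC_TYPE.get(tgt or "")
    if expected is not None and src != expected:
        return ("missing_transition", src, expected)
    if src == "crond_t" and tgt == "bin_t":
        return ("job_in_daemon_domain", src, tgt)
    return ("other", src, tgt)


def diagnose_all(lines: List[str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Parse and classify every AVC record in a list of log lines."""
    return [diagnose(r) for r in (parse_avc(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_AVCS, diagnose_all(SAMPLE_AVCS)):
        rec = parse_avc(line)
        print(f"{rec.fields.get('path')}: {' '.join(rec.perms)} -> {verdict}")
```

The parser only reads the AVC line; whether a given exec type is supposed to be entered by transition comes from the expectation table, which in practice would be filled from the policy's type_transition rules rather than hard-coded as here.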
selinux@lists.fedoraproject.org