5:54 p.m.
/usr/bin/run-parts has context system_u:object_r:bin_t under
selinux-policy-strict-1.13.4-6 (and earlier).
crond_t.te has entries to search bin_t dirs, but not to
read/getattr/execute bin_t files.
Here is the AVC for run-parts:
audit(1087423260.368:0): avc: denied { getattr } for pid=4135
exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
thanks.
tom
7:43 p.m.
On Thu, 17 Jun 2004 08:54, Tom London <selinux(a)comcast.net> wrote:
/usr/bin/run-parts has context system_u:object_r:bin_t under
selinux-policy-strict-1.13.4-6 (and earlier).
crond_t.te has entries to search bin_t dirs, but not to
read/getattr/execute bin_t files.
Here is the AVC for run-parts:
audit(1087423260.368:0): avc: denied { getattr } for pid=4135
exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
This appears to be a bug in crond, it should not be executing that program in
crond_t.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
8:10 p.m.
Is it possible that the 'mrtg_exec_t' issue is the same? crond seems to
want to execute /usr/bin/mrtg (system_u:object:r:mrtg_exec_t) as crond_t
as well.....
tom
Russell Coker wrote:
On Thu, 17 Jun 2004 08:54, Tom London <selinux(a)comcast.net>
wrote:
>/usr/bin/run-parts has context system_u:object_r:bin_t under
>selinux-policy-strict-1.13.4-6 (and earlier).
>
>crond_t.te has entries to search bin_t dirs, but not to
>read/getattr/execute bin_t files.
>
>Here is the AVC for run-parts:
>audit(1087423260.368:0): avc: denied { getattr } for pid=4135
>exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312
>scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
>tclass=file
>
>
This appears to be a bug in crond, it should not be executing that program in
crond_t.
10:58 p.m.
On Thu, 17 Jun 2004 11:10, Tom London <selinux(a)comcast.net> wrote:
Is it possible that the 'mrtg_exec_t' issue is the same?
crond seems to
want to execute /usr/bin/mrtg (system_u:object:r:mrtg_exec_t) as crond_t
as well.....
Yes.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
6:46 a.m.
On Wed, 2004-06-16 at 20:43, Russell Coker wrote:
This appears to be a bug in crond, it should not be executing that
program in
crond_t.
Yes, the current vixie-cron in rawhide is broken; fails to set its exec
context before executing cron jobs due to a logic error. Dan already
knows.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
7301
days inactive
7302
days old
selinux@lists.fedoraproject.org
4 comments
3 participants
participants (3)
-
Russell Coker -
Stephen Smalley -
Tom London