rawhide strict & crond

Holger Burde hburde at t-online.de
Tue Apr 26 12:05:50 UTC 2005


Hi;

It looked that way:

[root at dragon bin]# ls -lZ /var/spool/cron/
-rw-------  root     root     root:object_r:sysadm_cron_spool_t apache

I created the cron entry as root/sysadm_r with the -u flag for user
apache. 

After I changed it to root:object_r:user_cron_spool_t it worked !
THX

hb

On Tuesday, 26.04.2005, 07:35 -0400, Stephen Smalley wrote: 
> On Tue, 2005-04-26 at 10:05 +0200, Holger Burde wrote:
> > I tried to run a cron job from the apache account but nothing happens
> > besides an entry in /var/log/cron :
> > 
> > Apr 26 10:51:49 dragon crond[4284]: (CRON) STARTUP (V5.0)
> > Apr 26 10:51:49 dragon crond[4284]: (apache) ENTRYPOINT FAILED
> > (cron/apache)
> > 
> > (wrong context? )
> 
> Yes; crond applies an entrypoint permission check of its own between the
> security context for the cron job process and the security context on
> the crontab file to prevent tricking a more trusted cron job process
> (e.g. root's cron jobs) from running untrustworthy input.  What does ls
> -Z /var/spool/cron/ show?  In the absence of an explicit user identity
> for apache in the SELinux policy, I'd expect the apache crontab to be
> labeled <user>:object_r:user_cron_spool_t (the <user> doesn't matter;
> could be system_u or user_u or root).
> 
> > audit2allow -i /var/log/messages -l
> > nothing ...
> 
> Yes, it isn't a kernel denial; it is a check by crond.
> 
-- 
Holger Burde <hburde at t-online.de>
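The check Stephen describes is done by crond itself, not by the kernel, so it leaves no AVC denial for audit2allow to find; the only evidence is the ENTRYPOINT FAILED line in /var/log/cron and a crontab whose label does not fit its owner. The script below is an added example, not code from this thread or from the crond or SELinux projects: it reads `ls -lZ /var/spool/cron/` output and flags crontab files whose SELinux type is not the one a non-root user's crontab is expected to carry. It assumes (as Stephen's reply states) that ordinary users' crontabs should be `user_cron_spool_t`, and additionally assumes that root's own crontab should be `sysadm_cron_spool_t` under the strict policy; the user identity part of the context is ignored, as he says it does not matter. The sample listing is constructed to mirror the one above.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit crontab spool labels
# against what crond's entrypoint check expects for each user.
#
# Assumptions (not stated as such in the thread):
#   - root's crontab should be typed sysadm_cron_spool_t
#   - every other user's crontab should be typed user_cron_spool_t
#   - the SELinux user (root, system_u, user_u, ...) is ignored

# Constructed sample of `ls -lZ /var/spool/cron/` output: the apache file is
# mislabeled exactly as in the thread; the other two files are correct.
SAMPLE_LISTING='-rw-------  root     root     root:object_r:sysadm_cron_spool_t apache
-rw-------  root     root     root:object_r:sysadm_cron_spool_t root
-rw-------  root     root     system_u:object_r:user_cron_spool_t backup'

# expected_cron_spool_type <crontab owner>: print the expected SELinux type.
expected_cron_spool_type() {
    if [ "$1" = root ]; then
        echo sysadm_cron_spool_t
    else
        echo user_cron_spool_t
    fi
}

# check_cron_spool_labels: read ls -lZ lines on stdin; for every crontab whose
# type does not match, print "<file> <actual type> expected <expected type>".
# Returns 1 if any mismatch was found, 0 otherwise. Works with both the old
# short `ls -lZ` layout shown in the thread and newer layouts with size/date,
# since it picks the field containing ":object_r:" and the last field as the file.
check_cron_spool_labels() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        file=${line##* }
        context=$(printf '%s\n' "$line" |
            awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) { print $i; exit } }')
        [ -n "$context" ] || continue
        # security context is user:role:type[:range]; the type is field 3
        type=$(printf '%s\n' "$context" | cut -d: -f3)
        expected=$(expected_cron_spool_type "$file")
        if [ "$type" != "$expected" ]; then
            printf '%s %s expected %s\n' "$file" "$type" "$expected"
            bad=1
        fi
    done
    return $bad
}

# Stand-alone run against the constructed sample. On a real system use:
#   ls -lZ /var/spool/cron/ | check_cron_spool_labels
printf '%s\n' "$SAMPLE_LISTING" | check_cron_spool_labels ||
    echo "mismatch found: relabel with chcon -t <expected type> /var/spool/cron/<file>"
```

The one mismatch it reports for the sample is the apache crontab, which is what the ENTRYPOINT FAILED line in the log corresponds to; relabeling that file with chcon to user_cron_spool_t is the fix described in the reply above.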