Old 02-20-2009, 11:36 AM
Dominick Grift
 
Rawhide Can't update crontab using gnome-schedule.

On Fri, 2009-02-20 at 11:15 +0000, Frank Murphy wrote:
> Gnome-Schedule opens, but cannot update any tasks.
> ~/audit/.log
> doesn't show any specific denials.
> Happens as pure root, (sudo, su) user
>
> sudo gnome-schedule
> Access denied by SELinux, must be privileged to use -u

Have the same issue. After semodule -DB, got these:

#============= chkpwd_t ==============
selinux_getattr_fs(chkpwd_t)
selinux_search_fs(chkpwd_t)
selinux_set_generic_booleans(chkpwd_t)

#============= crontab_t ==============
allow crontab_t chkpwd_t:process { siginh noatsecure rlimitinh };
allow crontab_t security_t:security compute_av;
selinux_getattr_fs(crontab_t)
selinux_set_generic_booleans(crontab_t)

#============= dgrift_sudo_t ==============
allow dgrift_sudo_t unconfined_t:process { siginh noatsecure rlimitinh };
userdom_search_admin_dir(dgrift_sudo_t)

#============= dgrift_t ==============
allow dgrift_t dgrift_sudo_t:process { siginh noatsecure rlimitinh };

#============= semanage_t ==============
allow semanage_t setfiles_t:process { siginh noatsecure rlimitinh };

Will try to figure out which of these solves this issue.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-20-2009, 11:54 AM
Dominick Grift
 
Rawhide Can't update crontab using gnome-schedule.

On Fri, 2009-02-20 at 11:15 +0000, Frank Murphy wrote:
> Gnome-Schedule opens, but cannot update any tasks.
> ~/audit/.log
> doesn't show any specific denials.
> Happens as pure root, (sudo, su) user
>
> sudo gnome-schedule
> Access denied by SELinux, must be privileged to use -u

It wants this:

time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.394:41): arch=c000003e syscall=137
success=yes exit=0 a0=860060 a1=7fffe9f391f0 a2=1000 a3=7fffe9f38f90
items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab"
exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1235133152.394:41): avc: denied { getattr } for
pid=3741 comm="crontab" name="/" dev=selinuxfs ino=1
scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.394:42): arch=c000003e syscall=4
success=no exit=1427685336 a0=7fffe9f381c0 a1=7fffe9f38130
a2=7fffe9f38130
a3=7fffe9f37ee0 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab"
exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1235133152.394:42): avc: denied { getattr } for
pid=3741 comm="crontab" path="/selinux/class" dev=selinuxfs ino=26
scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1235133152.394:42): avc: denied { search } for
pid=3741 comm="crontab" name="/" dev=selinuxfs ino=1
scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=dir
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.395:43): arch=c000003e syscall=2
success=no exit=1427685336 a0=7fffe9f38190 a1=0 a2=7fffe9f3819c
a3=7fffe9f37f40 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab"
exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1235133152.395:43): avc: denied { open } for
pid=3741 comm="crontab" name="mls" dev=selinuxfs ino=12
scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1235133152.395:43): avc: denied { read } for
pid=3741 comm="crontab" name="mls" dev=selinuxfs ino=12
scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=file
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.397:44): arch=c000003e syscall=2
success=yes exit=3 a0=7fffe9f381c0 a1=90800 a2=7fffe9f381db
a3=7fffe9f37e90
items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab"
exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1235133152.397:44): avc: denied { open } for
pid=3741 comm="crontab" name="perms" dev=selinuxfs ino=67111432
scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1235133152.397:44): avc: denied { read } for
pid=3741 comm="crontab" name="perms" dev=selinuxfs ino=67111432
scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=dir
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.398:45): arch=c000003e syscall=4
success=yes exit=0 a0=7fffe9f381c0 a1=7fffe9f38120 a2=7fffe9f38120
a3=fffffff9 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab"
exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1235133152.398:45): avc: denied { getattr } for
pid=3741 comm="crontab" path="/selinux/class/passwd/perms/crontab"
dev=selinuxfs ino=67109859
scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=file
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.398:46): arch=c000003e syscall=2
success=yes exit=3 a0=7fffe9f38200 a1=2 a2=7fffe9f3820f
a3=8101010101010100
items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab"
exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1235133152.398:46): avc: denied { write } for
pid=3741 comm="crontab" name="access" dev=selinuxfs ino=6
scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=file
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.398:47): arch=c000003e syscall=1
success=no exit=1427685336 a0=3 a1=1070300 a2=65 a3=7fffe9f37f70
items=0
ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab" exe="/usr/bin/crontab"
subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1235133152.398:47): avc: denied { compute_av } for
pid=3741 comm="crontab"
scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=security

This module will allow it:

policy_module(myschedule, 0.0.1)

require { type crontab_t, security_t; }

allow crontab_t security_t:security compute_av;
selinux_set_generic_booleans(crontab_t)


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
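The AVC records in the message above, reduced to the raw allow rules they correspond to, so the permissions actually denied can be set beside whatever a local module or interface grants before it is loaded. This is an added example, not code from the thread or from the SELinux tools; the function names `unwrap`, `summarize` and `allow_rules` are hypothetical, and the sample is built from records in the post.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records taken from the post above, mail-wrapped as
# they arrived, with the target context written as system_u:object_r.
SAMPLE = """\
type=AVC msg=audit(1235133152.395:43): avc: denied { open } for
pid=3741 comm="crontab" name="mls" dev=selinuxfs ino=12
scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1235133152.395:43): avc: denied { read } for
pid=3741 comm="crontab" name="mls" dev=selinuxfs ino=12
scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=file
----
type=AVC msg=audit(1235133152.398:47): avc: denied { compute_av } for
pid=3741 comm="crontab"
scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?"
                 r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def unwrap(text):
    """Rejoin mail-wrapped lines so each type=... record is one string."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("type="):
            records.append(line)
        elif records and line and not line.startswith(("----", "time->")):
            records[-1] += " " + line
    return records

def summarize(text):
    """Map (source type, target type, class) to the denied permissions.
    The type is the third field of a user:role:type:level context."""
    denied = defaultdict(set)
    for rec in unwrap(text):
        m = AVC.search(rec)  # SYSCALL records simply do not match
        if m:
            perms, scon, tcon, tclass = m.groups()
            key = (scon.split(":")[2], tcon.split(":")[2], tclass)
            denied[key].update(perms.split())
    return dict(denied)

def allow_rules(text):
    """One allow rule per (source, target, class), permissions merged."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summarize(text).items())]
```

`allow_rules(SAMPLE)` returns one rule for `security_t:file` with `open` and `read` merged, and one for `security_t:security` with `compute_av`.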
 

All times are GMT.