Linux Archive (http://www.linux-archive.org/)
-   Fedora SELinux Support (http://www.linux-archive.org/fedora-selinux-support/)
-   -   cron/anacron discrepancy in Centos 5? (http://www.linux-archive.org/fedora-selinux-support/356688-cron-anacron-discrepancy-centos-5-a.html)

"Moray Henderson (ICT)" 04-14-2010 10:53 AM

cron/anacron discrepancy in Centos 5?
 
After I do a fresh install of a (slightly customised) CentOS 5, a
logwatch run is kicked off by anacron. It tries to run a directory size
scan, which generates a whole list of errors:

du: cannot read directory `/var/log/audit': Permission denied
du: cannot read directory `/var/log/pm': Permission denied
...
du: cannot access `/usr/lib/sa/sa2': Permission denied
du: cannot read directory `/usr/lib/httpd': Permission denied

with corresponding AVCs:

type=AVC msg=audit(1271158392.750:101): avc: denied { read } for
pid=3429 comm="du" name="audit" dev=dm-4 ino=418914
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1271158392.845:102): avc: denied { read } for
pid=3429 comm="du" name="pm" dev=dm-4 ino=418940
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hald_log_t:s0 tclass=dir
...
type=AVC msg=audit(1271158414.619:266): avc: denied { getattr } for
pid=3432 comm="du" path="/usr/lib/sa/sa2" dev=dm-1 ino=457413
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysstat_exec_t:s0 tclass=file
type=AVC msg=audit(1271158414.648:267): avc: denied { read } for
pid=3432 comm="du" name="httpd" dev=dm-1 ino=422750
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir

However, once the system has settled down and logwatch is being run by
cron, the errors no longer appear. Both cron and anacron have the same
type:

-rwxr-xr-x root root system_u:object_r:crond_exec_t /usr/sbin/anacron
-rwxr-xr-x root root system_u:object_r:crond_exec_t /usr/sbin/crond

-rwxr-xr-x root root system_u:object_r:logwatch_exec_t /usr/share/logwatch/scripts/logwatch.pl

So why does it fail from one and work from the other?


Moray.
"To err is human.* To purr, feline"



--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
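The AVC records in the post above are the raw material for diagnosing this. As an added example (not part of the original message, and not from the logwatch or SELinux projects), the following Python script parses `type=AVC` audit records, groups the denials by source domain, target type, object class and permission, and renders them as the kind of candidate allow rules audit2allow would print. The sample input is the four records quoted in the post, re-joined onto one line each because the archive wrapped them; the function names (`parse_avc`, `summarize`, `allow_rules`) are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the AVC records quoted in the post, one record per line.
SAMPLE_AVCS = """\
type=AVC msg=audit(1271158392.750:101): avc: denied { read } for pid=3429 comm="du" name="audit" dev=dm-4 ino=418914 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1271158392.845:102): avc: denied { read } for pid=3429 comm="du" name="pm" dev=dm-4 ino=418940 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_log_t:s0 tclass=dir
type=AVC msg=audit(1271158414.619:266): avc: denied { getattr } for pid=3432 comm="du" path="/usr/lib/sa/sa2" dev=dm-1 ino=457413 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysstat_exec_t:s0 tclass=file
type=AVC msg=audit(1271158414.648:267): avc: denied { read } for pid=3432 comm="du" name="httpd" dev=dm-1 ino=422750 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir
"""

# Header of an AVC record: timestamp, serial, result and the permission set.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>[0-9]+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for '
    r'(?P<fields>.*)$'
)
# key=value pairs after "for": values are double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': int(fields.get('pid', 0)),
        'comm': fields.get('comm'),
        # The kernel reports either a full path or just the last component.
        'object': fields.get('path') or fields.get('name'),
        'sdomain': selinux_type(fields['scontext']),
        'ttype': selinux_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def summarize(text):
    """Count denials keyed by (source domain, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            counts[(rec['sdomain'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts


def allow_rules(counts):
    """Render grouped denials as candidate TE allow rules, audit2allow-style.

    One rule per (source, target, class); permissions are merged and sorted.
    """
    rules = {}
    for (sdomain, ttype, tclass, perm) in counts:
        rules.setdefault((sdomain, ttype, tclass), set()).add(perm)
    return sorted(
        'allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
        for (s, t, c), p in rules.items()
    )


if __name__ == '__main__':
    for rule in allow_rules(summarize(SAMPLE_AVCS)):
        print(rule)
```

On a real system the same input comes from `ausearch -m avc` or directly from /var/log/audit/audit.log. The generated rules are a starting point for reading, not for loading: each one widens what `logwatch_t` may touch, so before building a local policy module it is worth checking whether a boolean already covers the access or whether a mislabelled file is the actual cause, since the wrong fix here is a permanent hole in the logwatch domain.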
