04-14-2010, 10:53 AM
"Moray Henderson (ICT)"

cron/anacron discrepancy in CentOS 5?

After I do a fresh install of a (slightly customised) CentOS 5, a
logwatch run is kicked off by anacron. It tries to run a directory size
scan, which generates a whole list of errors:

du: cannot read directory `/var/log/audit': Permission denied
du: cannot read directory `/var/log/pm': Permission denied
...
du: cannot access `/usr/lib/sa/sa2': Permission denied
du: cannot read directory `/usr/lib/httpd': Permission denied

with corresponding AVCs:

type=AVC msg=audit(1271158392.750:101): avc: denied { read } for
pid=3429 comm="du" name="audit" dev=dm-4 ino=418914
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1271158392.845:102): avc: denied { read } for
pid=3429 comm="du" name="pm" dev=dm-4 ino=418940
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hald_log_t:s0 tclass=dir
...
type=AVC msg=audit(1271158414.619:266): avc: denied { getattr } for
pid=3432 comm="du" path="/usr/lib/sa/sa2" dev=dm-1 ino=457413
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysstat_exec_t:s0 tclass=file
type=AVC msg=audit(1271158414.648:267): avc: denied { read } for
pid=3432 comm="du" name="httpd" dev=dm-1 ino=422750
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir

However, once the system has settled down and logwatch is being run by
cron, the errors no longer appear. Both cron and anacron have the same
type:

-rwxr-xr-x root root system_u:object_r:crond_exec_t /usr/sbin/anacron
-rwxr-xr-x root root system_u:object_r:crond_exec_t /usr/sbin/crond

-rwxr-xr-x root root system_u:object_r:logwatch_exec_t
/usr/share/logwatch/scripts/logwatch.pl

So why does it fail from one and work from the other?


Moray.
"To err is human. To purr, feline"



--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
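
Added example, not part of the original post: a small Python parser that groups AVC denials like those quoted above by source type, source MLS range, target type and object class, so the denials from one run can be compared against another. The function names are illustrative, and the sample input is the four denials from the post unwrapped to one record per line.

```python
import re
from collections import defaultdict

# The four denials quoted in the post, unwrapped to one record per line.
SAMPLE = """\
type=AVC msg=audit(1271158392.750:101): avc: denied { read } for pid=3429 comm="du" name="audit" dev=dm-4 ino=418914 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1271158392.845:102): avc: denied { read } for pid=3429 comm="du" name="pm" dev=dm-4 ino=418940 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_log_t:s0 tclass=dir
type=AVC msg=audit(1271158414.619:266): avc: denied { getattr } for pid=3432 comm="du" path="/usr/lib/sa/sa2" dev=dm-1 ino=457413 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysstat_exec_t:s0 tclass=file
type=AVC msg=audit(1271158414.648:267): avc: denied { read } for pid=3432 comm="du" name="httpd" dev=dm-1 ino=422750 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':'."""
    user, role, setype, mls = (ctx.split(":", 3) + [""] * 4)[:4]
    return {"user": user, "role": role, "type": setype, "range": mls}

def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", ""),
        "object": fields.get("path") or fields.get("name", ""),
        "tclass": fields.get("tclass", ""),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
    }

def summarize(text):
    """Map (source type, source range, target type, tclass) -> sorted denied perms."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, text.splitlines())):
        key = (rec["source"]["type"], rec["source"]["range"], rec["target"]["type"], rec["tclass"])
        groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for (stype, srange, ttype, tclass), perms in sorted(summarize(SAMPLE).items()):
        print(f"{stype} [{srange}] -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
```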
 
