11-19-2007, 05:41 PM
Jouni Viikari

Cron after upgrade (FC6 -> FC8)

Is it possible to run crontab job as a root any more on FC8? I get this
in /var/log/cron and job is not run:

... crond[2511]: (root) Unauthorized SELinux context (cron/root)


Thanks,

Jouni


# ls -lZ /var/spool/cron/
-rw------- root root system_u:object_r:unconfined_cron_spool_t root

# rpm -qa | grep selinux-policy-targeted
selinux-policy-targeted-3.0.8-53.fc8

I just tried my luck (just guessing):

# chcon -t sysadm_crond_t /var/spool/cron/root
chcon: failed to change context of /var/spool/cron/root to
system_u:object_r:sysadm_crond_t: Permission denied

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
11-19-2007, 07:23 PM
Daniel J Walsh

Cron after upgrade (FC6 -> FC8)

Jouni Viikari wrote:
> Is it possible to run crontab job as a root any more on FC8? I get this
> in /var/log/cron and job is not run:
>
> ... crond[2511]: (root) Unauthorized SELinux context (cron/root)
>
>
> Thanks,
>
> Jouni
>
>
> # ls -lZ /var/spool/cron/
> -rw------- root root system_u:object_r:unconfined_cron_spool_t root
>
> # rpm -qa | grep selinux-policy-targeted
> selinux-policy-targeted-3.0.8-53.fc8
>
> I just tried my luck (just guessing):
>
> # chcon -t sysadm_crond_t /var/spool/cron/root
> chcon: failed to change context of /var/spool/cron/root to
> system_u:object_r:sysadm_crond_t: Permission denied
>
Fixed in selinux-policy-3.0.8-56
 
11-21-2007, 09:53 AM
Jouni Viikari

Cron after upgrade (FC6 -> FC8)

On Mon, 19 Nov 2007, Daniel J Walsh wrote:

> Jouni Viikari wrote:
>> Is it possible to run crontab job as a root any more on FC8? I get this
>> in /var/log/cron and job is not run:
>>
>> ... crond[2511]: (root) Unauthorized SELinux context (cron/root)
>>
>>
>> Thanks,
>>
>> Jouni
>>
>>
>> # ls -lZ /var/spool/cron/
>> -rw------- root root system_u:object_r:unconfined_cron_spool_t root
>>
>> # rpm -qa | grep selinux-policy-targeted
>> selinux-policy-targeted-3.0.8-53.fc8
>>
>> I just tried my luck (just guessing):
>>
>> # chcon -t sysadm_crond_t /var/spool/cron/root
>> chcon: failed to change context of /var/spool/cron/root to
>> system_u:object_r:sysadm_crond_t: Permission denied
>
> Fixed in selinux-policy-3.0.8-56


Did not solve it:

crond[2511]: (root) Unauthorized SELinux context(cron/root).

# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.0.8-56.fc8
selinux-policy-3.0.8-56.fc8


BTW, I wonder how to fix this message which is continuously popping up in
the right way? Which version is correct:


/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
specifications for /var/lib/awstats(/.*)?
(system_u:object_r:httpd_sys_script_rw_t:s0 and
system_u:object_r:awstats_var_lib_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
specifications for /usr/share/awstats/wwwroot/cgi-bin(/.*)?
(system_u:object_r:httpd_sys_script_exec_t:s0 and
system_u:object_r:httpd_awstats_script_exec_t:s0).


Just noticed that it looks like also my SquirrelMail is broken:

avc: denied { search } for comm=sendmail dev=dm-0 egid=51 euid=48
exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0
name=mail pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=dir
tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48

avc: denied { getattr } for comm=sendmail dev=dm-0 egid=51 euid=48
exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0
path=/etc/mail pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0
sgid=51
subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=dir
tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48

avc: denied { create } for comm=sendmail egid=51 euid=48
exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0
pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
subj=system_u:system_r:httpd_sys_script_t:s0 suid=48
tclass=unix_dgram_socket
tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48

 
11-21-2007, 02:53 PM
Daniel J Walsh

Cron after upgrade (FC6 -> FC8)

Jouni Viikari wrote:
> On Mon, 19 Nov 2007, Daniel J Walsh wrote:
>
>>
>> Jouni Viikari wrote:
>>> Is it possible to run crontab job as a root any more on FC8? I get this
>>> in /var/log/cron and job is not run:
>>>
>>> ... crond[2511]: (root) Unauthorized SELinux context (cron/root)
>>>
>>>
>>> Thanks,
>>>
>>> Jouni
>>>
>>>
>>> # ls -lZ /var/spool/cron/
>>> -rw------- root root system_u:object_r:unconfined_cron_spool_t root
>>>
>>> # rpm -qa | grep selinux-policy-targeted
>>> selinux-policy-targeted-3.0.8-53.fc8
>>>
>>> I just tried my luck (just guessing):
>>>
>>> # chcon -t sysadm_crond_t /var/spool/cron/root
>>> chcon: failed to change context of /var/spool/cron/root to
>>> system_u:object_r:sysadm_crond_t: Permission denied
>>>
>> Fixed in selinux-policy-3.0.8-56
>
> Did not solve it:
>
> crond[2511]: (root) Unauthorized SELinux context(cron/root).
>
> # rpm -qa | grep selinux-policy
> selinux-policy-targeted-3.0.8-56.fc8
> selinux-policy-3.0.8-56.fc8
>
>
> BTW, I wonder how to fix this message which is continuously popping up
> in the right way? Which version is correct:
>
> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different
> specifications for /var/lib/awstats(/.*)?
> (system_u:object_r:httpd_sys_script_rw_t:s0 and
> system_u:object_r:awstats_var_lib_t:s0).
> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different
> specifications for /usr/share/awstats/wwwroot/cgi-bin(/.*)?
> (system_u:object_r:httpd_sys_script_exec_t:s0 and
> system_u:object_r:httpd_awstats_script_exec_t:s0).
These look like you did some local customization of these directories.

I would remove your local mods.

semanage fcontext -d '/usr/share/awstats/wwwroot/cgi-bin(/.*)?'
semanage fcontext -d '/var/lib/awstats(/.*)?'

I would almost always go with the more specific. :^)
>
>
> Just noticed that it looks like also my SquirrelMail is broken:
>
> avc: denied { search } for comm=sendmail dev=dm-0 egid=51 euid=48
> exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0
> name=mail pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=dir
> tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
>
> avc: denied { getattr } for comm=sendmail dev=dm-0 egid=51 euid=48
> exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0
> path=/etc/mail pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0
> sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=dir
> tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
>
> avc: denied { create } for comm=sendmail egid=51 euid=48
> exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0
> pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48
> tclass=unix_dgram_socket
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48
>

setsebool -P httpd_can_sendmail 1
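A small checker for the "Multiple different specifications" warning discussed in this thread, added here as an example; it is not part of the original posts or of the SELinux tools. It groups file-context entries by exact regex and file type (a simplification of the check libselinux performs) and, following the advice to remove local mods, builds the `semanage fcontext -d` line for each conflicting local entry. The sample entries and the `policy`/`local` labels are constructed assumptions.

```python
import shlex
from collections import defaultdict

# Constructed sample data modelled on the two warnings quoted in the thread.
# Which context came from the shipped policy and which from a local
# customization is an assumption made for illustration.
POLICY = """\
/var/lib/awstats(/.*)?  system_u:object_r:awstats_var_lib_t:s0
/usr/share/awstats/wwwroot/cgi-bin(/.*)?  system_u:object_r:httpd_awstats_script_exec_t:s0
/etc/mail(/.*)?  system_u:object_r:etc_mail_t:s0
"""
LOCAL = """\
# local customizations
/var/lib/awstats(/.*)?  system_u:object_r:httpd_sys_script_rw_t:s0
/usr/share/awstats/wwwroot/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
"""

def parse(text, origin):
    """Yield ((regex, file_type), context, origin) for each specification line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 2:            # regex context
            yield (fields[0], ""), fields[1], origin
        elif len(fields) == 3:          # regex -type context
            yield (fields[0], fields[1]), fields[2], origin

def find_conflicts(sources):
    """Return {(regex, file_type): [(context, origin), ...]} for every key
    that is assigned more than one distinct context."""
    seen = defaultdict(list)
    for origin, text in sources:
        for key, ctx, org in parse(text, origin):
            seen[key].append((ctx, org))
    return {k: v for k, v in seen.items() if len({c for c, _ in v}) > 1}

def removal_commands(conflicts, local_origin="local"):
    """Build `semanage fcontext -d` lines for conflicting local entries.
    Entries that carry a file type are skipped: they need review by hand."""
    return [f"semanage fcontext -d {shlex.quote(regex)}"
            for (regex, ftype), entries in sorted(conflicts.items())
            if not ftype and any(o == local_origin for _, o in entries)]

if __name__ == "__main__":
    conflicts = find_conflicts([("policy", POLICY), ("local", LOCAL)])
    for (regex, _), entries in sorted(conflicts.items()):
        print(regex, "->", ", ".join(f"{c} [{o}]" for c, o in entries))
    print("\n".join(removal_commands(conflicts)))
```
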
 
