RHEL5 + strict policy: Unprivileged user cron - "Unauthorized SELinux context"

Stephen Smalley sds at tycho.nsa.gov
Wed Nov 28 20:37:14 UTC 2007 

On Wed, 2007-11-28 at 21:16 +0100, Aleksander Adamowski wrote:
> Hi!
> 
> I'm using selinux-policy-strict-2.4.6-30.el5.
> 
> I've added a job to apache's crontab (crontab -e -u apache).
> 
> Now I can see those errors in /var/log/cron:
> 
> crond[27249]: (apache) Unauthorized SELinux context, but SELinux in 
> permissive mode, continuing (cron/apache)
> crond[29358]: (apache) NULL security context for user, but SELinux in 
> permissive mode, continuing ()
> 
> 
> Google search found a suggestion that FC6 cron policy is broken, 
> resulting in similar symptoms (but for root instead of apache user), but 
> what about RHEL5?
> 
> I've also added a simple apache cronjob that simply writes output from 
> "id -Z" to a file in /tmp and it has written the following context data:
> 
> root:system_r:crond_t:SystemLow-SystemHigh
> 
> Why is the user root? Shouldn't it be user_u or system_u or something 
> like that?

Sounds like it just stayed in crond's context since it failed the check
and the system was permissive.  Naturally, in enforcing mode, it would
have not executed the job at all.

crond computes a context for the user's cron job in the usual manner,
then applies a entrypoint permission check between that context and the
file context on the crontab file (which gets picked up from a
combination of its creator and the parent directory).  If that check
fails, then crond refuses to execute the crontab commands in that
process context.  The check is intended to prevent injection of commands
from one context into another via crontab, unless authorized by policy
of course.

I'd have expected it to try to run the cron job in user_u:user_r:
user_crond_t:s0 since apache wouldn't have a specific entry in seusers.
So it would have wanted the crontab file to have user_cron_spool_t on
it, which would have happened if a user_t process created it.  If
instead an admin created it and it got sysadm_cron_spool_t or
staff_cron_spool_t, that might explain it.  So you could relabel it or
allow that permission.  First though check the current label on the
crontab file.

-- 
Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list