/usr/bin/run-parts->system_u:object_r:bin_t (?!)

Russell Coker russell at coker.com.au
Thu Jun 17 00:43:01 UTC 2004


On Thu, 17 Jun 2004 08:54, Tom London <selinux at comcast.net> wrote:
> /usr/bin/run-parts has context system_u:object_r:bin_t under
> selinux-policy-strict-1.13.4-6 (and earlier).
>
> crond_t.te has entries to search bin_t dirs, but not to
> read/getattr/execute bin_t files.
>
> Here is the AVC for run-parts:
> audit(1087423260.368:0): avc:  denied  { getattr } for  pid=4135
> exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312
> scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
> tclass=file

This appears to be a bug in crond, it should not be executing that program in 
crond_t.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
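To make the denial in the quoted message concrete, here is an added example (not code from either poster or from the SELinux project) that parses AVC records of the 2004-era format shown above into their fields and renders the allow rule a tool like audit2allow would propose. The first sample line is the denial quoted above; the second, showing a read/execute denial on the same file, is constructed for the example and does not appear in the thread. The function names and the AvcRecord class are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Sample input 1: the AVC denial quoted in the message above.
SAMPLE_AVC = (
    "audit(1087423260.368:0): avc:  denied  { getattr } for  pid=4135 "
    "exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312 "
    "scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t "
    "tclass=file"
)

# Sample input 2: CONSTRUCTED for this example (not from the thread). It is the
# kind of follow-on denial you would expect once getattr alone were allowed.
SAMPLE_AVC_FOLLOWUP = (
    "audit(1087423260.369:0): avc:  denied  { read execute } for  pid=4135 "
    "exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312 "
    "scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t "
    "tclass=file"
)

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class AvcRecord:
    verdict: str      # "denied" or "granted"
    perms: list       # permissions named inside the braces
    fields: dict      # key=value pairs after "for"


def parse_avc(line):
    """Parse one kernel AVC record; raise ValueError if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    fields = dict(KV_RE.findall(m.group("rest")))
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            raise ValueError("AVC record missing %s" % key)
    return AvcRecord(m.group("verdict"), m.group("perms").split(), fields)


def context_type(ctx):
    """user:role:type[:range] -> type (the part TE rules are written against)."""
    return ctx.split(":")[2]


def allow_rule(rec):
    """Render the TE allow rule that would silence exactly this denial."""
    return "allow %s %s:%s { %s };" % (
        context_type(rec.fields["scontext"]),
        context_type(rec.fields["tcontext"]),
        rec.fields["tclass"],
        " ".join(sorted(set(rec.perms))),
    )


def summarize(lines):
    """Merge many denials into one rule per (source type, target type, class)."""
    merged = {}
    for line in lines:
        try:
            rec = parse_avc(line)
        except ValueError:
            continue            # skip non-AVC noise in a mixed log
        if rec.verdict != "denied":
            continue
        key = (
            context_type(rec.fields["scontext"]),
            context_type(rec.fields["tcontext"]),
            rec.fields["tclass"],
        )
        merged.setdefault(key, set()).update(rec.perms)
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(merged.items())
    ]


if __name__ == "__main__":
    print(allow_rule(parse_avc(SAMPLE_AVC)))
    for rule in summarize([SAMPLE_AVC, SAMPLE_AVC_FOLLOWUP]):
        print(rule)
```

The rule this produces is the permission the denial asks for, not necessarily the right fix: as the reply above argues, the question is why cron is running run-parts in crond_t at all, and the answer to that determines whether the policy needs an allow rule or a domain transition.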
