Should cron jobs be allowed to access the user's X session?

Aleksey Nogin aleksey at nogin.org
Sat Mar 20 07:54:37 UTC 2004


I have a cron job that pops up a "reminder" message in my X session 
(provided I have one at that time). Should this be allowed? I am getting:

audit(1079766600.874:0): avc:  denied  { getattr } for  pid=5767 
exe=/usr/bin/python path=/home dev=hda2 ino=3777313 
scontext=aleksey:staff_r:staff_crond_t 
tcontext=system_u:object_r:home_root_t tclass=dir
audit(1079766600.915:0): avc:  denied  { getsched } for  pid=5767 
exe=/usr/bin/python scontext=aleksey:staff_r:staff_crond_t 
tcontext=aleksey:staff_r:staff_crond_t tclass=process
audit(1079766601.549:0): avc:  denied  { search } for  pid=5767 
exe=/usr/bin/python name=.X11-unix dev=hda2 ino=229366 
scontext=aleksey:staff_r:staff_crond_t 
tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir
audit(1079766601.550:0): avc:  denied  { write } for  pid=5767 
exe=/usr/bin/python name=X0 dev=hda2 ino=229060 
scontext=aleksey:staff_r:staff_crond_t 
tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=sock_file
audit(1079766601.576:0): avc:  denied  { connectto } for  pid=5767 
exe=/usr/bin/python path=/tmp/.X11-unix/X0 
scontext=aleksey:staff_r:staff_crond_t 
tcontext=system_u:system_r:xdm_xserver_t tclass=unix_stream_socket
audit(1079766601.576:0): avc:  denied  { read } for  pid=5767 
exe=/usr/bin/python name=.Xauthority dev=hda2 ino=311184 
scontext=aleksey:staff_r:staff_crond_t 
tcontext=system_u:object_r:staff_home_xauth_t tclass=file
audit(1079766601.577:0): avc:  denied  { getattr } for  pid=5767 
exe=/usr/bin/python path=/home/aleksey/.Xauthority dev=hda2 ino=311184 
scontext=aleksey:staff_r:staff_crond_t 
tcontext=system_u:object_r:staff_home_xauth_t tclass=file
audit(1079766602.836:0): avc:  denied  { search } for  pid=5767 
exe=/usr/bin/python name=fonts dev=hda2 ino=114501 
scontext=aleksey:staff_r:staff_crond_t 
tcontext=system_u:object_r:fonts_t tclass=dir
audit(1079766602.883:0): avc:  denied  { read } for  pid=5767 
exe=/usr/bin/python name=fonts.cache-1 dev=hda2 ino=114575 
scontext=aleksey:staff_r:staff_crond_t 
tcontext=system_u:object_r:fonts_t tclass=file
audit(1079766602.885:0): avc:  denied  { getattr } for  pid=5767 
exe=/usr/bin/python path=/usr/share/fonts dev=hda2 ino=114501 
scontext=aleksey:staff_r:staff_crond_t 
tcontext=system_u:object_r:fonts_t tclass=dir
audit(1079766602.885:0): avc:  denied  { getattr } for  pid=5767 
exe=/usr/bin/python path=/usr/share/fonts/fonts.cache-1 dev=hda2 
ino=114575 scontext=aleksey:staff_r:staff_crond_t 
tcontext=system_u:object_r:fonts_t tclass=file
audit(1079766603.005:0): avc:  denied  { read } for  pid=5767 
exe=/usr/bin/python name=OTF dev=hda2 ino=4366585 
scontext=aleksey:staff_r:staff_crond_t 
tcontext=system_u:object_r:fonts_t tclass=dir
audit(1079767201.115:0): avc:  denied  { search } for  pid=5794 
exe=/usr/bin/python name=.X11-unix dev=hda2 ino=229366 
scontext=aleksey:staff_r:staff_crond_t 
tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir
audit(1079767201.115:0): avc:  denied  { write } for  pid=5794 
exe=/usr/bin/python name=X0 dev=hda2 ino=229060 
scontext=aleksey:staff_r:staff_crond_t 
tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=sock_file
audit(1079767201.116:0): avc:  denied  { read } for  pid=5794 
exe=/usr/bin/python name=.Xauthority dev=hda2 ino=311184 
scontext=aleksey:staff_r:staff_crond_t 
tcontext=system_u:object_r:staff_home_xauth_t tclass=file
audit(1079767201.116:0): avc:  denied  { getattr } for  pid=5794 
exe=/usr/bin/python path=/home/aleksey/.Xauthority dev=hda2 ino=311184 
scontext=aleksey:staff_r:staff_crond_t 
tcontext=system_u:object_r:staff_home_xauth_t tclass=file

-- 
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
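
Added example, not part of the original message and not the audit2allow implementation: a small Python parser that groups line-wrapped AVC denials like the ones quoted above by source type, target type and object class, so the access being requested for staff_crond_t can be reviewed as a whole. The function names are hypothetical, the sample is built from four of the quoted records, and contexts are assumed to have the user:role:type form seen in the log.

```python
import re
from collections import defaultdict

# Constructed sample: four denials copied from the message, still line-wrapped.
SAMPLE = """\
audit(1079766601.549:0): avc:  denied  { search } for  pid=5767
exe=/usr/bin/python name=.X11-unix dev=hda2 ino=229366
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir
audit(1079766601.576:0): avc:  denied  { connectto } for  pid=5767
exe=/usr/bin/python path=/tmp/.X11-unix/X0
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:system_r:xdm_xserver_t tclass=unix_stream_socket
audit(1079766601.576:0): avc:  denied  { read } for  pid=5767
exe=/usr/bin/python name=.Xauthority dev=hda2 ino=311184
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:staff_home_xauth_t tclass=file
audit(1079766601.577:0): avc:  denied  { getattr } for  pid=5767
exe=/usr/bin/python path=/home/aleksey/.Xauthority dev=hda2 ino=311184
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:staff_home_xauth_t tclass=file
"""

# A record runs from "audit(<time>:<serial>):" to the next one, across newlines.
RECORD = re.compile(
    r"audit\([\d.]+:\d+\):\s+avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*?)(?=audit\(|\Z)", re.S)

def parse_denials(text):
    """Yield one dict of key=value fields (plus 'perms') per denial record."""
    for m in RECORD.finditer(text):
        fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        fields["perms"] = m.group(1).split()
        yield fields

def summarize(text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for d in parse_denials(text):
        src = d["scontext"].split(":")[2]   # type is the third context field
        tgt = d["tcontext"].split(":")[2]
        grouped[(src, tgt, d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}

def allow_rules(text):
    """Render the summary as candidate allow rules, for review rather than loading."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summarize(text).items())]

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
```

Grouped this way, the sample shows the cron domain asking to read the X authority file and connect to the X server socket, which is the access the question in the subject line is about.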


