crond and /usr/bin/run-parts

Fritz Elfert fritz.elfert at millenux.com
Thu May 27 15:55:05 UTC 2004


Hi,

On FC2, the system housekeeping is executed as root via a shell script 
/usr/bin/run-parts which in turn executes scripts in 
/etc/cron.{hourly,daily,monthly}. This does not work in enforcing mode. 
Instead I get the following error:

audit(1085671860.593:0): avc:  denied  { transition } for  pid=17894 
exe=/usr/sbin/crond path=/bin/bash dev=hda2 ino=883049 
scontext=root:system_r:crond_t tcontext=user_u:sysadm_r:sysadm_t 
tclass=process

If I interpret this correctly, crond is unable to change the execution 
context to root when trying to run /usr/bin/run-parts. I already submitted 
a bug report for that 
(http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124533) but until it 
is fixed, I wanted to make my own workaround. I tried the following:

In /etc/security/selinux/src/policy/file_contexts/misc/local.fc I have:

/usr/bin/run-parts              --      system_u:object_r:runparts_exec_t

In /etc/security/selinux/src/policy/domains/misc/local.te I have:

type runparts_exec_t, file_type, sysadmfile, exec_type;
domain_trans(crond_t, shell_exec_t, sysadm_t)
domain_trans(crond_t, runparts_exec_t, sysadm_t)

I tried also adding:
system_crond_entry(runparts_exec_t, sysadm_t)

After relabeling and make reload, I still get this error. At least the 
script seems to be labeled ok:

-rwxr-xr-x+ root     root     system_u:object_r:runparts_exec_t /usr/bin/run-parts

What am I doing wrong?

Thanks
 -Fritz
-- 
Fritz Elfert <fritz.elfert at millenux.com>                     Millenux GmbH
Lilienthalstr. 2                                  Phone: +49 711 88770 400
70825 Stuttgart                                     FAX: +49 711 88770 449
--------------------------------------------------------------------------
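The denial quoted above is the kind of record an administrator has to read off the syslog/audit stream before touching policy. The following Python script is an added example (not from the original post or from the Fedora policy sources): it parses AVC records of the `audit(<timestamp>:<serial>): avc: denied { perms } for key=value ...` form used by the 2.6 kernel at the time, splits the security contexts into user/role/type, and tallies denials by source type, target type, object class and permission so that a batch of log lines can be triaged. The first sample line is the one from the post joined onto a single line; the second sample line and the non-AVC syslog line are constructed for the example.

```python
"""Parse and triage SELinux AVC denial records (added example, not part of the original post)."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Kernel AVC record: audit(<ts>:<serial>): avc:  denied  { perm ... } for  key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*(?P<verdict>denied|granted)\s*"
    r"\{\s*(?P<perms>[^}]*)\}\s*for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")
# Security context: user:role:type[:level]
CONTEXT_RE = re.compile(r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+)(?::(?P<level>.+))?$")

# Constructed sample input. Line 1 is the denial from the post, joined onto one line;
# line 2 is a made-up file-read denial; line 3 is an ordinary (non-AVC) cron syslog line.
SAMPLE_LOG: List[str] = [
    "audit(1085671860.593:0): avc:  denied  { transition } for  pid=17894 "
    "exe=/usr/sbin/crond path=/bin/bash dev=hda2 ino=883049 "
    "scontext=root:system_r:crond_t tcontext=user_u:sysadm_r:sysadm_t tclass=process",
    "audit(1085671861.100:1): avc:  denied  { read } for  pid=17895 "
    "exe=/usr/sbin/crond path=/etc/cron.d/example dev=hda2 ino=1234 "
    "scontext=root:system_r:crond_t tcontext=system_u:object_r:etc_t tclass=file",
    "May 27 15:55:05 host crond[17894]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return a dict describing one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    rec: Dict[str, object] = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "tclass": fields.get("tclass"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "exe": fields.get("exe"),
        "path": fields.get("path"),
    }
    # Split scontext/tcontext into their user/role/type(/level) components.
    for key in ("scontext", "tcontext"):
        ctx = fields.get(key)
        cm = CONTEXT_RE.match(ctx) if ctx else None
        rec[key] = cm.groupdict() if cm else None
    return rec


def describe(rec: Dict[str, object]) -> str:
    """One-line human summary; process/transition denials are phrased as domain transitions."""
    src = rec["scontext"]["type"] if rec["scontext"] else "?"
    tgt = rec["tcontext"]["type"] if rec["tcontext"] else "?"
    if rec["tclass"] == "process" and "transition" in rec["perms"]:
        # For a process-class transition denial, 'path' is the binary being exec'd
        # and tcontext is the domain the caller tried to enter.
        return (f"domain transition {src} -> {tgt} denied while executing "
                f"{rec['path']} (pid {rec['pid']}, exe {rec['exe']})")
    perms = " ".join(rec["perms"])
    return f"{rec['verdict']} {{ {perms} }} {src} -> {tgt} class {rec['tclass']} on {rec['path']}"


def triage(lines: Iterable[str]) -> Counter:
    """Count denials keyed by (source type, target type, object class, permission)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        src = rec["scontext"]["type"] if rec["scontext"] else "?"
        tgt = rec["tcontext"]["type"] if rec["tcontext"] else "?"
        for perm in rec["perms"]:
            counts[(src, tgt, rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_avc(line)
        print(describe(rec) if rec else f"(not an AVC record) {line}")
    for key, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:3d}  {key}")
```

Grouping by (source type, target type, class, permission) is what audit2allow does before emitting rules; seeing the grouped counts first makes it clear which single transition is failing, which is cheaper than reloading policy after each guess.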