rawhide strict & crond
Stephen Smalley
sds at tycho.nsa.gov
Tue Apr 26 11:35:21 UTC 2005
On Tue, 2005-04-26 at 10:05 +0200, Holger Burde wrote:
> I tried to run a cron job from the apache account but nothing happends
> beside a entry in /var/log/cron :
>
> Apr 26 10:51:49 dragon crond[4284]: (CRON) STARTUP (V5.0)
> Apr 26 10:51:49 dragon crond[4284]: (apache) ENTRYPOINT FAILED
> (cron/apache)
>
> (wrong context? )
Yes; crond applies an entrypoint permission check of its own between the
security context for the cron job process and the security context on
the crontab file to prevent tricking a more trusted cron job process
(e.g. root's cron jobs) from running untrustworthy input. What does ls
-Z /var/spool/cron/ show? In the absence of an explicit user identity
for apache in the SELinux policy, I'd expect the apache crontab to be
labeled <user>:object_r:user_cron_spool_t (the <user> doesn't matter;
could be system_u or user_u or root).
> audit2allow -i /var/log/messages -l
> nothing ...
Yes, it isn't a kernel denial; it is a check by crond.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
More information about the fedora-selinux-list
mailing list