targeted policy: crond_t now invalid for initrc_t ?
Daniel J Walsh
dwalsh at redhat.com
Tue Jan 25 17:10:52 UTC 2005
Tom London wrote:
>On Mon, 24 Jan 2005 15:02:22 -0500, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>
>>Can you try a
>>make -C /etc/selinux/targeted/src/policy load
>>
>>
>>
>Sorry, no soap. :-(
>
>Here's a log:
>[root at tlondon ~]# cd /etc/selinux/targeted
>[root at tlondon targeted]# cd src/policy
>[root at tlondon policy]# make -C /etc/selinux/targeted/src/policy load
>make: Entering directory `/etc/selinux/targeted/src/policy'
>/usr/sbin/load_policy /etc/selinux/targeted/policy/policy.18
>touch tmp/load
>make: Leaving directory `/etc/selinux/targeted/src/policy'
>[root at tlondon ~]# cd /etc/init.d
>[root at tlondon init.d]# ./crond status
>crond is stopped
>[root at tlondon init.d]# ./crond start
>Starting crond: /etc/init.d/functions: line 148: /usr/sbin/crond:
>Permission denied
> [FAILED]
>[root at tlondon init.d]#
>
>Here's the AVC:
>Jan 25 07:38:17 localhost kernel: audit(1106667497.815:0):
>security_compute_sid: invalid context root:system_r:crond_t for
>scontext=root:system_r:initrc_t
>tcontext=system_u:object_r:crond_exec_t tclass=process
>
>tom
>
>
>
>
Ok, you need to change the policy for crond.te
--- crond.te~ 2005-01-21 16:16:11.000000000 -0500
+++ crond.te 2005-01-25 12:04:52.000000000 -0500
@@ -19,5 +19,5 @@
type sysadm_cron_spool_t, file_type, sysadmfile;
type crond_log_t, file_type, sysadmfile;
type crond_var_run_t, file_type, sysadmfile;
-domain_auto_trans(initrc_t, crond_exec_t, crond_t)
-domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
+domain_auto_trans(initrc_t, crond_exec_t, unconfined_t)
+domain_auto_trans(initrc_t, anacron_exec_t, unconfined_t)
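Review bot: the two added domain_auto_trans lines send both crond_exec_t and anacron_exec_t to unconfined_t with no comment saying why, so a later reader of crond.te could easily "fix" them back to crond_t and reintroduce the "invalid context root:system_r:crond_t" failure from the log above. Suggest a short comment above them, for example "# crond runs unconfined in the targeted policy; crond_t is not a valid process context here". The log only exercises /usr/sbin/crond, so the anacron_exec_t line is changed by analogy and should be tested the same way before release. It is also worth checking whether any remaining rules in crond.te still name crond_t as a process domain, since after this change nothing started from initrc_t will enter it.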
I will update policy and throw it out on people.
selinux-policy-targeted-1.21.3-2