Cron after upgrade (FC6 -> FC8)

Daniel J Walsh dwalsh at redhat.com
Wed Nov 21 15:53:59 UTC 2007


Jouni Viikari wrote:
> On Mon, 19 Nov 2007, Daniel J Walsh wrote:
> 
>> Jouni Viikari wrote:
>>> Is it possible to run crontab job as a root any more on FC8?  I get this
>>> in /var/log/cron and job is not run:
>>>
>>>  ... crond[2511]: (root) Unauthorized SELinux context (cron/root)
>>>
>>>
>>> Thanks,
>>>
>>> Jouni
>>>
>>>
>>> # ls -lZ /var/spool/cron/
>>> -rw-------  root root system_u:object_r:unconfined_cron_spool_t root
>>>
>>> # rpm -qa | grep selinux-policy-targeted
>>> selinux-policy-targeted-3.0.8-53.fc8
>>>
>>> I just tried my luck (just guessing):
>>>
>>> # chcon -t sysadm_crond_t /var/spool/cron/root
>>> chcon: failed to change context of /var/spool/cron/root to
>>> system_u:object_r:sysadm_crond_t: Permission denied
>>>
>> Fixed in selinux-policy-3.0.8-56
> 
> Did not solve it:
> 
> crond[2511]: (root) Unauthorized SELinux context(cron/root).
> 
> # rpm -qa | grep selinux-policy
> selinux-policy-targeted-3.0.8-56.fc8
> selinux-policy-3.0.8-56.fc8
> 
> 
> BTW, I wonder how to fix this message which is continuously popping up
> in the right way?  Which version is correct:
> 
> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different
> specifications for /var/lib/awstats(/.*)?
> (system_u:object_r:httpd_sys_script_rw_t:s0 and
> system_u:object_r:awstats_var_lib_t:s0).
> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different
> specifications for /usr/share/awstats/wwwroot/cgi-bin(/.*)?
> (system_u:object_r:httpd_sys_script_exec_t:s0 and
> system_u:object_r:httpd_awstats_script_exec_t:s0).
This looks like you did some local customization of these directories.

I would remove your local mods.

semanage fcontext -d '/usr/share/awstats/wwwroot/cgi-bin(/.*)?'
semanage fcontext -d '/var/lib/awstats(/.*)?'

I would almost always go with the more specific.  :^)
> 
> 
> Just noticed that it looks like also my SquirrelMail is broken:
> 
> avc: denied { search } for comm=sendmail dev=dm-0 egid=51 euid=48
> exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0
> name=mail pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=dir
> tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
> 
> avc: denied { getattr } for comm=sendmail dev=dm-0 egid=51 euid=48
> exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0
> path=/etc/mail pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0
> sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=dir
> tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
> 
> avc: denied { create } for comm=sendmail egid=51 euid=48
> exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0
> pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48
> tclass=unix_dgram_socket
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48
> 

setsebool -P httpd_can_sendmail 1
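Added example, not part of the original message and not code from the policy tools: a small Python summarizer for the three AVC denials quoted in the thread, grouping them by source type, target type and object class so it is clear that every denial comes from sendmail running in the web script domain before a boolean is switched on. The function names (parse_avc, sel_type, summarize) are hypothetical, and the parser assumes the unquoted key=value record layout shown in the thread.

```python
import re
from collections import defaultdict

# AVC records copied from the thread above, with the e-mail line wraps joined.
AVC_LOG = """\
avc: denied { search } for comm=sendmail dev=dm-0 egid=51 euid=48 exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0 name=mail pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=dir tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
avc: denied { getattr } for comm=sendmail dev=dm-0 egid=51 euid=48 exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0 path=/etc/mail pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=dir tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
avc: denied { create } for comm=sendmail egid=51 euid=48 exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0 pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=unix_dgram_socket tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: not enough to name the access
    fields["perms"] = m.group(1).split()
    return fields

def sel_type(context):
    """The type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log):
    """Map (source type, target type, class) to denied perms and commands."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (sel_type(rec["scontext"]), sel_type(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["comms"].add(rec.get("comm", "?"))
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(AVC_LOG).items()):
        perms, comms = " ".join(sorted(g["perms"])), ",".join(sorted(g["comms"]))
        print(f"{src} -> {tgt}:{cls} {{ {perms} }} comm={comms}")
```

If the summary shows source types or commands other than the one expected, the boolean suggested in the reply would not cover those denials and they need to be looked at separately.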