selinux and crontab one-more-time
Daniel J Walsh
dwalsh at redhat.com
Wed Apr 15 12:20:33 UTC 2009
On 04/14/2009 04:11 PM, Antonio Olivares wrote:
> Dear fellow Selinux experts,
>
> I have encountered this before, apparently it has not gone away. Running Fedora 11 Beta. I have a small crontab file that will shutdown the machine at 4:15 pm :
>
> [students at antonio-fedora-x86-64 ~]$ crontab -l
> # min hour day-of-month month day-of-week command
> 15 16 * * 1-5 /usr/bin/poweroff>/dev/null 2>&1
>
> Seatroubleshooter comes up and gives me the following:
>
> In the other machine running rawhide I can't even access crontab -l, it tells me that I cannot do anything I have no authorizations :(
>
> Summary:
>
> SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by crontab. It is not expected that this access
> is required by crontab and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0
> .c1023
> Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
> 023
> Target Objects socket [ unix_stream_socket ]
> Source crontab
> Source Path /usr/bin/crontab
> Port<Unknown>
> Host antonio-fedora-x86-64
> Source RPM Packages cronie-1.2-7.fc11
> Target RPM Packages
> Policy RPM selinux-policy-3.6.12-3.fc11
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name antonio-fedora-x86-64
> Platform Linux antonio-fedora-x86-64
> 2.6.29.1-68.fc11.x86_64 #1 SMP Sat Apr 11 02:20:46
> EDT 2009 x86_64 x86_64
> Alert Count 53
> First Seen Tue 14 Apr 2009 03:58:24 PM CDT
> Last Seen Tue 14 Apr 2009 04:06:56 PM CDT
> Local ID 5b712474-909f-4775-a5d6-bf5a78404916
> Line Numbers
>
> Raw Audit Messages
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12989]" dev=sockfs ino=12989 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=antonio-fedora-x86-64 type=SYSCALL msg=audit(1239743216.390:74): arch=c000003e syscall=59 success=yes exit=0 a0=acb200 a1=ac0d10 a2=adeda0 a3=7fff2149c340 items=0 ppid=19528 pid=19560 auid=501 uid=501 gid=501 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
>
>
>
>
> Thank you in Advance,
>
> Antonio
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I tried everything you described and it worked fine. THe
unconfined_t:unix_stream_socket is coming from the leaked file
descriptor in Konsole, I believe.
More information about the fedora-selinux-list
mailing list