selinux does not like crontab :(, default_t, kde

Antonio Olivares olivares14031 at yahoo.com
Wed Mar 25 23:03:48 UTC 2009


Dear all,

I have resolved one problem (not getting internet at startup by default), but have not fixed the crontab one and the other(s):

This one does not go away :(


Summary:

SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by crontab. It is not expected that this access
is required by crontab and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0
                              .c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                socket [ unix_stream_socket ]
Source                        crontab
Source Path                   /usr/bin/crontab
Port                          <Unknown>
Host                          riohigh
Source RPM Packages           cronie-1.2-7.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.8-3.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586
                              #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon
Alert Count                   177
First Seen                    Mon 02 Mar 2009 07:11:37 PM CST
Last Seen                     Wed 25 Mar 2009 04:57:03 PM CST
Local ID                      3883b140-4d39-40f5-9262-ce2c4c4e2e16
Line Numbers                  

Raw Audit Messages            

node=riohigh type=AVC msg=audit(1238021823.376:68): avc:  denied  { read write } for  pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1238021823.376:68): avc:  denied  { read write } for  pid=4331 comm="crontab" path="socket:[53528]" dev=sockfs ino=53528 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=SYSCALL msg=audit(1238021823.376:68): arch=40000003 syscall=11 success=yes exit=0 a0=9fcb5c8 a1=9fcbd10 a2=9fb5ae0 a3=9fcbd10 items=0 ppid=4295 pid=4331 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)


I can't modify my crontab file:

[olivares at riohigh ~]$ crontab -l

Authentication service cannot retrieve authentication info
You (olivares) are not allowed to access to (crontab) because of pam configuration.
[olivares at riohigh ~]$

If I disable SELinux, I can modify it and view it, but not with SELinux enabled.

I got greeted with the following:


Summary:

SELinux is preventing access to files with the default label, default_t.

Detailed Description:

SELinux permission checks on files labeled default_t are being denied. These
files/directories have the default label on them. This can indicate a labeling
problem, especially if the files being referred to are not top level
directories. Any files/directories under standard system directories, /usr,
/var. /dev, /tmp, ..., should not be labeled with the default label. The default
label is for files/directories which do not have a label on a parent directory.
So if you create a new directory in / you might legitimately get this label.

Allowing Access:

If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:default_t:s0
Target Objects                /.kde [ dir ]
Source                        kde4-config
Source Path                   /usr/bin/kde4-config
Port                          <Unknown>
Host                          riohigh
Source RPM Packages           kdelibs-4.2.1-4.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.8-3.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   default
Host Name                     riohigh
Platform                      Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586
                              #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon
Alert Count                   7
First Seen                    Wed 25 Mar 2009 04:38:14 PM CST
Last Seen                     Wed 25 Mar 2009 04:38:14 PM CST
Local ID                      d3d42e40-6a28-48cf-8717-b85579c55bad
Line Numbers                  

Raw Audit Messages            

node=riohigh type=AVC msg=audit(1238020694.487:40): avc:  denied  { getattr } for  pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir

node=riohigh type=SYSCALL msg=audit(1238020694.487:40): arch=40000003 syscall=196 success=no exit=-13 a0=bfc3730b a1=bfc37258 a2=a12ff4 a3=a036c59 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


Summary:

SELinux is preventing access to files with the default label, default_t.

Detailed Description:

SELinux permission checks on files labeled default_t are being denied. These
files/directories have the default label on them. This can indicate a labeling
problem, especially if the files being referred to are not top level
directories. Any files/directories under standard system directories, /usr,
/var. /dev, /tmp, ..., should not be labeled with the default label. The default
label is for files/directories which do not have a label on a parent directory.
So if you create a new directory in / you might legitimately get this label.

Allowing Access:

If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:default_t:s0
Target Objects                .kde [ dir ]
Source                        kde4-config
Source Path                   /usr/bin/kde4-config
Port                          <Unknown>
Host                          riohigh
Source RPM Packages           kdelibs-4.2.1-4.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.8-3.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   default
Host Name                     riohigh
Platform                      Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586
                              #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon
Alert Count                   23
First Seen                    Wed 25 Mar 2009 04:38:14 PM CST
Last Seen                     Wed 25 Mar 2009 04:38:14 PM CST
Local ID                      711eec22-2695-4e57-91ad-622e9c5f3b53
Line Numbers                  

Raw Audit Messages            

node=riohigh type=AVC msg=audit(1238020694.489:42): avc:  denied  { search } for  pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir

node=riohigh type=SYSCALL msg=audit(1238020694.489:42): arch=40000003 syscall=196 success=no exit=-13 a0=a036c58 a1=bfc37230 a2=a12ff4 a3=a031250 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Startup did not take 20 seconds; it took something like 8 to 10 minutes with the relabeling, and I still see the same things. Is there an update that will fix this, or do I have to disable SELinux or boot in permissive mode in order to have a working machine?

Please help; this is no longer as fun as it once was.

Regards,

Antonio 
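As an added triage example (not part of the post and not setroubleshoot's own code), the following Python script parses AVC records paired with their SYSCALL records by serial number and separates the two kinds of denial quoted above: a target labelled default_t is a labeling problem to be fixed by relabeling, while a denial logged during an execve that still reports success=yes was raised on a descriptor inherited from the parent process, which SELinux closes at the domain transition, rather than on crontab's own work. The sample records are copied from the post; the classification rules, the LABELING_TYPES set and the advice strings are this example's assumptions.

```python
import re

# Constructed sample built from the records quoted in the post: one AVC per
# denial type, each paired with its SYSCALL record of the same serial number.
SAMPLE_AUDIT = """\
node=riohigh type=AVC msg=audit(1238021823.376:68): avc:  denied  { read write } for  pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1238021823.376:68): arch=40000003 syscall=11 success=yes exit=0 pid=4331 comm="crontab" exe="/usr/bin/crontab"
node=riohigh type=AVC msg=audit(1238020694.487:40): avc:  denied  { getattr } for  pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1238020694.487:40): arch=40000003 syscall=196 success=no exit=-13 pid=2434 comm="kde4-config" exe="/usr/bin/kde4-config"
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\}'
    r' for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"(?: path="(?P<path>[^"]+)")?'
    r'(?: name="(?P<name>[^"]+)")?.*? scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
    r' tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): arch=(?P<arch>\w+)'
    r' syscall=(?P<syscall>\d+) success=(?P<success>yes|no) exit=(?P<exit>-?\d+)')

LABELING_TYPES = {"default_t", "unlabeled_t"}   # assumed: object carries no proper label
EXECVE_I386 = ("40000003", "11")                # arch/syscall pair for execve on 32-bit x86


def se_type(context):
    """Third field of user:role:type[:range] is the SELinux type."""
    return context.split(":")[2]


def triage(audit_text):
    """Classify each AVC denial using its paired SYSCALL record (same serial)."""
    syscalls = {m.group("serial"): m for m in SYSCALL_RE.finditer(audit_text)}
    findings = []
    for avc in AVC_RE.finditer(audit_text):
        sc = syscalls.get(avc.group("serial"))
        ttype = se_type(avc.group("tcontext"))
        obj = avc.group("path") or avc.group("name") or "<unknown>"
        at_exec = sc is not None and (sc.group("arch"), sc.group("syscall")) == EXECVE_I386
        if ttype in LABELING_TYPES:
            # Mislabeled object: fix the label; do not write an allow rule for default_t.
            kind, advice = "labeling", f"check the expected label of {obj} (matchpathcon) and relabel it"
        elif at_exec and sc.group("success") == "yes":
            # execve still succeeded: the denied object is a descriptor the parent left
            # open, which SELinux closes at the domain transition; fix the parent, not crontab.
            kind, advice = "inherited_fd", f"descriptor leaked across exec by the parent of pid {avc.group('pid')}"
        else:
            kind, advice = "policy", "policy gap: collect with audit2allow or report a bug"
        findings.append({"serial": avc.group("serial"), "comm": avc.group("comm"),
                         "perms": avc.group("perms").split(), "source": se_type(avc.group("scontext")),
                         "target": ttype, "tclass": avc.group("tclass"), "object": obj,
                         "kind": kind, "advice": advice})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        print(f"{f['comm']:12} {f['source']} -> {f['target']} {f['tclass']:18} {f['kind']:12} {f['advice']}")
```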