selinux does not like crontab :(, default_t, kde

Robert Nichols rnicholsNOSPAM at comcast.net
Thu Mar 26 15:43:25 UTC 2009 

Antonio Olivares wrote:
> 
>> The kde read/writing to /.kde is a kde bug/  kdm should
>> have a home 
>> directory that we could give access to, not /.  I have this
>> setup and 
>> although it genetates AVC's  I am able to login fine. 
>> Although gdm 
>> works better.
>>
>> If you want to get rid of these avc's you could
>> execute.
>>
>> # semanage fcontext -a -t xdm_var_run_t
>> '/\.kde(/.*)?'
>> # restorecon -R -v /.kde
>>
>> Running crontab -e as root, problem is also a
>> kdebase/konsole problem of 
>> leaked file descriptors.  If you do an ls /proc/self/fd in
>> the konsole 
>> you will see a whole bunch of file descriptors that have
>> been leaked to 
>> the konsole.  When you start a confined domain from the
>> console SELinux 
>> reports these leaked file descriptors and closes them.
>>
>> ls -l /proc/self/fd
>>
>> should show something like
>>
>> # ls -l /proc/self/fd
>> total 0
>> lr-x------. 1 root root 64 2009-03-26 08:31 0 ->
>> /dev/pts/4
>> lrwx------. 1 root root 64 2009-03-26 08:31 1 ->
>> /dev/pts/4
>> lrwx------. 1 root root 64 2009-03-26 08:31 2 ->
>> /dev/pts/4
>> lr-x------. 1 root root 64 2009-03-26 08:31 3 ->
>> /proc/32759/fd
>>
>> Which are three fd's to the terminal and one to the
>> directory you are 
>> listing.
>>
>> I see no avc that would break crontab -e?
> The avc denies crontab to display it and therefore the error.  This happens on two machines running rawhide since the third one broke down :(.  I can't test it there :(
>>
>> [olivares at riohigh ~]$ crontab -l
>>
>> Authentication service cannot retrieve authentication info
>> You (olivares) are not allowed to access to (crontab)
>> because of pam 
>> configuration.
>>
>> Looks like you are running this as a normal user?  Or are
>> you running as 
>> root?
> Normal user, even root can't edit crontab because the authority is denied :(, yes pam configuration :)
>>
>> I can not get this to happen on my machine, so I think it
>> might be 
>> something about the way you have pam setup?  Do you have
>> anything 
>> special setup in pam?
> No, just regular default setup as it comes.  Nothing special set aside.

I can confirm the same behavior when trying to run "crontab -l" or "crontab -e"
both as non-root and root user.

   Authentication service cannot retrieve authentication info
   You (rnichols) are not allowed to access to (crontab) because of pam configuration.

OR

   Authentication service cannot retrieve authentication info
   You (root) are not allowed to access to (crontab) because of pam configuration.

The problem goes away when running in permissive mode.  Regardless of permissive
vs. enforcing mode, no AVCs are logged.  No changes have been made to the
rawhide SELinux or PAM configurations.  I do see this message logged in
/var/log/secure for each unsuccessful attempt:

   crontab: pam_unix(crond:account): helper binary execve failed: Permission denied

selinux-policy-3.6.8-3.fc11.noarch
selinux-policy-targeted-3.6.8-3.fc11.noarch
authconfig-5.4.7-2.fc11.i586

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.

More information about the fedora-selinux-list mailing list