selinux does not like crontab :(, default_t, kde

Daniel J Walsh dwalsh at redhat.com
Fri Mar 27 11:54:57 UTC 2009


On 03/26/2009 11:43 AM, Robert Nichols wrote:
> Antonio Olivares wrote:
>>
>>> The kde read/writing to /.kde is a kde bug/ kdm should
>>> have a home directory that we could give access to, not /. I have this
>>> setup and although it generates AVC's I am able to login fine.
>>> Although gdm works better.
>>>
>>> If you want to get rid of these avc's you could
>>> execute.
>>>
>>> # semanage fcontext -a -t xdm_var_run_t '/\.kde(/.*)?'
>>> # restorecon -R -v /.kde
>>>
>>> Running crontab -e as root, problem is also a
>>> kdebase/konsole problem of leaked file descriptors. If you do an ls
>>> /proc/self/fd in
>>> the konsole you will see a whole bunch of file descriptors that have
>>> been leaked to the konsole. When you start a confined domain from the
>>> console SELinux reports these leaked file descriptors and closes them.
>>>
>>> ls -l /proc/self/fd
>>>
>>> should show something like
>>>
>>> # ls -l /proc/self/fd
>>> total 0
>>> lr-x------. 1 root root 64 2009-03-26 08:31 0 -> /dev/pts/4
>>> lrwx------. 1 root root 64 2009-03-26 08:31 1 -> /dev/pts/4
>>> lrwx------. 1 root root 64 2009-03-26 08:31 2 -> /dev/pts/4
>>> lr-x------. 1 root root 64 2009-03-26 08:31 3 -> /proc/32759/fd
>>>
>>> Which are three fd's to the terminal and one to the
>>> directory you are listing.
>>>
>>> I see no avc that would break crontab -e?
>> The avc denies crontab to display it and therefore the error. This
>> happens on two machines running rawhide since the third one broke down
>> :(. I can't test it there :(
>>>
>>> [olivares at riohigh ~]$ crontab -l
>>>
>>> Authentication service cannot retrieve authentication info
>>> You (olivares) are not allowed to access to (crontab)
>>> because of pam configuration.
>>>
>>> Looks like you are running this as a normal user? Or are
>>> you running as root?
>> Normal user, even root can't edit crontab because the authority is
>> denied :(, yes pam configuration :)
>>>
>>> I can not get this to happen on my machine, so I think it
>>> might be something about the way you have pam setup? Do you have
>>> anything special setup in pam?
>> No, just regular default setup as it comes. Nothing special set aside.
>
> I can confirm the same behavior when trying to run "crontab -l" or
> "crontab -e"
> both as non-root and root user.
>
> Authentication service cannot retrieve authentication info
> You (rnichols) are not allowed to access to (crontab) because of pam
> configuration.
>
> OR
>
> Authentication service cannot retrieve authentication info
> You (root) are not allowed to access to (crontab) because of pam
> configuration.
>
> The problem goes away when running in permissive mode. Regardless of
> permissive
> vs. enforcing mode, no AVCs are logged. No changes have been made to the
> rawhide SELinux or PAM configurations. I do see this message logged in
> /var/log/secure for each unsuccessful attempt:
>
> crontab: pam_unix(crond:account): helper binary execve failed:
> Permission denied
>
> selinux-policy-3.6.8-3.fc11.noarch
> selinux-policy-targeted-3.6.8-3.fc11.noarch
> authconfig-5.4.7-2.fc11.i586
>
Do you see an SELINUX_ERR in /var/log/audit/audit.log?

What does id -Z show?

Could you try

# semodule -DB

Then look for avcs about cron.
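Added example, not part of the thread: a small POSIX shell script that does the log-side check Dan asks for above. It filters an audit.log down to the AVC and SELINUX_ERR records that involve cron (matched by `comm=` or by a cron domain in one of the contexts) and prints each AVC as one readable line, which is what you would run once `semodule -DB` has switched the dontaudit rules off. The four records it ships with are constructed samples so that it runs offline; the crontab_t denial among them is hypothetical and is not a denial anyone reported in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Narrows an SELinux audit.log down to
# the records that matter for the crontab problem: AVC denials and SELINUX_ERR
# entries that involve cron. Meant to be run after `semodule -DB`, which turns
# off the policy's dontaudit rules so that silenced denials show up in the log.

# Write four constructed sample records to the file named in $1. The line
# shapes follow audit.log; the crontab_t denial is hypothetical, not from the
# thread. Only records 1 and 3 should be picked out by the filter below.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1238156097.120:4567): avc:  denied  { execute } for  pid=32759 comm="crontab" name="unix_chkpwd" dev=dm-0 ino=12345 scontext=unconfined_u:unconfined_r:crontab_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1238156098.300:4570): avc:  denied  { read } for  pid=32760 comm="konsole" name="fd" dev=proc ino=1 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=dir
type=SELINUX_ERR msg=audit(1238156099.010:4572): security_compute_sid:  invalid context unconfined_u:unconfined_r:crontab_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:crontab_exec_t:s0 tclass=process
type=USER_ACCT msg=audit(1238156100.000:4575): user pid=32759 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:crontab_t:s0 msg='op=PAM:accounting acct="olivares" exe="/usr/bin/crontab" hostname=? addr=? terminal=pts/4 res=failed'
EOF
}

# Keep only AVC and SELINUX_ERR records that mention cron, either through the
# command name (comm="crontab", comm="crond") or a cron domain in a context.
cron_related_records() {
    grep -E '^type=(AVC|SELINUX_ERR) ' "$1" \
        | grep -E 'comm="cron[^"]*"|:cron[a-z_]*_t:'
}

# Extract one key=value (or key="value") field from a record: avc_field comm "$rec"
avc_field() {
    printf '%s\n' "$2" | sed -n 's/.* '"$1"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# Render an AVC record as: denied <perms>: <source> (comm=<cmd>) -> <target> [<class>]
summarize_avc() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p')
    printf 'denied %s: %s (comm=%s) -> %s [%s]\n' \
        "$perms" "$(avc_field scontext "$1")" "$(avc_field comm "$1")" \
        "$(avc_field tcontext "$1")" "$(avc_field tclass "$1")"
}

# How many cron-related AVC/SELINUX_ERR records the log holds.
count_cron_records() {
    cron_related_records "$1" | wc -l | tr -d ' '
}

# Print a one-line summary per cron-related record in the log named in $1.
report() {
    cron_related_records "$1" | while IFS= read -r rec; do
        case $rec in
            type=AVC*) summarize_avc "$rec" ;;
            *)         printf 'SELINUX_ERR: %s\n' "${rec#*: }" ;;
        esac
    done
}

# Demo on the constructed log; use report /var/log/audit/audit.log for real.
demo_log=$(mktemp)
write_sample_audit_log "$demo_log"
report "$demo_log"
rm -f "$demo_log"
```

On a real system run `report /var/log/audit/audit.log` as root; the demo at the bottom only looks at the constructed file. When you are done, `semodule -B` rebuilds the policy with the dontaudit rules back in place, otherwise the log keeps filling with noise the policy deliberately silences.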




More information about the fedora-selinux-list mailing list