selinux does not like crontab :(, default_t, kde
Robert Nichols
rnicholsNOSPAM at comcast.net
Fri Mar 27 15:50:04 UTC 2009
Daniel J Walsh wrote:
> On 03/26/2009 11:43 AM, Robert Nichols wrote:
>> I can confirm the same behavior when trying to run "crontab -l" or
>> "crontab -e", both as non-root and root user.
>>
>> Authentication service cannot retrieve authentication info
>> You (rnichols) are not allowed to access to (crontab) because of pam
>> configuration.
>>
>> OR
>>
>> Authentication service cannot retrieve authentication info
>> You (root) are not allowed to access to (crontab) because of pam
>> configuration.
>>
>> The problem goes away when running in permissive mode. Regardless of
>> permissive vs. enforcing mode, no AVCs are logged. No changes have been made to the
>> rawhide SELinux or PAM configurations. I do see this message logged in
>> /var/log/secure for each unsuccessful attempt:
>>
>> crontab: pam_unix(crond:account): helper binary execve failed:
>> Permission denied
>>
>> selinux-policy-3.6.8-3.fc11.noarch
>> selinux-policy-targeted-3.6.8-3.fc11.noarch
>> authconfig-5.4.7-2.fc11.i586
>>
> Do you see an SELINUX_ERR in /var/log/audit/audit.log?
>
> What does id -Z show?
>
> Could you try
>
> # semodule -DB
>
> Then look for avcs about cron.
I see this SELINUX_ERR in audit.log for each attempt:
type=SELINUX_ERR msg=audit(1238166172.444:23): security_compute_sid: invalid context unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process
After "semodule -DB", I still don't see any AVCs from cron. With or
without the dontaudits removed, running "grep cron audit.log" shows
these 3 lines for each attempt:
type=SELINUX_ERR msg=audit(1238167945.826:1307): security_compute_sid: invalid context unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1238167945.826:1307): arch=40000003 syscall=11 success=no exit=-13 a0=119d98 a1=bffd1030 a2=11c8e8 a3=119db4 items=0 ppid=3890 pid=3891 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1238167945.829:1308): user pid=3890 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="rnichols" exe="/usr/bin/crontab" (hostname=?, addr=?, terminal=cron res=failed)'
(Now running "semodule -B" to restore peace to my system!)
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
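The records quoted in this message show why "semodule -DB" turns up nothing: the failure is not an AVC denial but a SELINUX_ERR, meaning the type transition rule matched (admin_crontab_t executing chkpwd_exec_t yields chkpwd_t) and the resulting context then failed policy validation, which most often means the role (here unconfined_r) is not authorised for the computed type. The script below is an added example, not code from the thread or from the Fedora SELinux project; it parses audit records of the form shown above, joins each SELINUX_ERR to the SYSCALL record with the same event serial, and reports the failed transition together with the errno the process saw. The sample log is a constructed copy of the three records from the message, re-joined onto one line each.

```python
"""Correlate SELINUX_ERR audit records with the SYSCALL that triggered them.

Added example, not code from the thread or from Fedora/SELinux. It parses
audit.log records, and for each event serial that carries a SELINUX_ERR
reports the source domain, the entrypoint type, the domain the kernel
computed, and the errno the process actually received.
"""
import errno
import re
from collections import defaultdict

# Constructed sample input: the three records quoted in the message, one per line.
SAMPLE_LOG = """\
type=SELINUX_ERR msg=audit(1238167945.826:1307): security_compute_sid: invalid context unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1238167945.826:1307): arch=40000003 syscall=11 success=no exit=-13 a0=119d98 a1=bffd1030 a2=11c8e8 a3=119db4 items=0 ppid=3890 pid=3891 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1238167945.829:1308): user pid=3890 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="rnichols" exe="/usr/bin/crontab" (hostname=?, addr=?, terminal=cron res=failed)'
"""

# Every audit record starts with: type=<T> msg=audit(<timestamp>:<serial>): <body>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
# Generic key=value fields; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The SELINUX_ERR body written when a computed context fails validation.
INVALID_RE = re.compile(
    r"security_compute_sid: invalid context (?P<newctx>\S+) "
    r"for scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")


def parse_record(line):
    """Parse one audit.log line into a dict, or return None if it is not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": m["ts"], "serial": int(m["serial"])}
    if rec["type"] == "SELINUX_ERR":
        im = INVALID_RE.search(m["body"])
        if im:
            rec.update(im.groupdict())
    else:
        for key, value in KV_RE.findall(m["body"]):
            rec[key] = value.strip('"')
    return rec


def split_context(ctx):
    """Split user:role:type[:mls] into its parts."""
    user, role, type_, *mls = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "mls": mls[0] if mls else ""}


def failed_transitions(log_text):
    """Return one diagnosis per SELINUX_ERR event, joined to its SYSCALL record by serial."""
    by_serial = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]][rec["type"]] = rec

    results = []
    for serial, recs in sorted(by_serial.items()):
        err = recs.get("SELINUX_ERR")
        if not err or "newctx" not in err:
            continue
        src = split_context(err["scontext"])
        tgt = split_context(err["tcontext"])
        new = split_context(err["newctx"])
        sc = recs.get("SYSCALL", {})
        code = -int(sc.get("exit", "0"))  # audit logs the negative errno on failure
        results.append({
            "serial": serial,
            "source_domain": src["type"],
            "entrypoint_type": tgt["type"],
            "computed_domain": new["type"],
            "role": new["role"],
            "exe": sc.get("exe"),
            "denied": sc.get("success") == "no",
            "errno_name": errno.errorcode.get(code, str(code)),
            # No AVC is written because the transition rule matched; the computed
            # context itself was rejected. The usual cause (an assumption about this
            # case, stated as the thing to check) is a missing role/type pairing.
            "reason": (f"context {err['newctx']} failed policy validation; "
                       f"check that role {new['role']} is authorised for type {new['type']}"),
        })
    return results


if __name__ == "__main__":
    for d in failed_transitions(SAMPLE_LOG):
        print(f"[{d['serial']}] {d['exe']}: {d['source_domain']} --exec "
              f"{d['entrypoint_type']}--> {d['computed_domain']} "
              f"{'DENIED' if d['denied'] else 'allowed'} ({d['errno_name']}); {d['reason']}")
```

Run it on a real audit.log by passing the file contents to failed_transitions(); the join on the event serial is what lets the tool distinguish this case from an ordinary AVC denial, since an AVC would carry the same serial as its SYSCALL record but the SELINUX_ERR has no AVC sibling at all.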