selinux does not like crontab :(, default_t, kde

Robert Nichols rnicholsNOSPAM at comcast.net
Fri Mar 27 15:50:04 UTC 2009


Daniel J Walsh wrote:
> On 03/26/2009 11:43 AM, Robert Nichols wrote:
>> I can confirm the same behavior when trying to run "crontab -l" or
>> "crontab -e"
>> both as non-root and root user.
>>
>> Authentication service cannot retrieve authentication info
>> You (rnichols) are not allowed to access to (crontab) because of pam
>> configuration.
>>
>> OR
>>
>> Authentication service cannot retrieve authentication info
>> You (root) are not allowed to access to (crontab) because of pam
>> configuration.
>>
>> The problem goes away when running in permissive mode. Regardless of
>> permissive
>> vs. enforcing mode, no AVCs are logged. No changes have been made to the
>> rawhide SELinux or PAM configurations. I do see this message logged in
>> /var/log/secure for each unsuccessful attempt:
>>
>> crontab: pam_unix(crond:account): helper binary execve failed:
>> Permission denied
>>
>> selinux-policy-3.6.8-3.fc11.noarch
>> selinux-policy-targeted-3.6.8-3.fc11.noarch
>> authconfig-5.4.7-2.fc11.i586
>>
> Do you see an SELINUX_ERR in /var/log/audit/audit.log?
> 
> What does id -Z show?
> 
> Could you try
> 
> # semodule -DB
> 
> Then look for avcs about cron.

I see this SELINUX_ERR in audit.log for each attempt:

type=SELINUX_ERR msg=audit(1238166172.444:23): security_compute_sid:  invalid context 
unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process

After "semodule -DB", I still don't see any AVCs from cron.  With or
without the dontaudits removed, running "grep cron audit.log" shows
these 3 lines for each attempt:

   type=SELINUX_ERR msg=audit(1238167945.826:1307): security_compute_sid:  invalid context 
unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process

   type=SYSCALL msg=audit(1238167945.826:1307): arch=40000003 syscall=11 success=no exit=-13 a0=119d98 a1=bffd1030 
a2=11c8e8 a3=119db4 items=0 ppid=3890 pid=3891 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=pts1 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 
key=(null)

   type=USER_ACCT msg=audit(1238167945.829:1308): user pid=3890 uid=500 auid=500 ses=1 
subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="rnichols" 
exe="/usr/bin/crontab" (hostname=?, addr=?, terminal=cron res=failed)'

(Now running "semodule -B" to restore peace to my system!)

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
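What the records above say, for anyone hitting the same symptom: the kernel's security_compute_sid() built the new process context for the exec of pam_unix's helper (the file labeled chkpwd_exec_t) and rejected it as invalid. That is a policy-validity failure, not an access denial, so no access vector is ever checked, no AVC is written, and removing dontaudit rules with semodule -DB cannot surface anything; the execve just fails with EACCES and PAM turns that into the "cannot retrieve authentication info" message. Because user, role and MLS range are carried over from the caller unchanged, the only component that differs in the computed context is the type, which is the classic signature of a role that is not authorized for the new type (a missing `role <role> types <type>;` in the policy). The script below is an added example for this thread, not code from the mail; all function names in it are its own, and its sample input is the post's three records re-joined onto single lines. It groups records by audit event id, extracts the three contexts from the SELINUX_ERR text, decodes the i386 syscall number and errno from the matching SYSCALL record, ties the parent's USER_ACCT failure to it by pid, and reports the likely cause.

```python
"""Correlate SELinux 'invalid context' audit records with the execve that
triggered them and the PAM failure the parent logged, then explain the event.

Added example for this thread, not code from the original mail; all names in
it are this example's own. SAMPLE_AUDIT_LOG is constructed from the three
records the post shows for one failed "crontab -l", re-joined onto single
lines (the mail wrapped them)."""
import errno
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=SELINUX_ERR msg=audit(1238167945.826:1307): security_compute_sid:  invalid context unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1238167945.826:1307): arch=40000003 syscall=11 success=no exit=-13 a0=119d98 a1=bffd1030 a2=11c8e8 a3=119db4 items=0 ppid=3890 pid=3891 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1238167945.829:1308): user pid=3890 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="rnichols" exe="/usr/bin/crontab" (hostname=?, addr=?, terminal=cron res=failed)'
"""

RECORD = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
KV = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
INVALID_CTX = re.compile(
    r"invalid context (?P<new>\S+) for scontext=(?P<scontext>\S+) "
    r"tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")
I386_SYSCALLS = {11: "execve"}  # arch=40000003 is i386; only what this example needs


def parse_record(line):
    """Parse one audit record into a dict of its fields; None if not a record."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "event": f"{m['ts']}:{m['serial']}"}
    rec.update((k, v.strip("\"'")) for k, v in KV.findall(m["body"]))
    err = INVALID_CTX.search(m["body"])
    if err:  # SELINUX_ERR body is free text; pull the three contexts out of it
        rec.update(err.groupdict())
    return rec


def group_events(text):
    """Group records by audit event id (timestamp:serial); one syscall = one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["event"]].append(rec)
    return dict(events)


def split_context(ctx):
    """user:role:type[:range] -> dict. The MLS range itself contains ':'."""
    user, role, type_, *rng = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": rng[0] if rng else ""}


def diagnose(records):
    """Explain one event; None if it carries no invalid-context SELINUX_ERR."""
    err = next((r for r in records if r["type"] == "SELINUX_ERR" and "new" in r), None)
    if err is None:
        return None
    src, new = split_context(err["scontext"]), split_context(err["new"])
    changed = [k for k in ("user", "role", "type", "range") if src[k] != new[k]]
    sysc = next((r for r in records if r["type"] == "SYSCALL"), {})
    nr = int(sysc.get("syscall", -1))
    diag = {
        "source_type": src["type"],
        "exec_type": split_context(err["tcontext"])["type"],
        "new_type": new["type"], "role": new["role"], "changed": changed,
        "exe": sysc.get("exe"), "pid": sysc.get("pid"), "ppid": sysc.get("ppid"),
        "syscall": I386_SYSCALLS.get(nr, str(nr)) if sysc.get("arch") == "40000003" else str(nr),
        "errno": errno.errorcode.get(-int(sysc.get("exit", 0)), "?"),
        # The kernel rejected the *computed* context before any access check ran,
        # so no AVC is ever logged and dontaudit rules play no part.
        "avc_expected": False,
    }
    if err["tclass"] == "process" and changed == ["type"]:
        # Only the type changed: the exec transition exists, but the role the
        # process carries is not authorized for the new type.
        diag["likely_cause"] = (
            f"transition {src['type']} -> {new['type']} via {diag['exec_type']} is defined, "
            f"but role {new['role']} is not authorized for type {new['type']} "
            f"(policy lacks 'role {new['role']} types {new['type']};')")
    else:
        diag["likely_cause"] = (f"components {changed} changed; check user->role and "
                                "role->type authorization and the MLS range")
    return diag


def pam_outcome(events, diag):
    """Find the PAM record the parent of the failed exec logged (its pid == our ppid)."""
    for recs in events.values():
        for r in recs:
            if r["type"] == "USER_ACCT" and r.get("pid") == diag["ppid"]:
                inner = {k: v.strip("\"'),") for k, v in KV.findall(r.get("msg", ""))}
                return {"acct": inner.get("acct"), "op": inner.get("op"), "res": inner.get("res")}
    return None


if __name__ == "__main__":
    evs = group_events(SAMPLE_AUDIT_LOG)
    for eid, recs in sorted(evs.items()):
        d = diagnose(recs)
        if d:
            print(eid, d["likely_cause"])
            print("   exec:", d["exe"], d["syscall"], "->", d["errno"], "| PAM:", pam_outcome(evs, d))
```

Run against a real /var/log/audit/audit.log the same way (read the file instead of SAMPLE_AUDIT_LOG); the pid/ppid join is what lets you tell which PAM-using program's helper exec actually failed when several services log accounting failures at once.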
