selinux and crontab one-more-time

Daniel J Walsh dwalsh at redhat.com
Thu Apr 16 13:27:23 UTC 2009


On 04/15/2009 06:28 PM, Antonio Olivares wrote:
>
>
>
> --- On Wed, 4/15/09, Daniel J Walsh<dwalsh at redhat.com>  wrote:
>
>> From: Daniel J Walsh<dwalsh at redhat.com>
>> Subject: Re: selinux and crontab one-more-time
>> To: olivares14031 at yahoo.com
>> Cc: fedora-selinux-list at redhat.com
>> Date: Wednesday, April 15, 2009, 6:09 AM
>> On 04/15/2009 08:38 AM, Antonio Olivares wrote:
>>>> I tried everything you described and it worked fine.  The
>>>> unconfined_t:unix_stream_socket is coming from the leaked file
>>>> descriptor in Konsole, I believe.
>>> It is working, but on the other machine I can't edit crontab.  Only on
>>> this one.  But why do I see this message?
>>> Thanks,
>>>
>>> Antonio
>>>
>>>
>>>
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>>
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Is the other machine fully upgraded to the latest policy?
>> Make sure the
>> policy installed successfully.
>>
>> yum reinstall selinux-policy-targeted
>>
>> The message is caused by leaks in file descriptors within
>> Konsole.
>
>
> [olivares at riohigh ~]$ whoami
> olivares
> [olivares at riohigh ~]$ crontab -l
> cron/olivares: Permission denied
> [olivares at riohigh ~]$ crontab -e
> cron/olivares: Permission denied
> [olivares at riohigh ~]$ dmesg | grep 'avc'
> [olivares at riohigh ~]$ rpm -qa selinux-policy-targeted
> selinux-policy-targeted-3.6.12-4.fc11.noarch
>
> Doing the steps you outlined.
>
> [root at riohigh ~]# yum reinstall selinux-policy-targeted
> Setting up Reinstall Process
> Resolving Dependencies
> -->  Running transaction check
> --->  Package selinux-policy-targeted.noarch 0:3.6.12-4.fc11 set to be erased
> --->  Package selinux-policy-targeted.noarch 0:3.6.12-4.fc11 set to be updated
> -->  Finished Dependency Resolution
>
> Dependencies Resolved
>
> ================================================================================
>   Package                     Arch       Version             Repository     Size
> ================================================================================
> Installing:
>   selinux-policy-targeted     noarch     3.6.12-4.fc11       rawhide       2.1 M
> Removing:
>   selinux-policy-targeted     noarch     3.6.12-4.fc11       installed     2.3 M
>
> Transaction Summary
> ================================================================================
> Install      1 Package(s)
> Update       0 Package(s)
> Remove       1 Package(s)
>
> Total download size: 2.1 M
> Is this ok [y/N]: y
> Downloading Packages:
> selinux-policy-targeted-3.6.12-4.fc11.noarch.rpm         | 2.1 MB     00:02
> Running rpm_check_debug
> Running Transaction Test
> Finished Transaction Test
> Transaction Test Succeeded
> Running Transaction
>    Erasing        : selinux-policy-targeted                                  1/2
>    Installing     : selinux-policy-targeted                                  1/2
>
> Removed:
>    selinux-policy-targeted.noarch 0:3.6.12-4.fc11
>
> Installed:
>    selinux-policy-targeted.noarch 0:3.6.12-4.fc11
>
> Complete!
>
>
> makes no difference :(, Can't modify my crontab to change certain things.
>
> [olivares at riohigh ~]$ crontab -l
> cron/olivares: Permission denied
> [olivares at riohigh ~]$ crontab -e
> cron/olivares: Permission denied
>
>
> Regards,
>
> Antonio
>
>
>
>
Putting the machine in permissive mode you are able to execute these 
commands?

No avc messages about crontab, other than the leaked file descriptor?

# ls -lZ /var/spool/cron

Could you try to add a custom policy to allow the avc's about 
unconfined_t and see if the crontab command works.

# grep crontab /var/log/audit/audit.log | audit2allow -M mycrontab
# semodule -i mycrontab.pp
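
Before loading a module built from the crontab denials, it helps to see which allow rules those denials would become and which of them are only the leaked-descriptor noise discussed above. The following is an added example, not part of the original message and not audit2allow's own code; the log records are constructed, and the crontab_t and var_spool_t types and the leaked-fd heuristic are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1239888443.101:201): avc:  denied  { read write } for  pid=2345 comm="crontab" path="socket:[12345]" dev=sockfs ino=12345 scontext=unconfined_u:unconfined_r:crontab_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1239888443.105:202): avc:  denied  { search } for  pid=2345 comm="crontab" name="cron" dev=dm-0 ino=4242 scontext=unconfined_u:unconfined_r:crontab_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1239888450.310:207): avc:  denied  { read write } for  pid=2360 comm="crontab" path="socket:[12345]" dev=sockfs ino=12345 scontext=unconfined_u:unconfined_r:crontab_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1239888450.310:207): arch=40000003 syscall=11 success=yes exit=0 comm="crontab" exe="/usr/bin/crontab"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(log_text, comm="crontab"):
    """Group denials for one command by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC") or f'comm="{comm}"' not in line:
            continue
        m = AVC_RE.search(line)
        if m:
            key = (se_type(m["s"]), se_type(m["t"]), m["cls"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def is_leaked_fd(key, perms):
    """Assumed heuristic: only read/write on an inherited socket or pipe."""
    _, _, cls = key
    return cls in {"unix_stream_socket", "fifo_file"} and perms <= {"read", "write"}

def report(log_text):
    """Render each grouped denial as the allow rule it would become."""
    out = []
    for key, perms in sorted(summarize(log_text).items()):
        note = "likely leaked fd" if is_leaked_fd(key, perms) else "review"
        rule = f"allow {key[0]} {key[1]}:{key[2]} {{ {' '.join(sorted(perms))} }};"
        out.append(f"{rule}  # {note}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A rule marked "review" that targets a generic type on the cron spool points at a labeling problem, which is what the ls -lZ check above would confirm.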



