After getting informed on the gentoo-hardened mailing-list for adding selinux-base-policy-2.20101213-r21 ("Portage support to allow emerge, emerge-webrsync, layman etc. to be called from unattended domains like cron") I removed my policy generated by audit2allow in order to run cron jobs on SELINUX=enforcing and SELINUXTYPE=strict. But I've had to install my own policy again to get vixie-cron work for running a cron job ("eix-sync") (Attachment). So this might not a bug. But it's hard for me to argue regarding the improvement of selinux-base-policy-2.20101213-r21 when I've had to activate my own policy again. Reproducible: Always Steps to Reproduce: 1. running cron jobs in /etc/crontabs 2. SELINUX=enforcing and SELINUXTYPE=strict 3. Actual Results: Running cron job ("eix-sync") fails. Expected Results: cron job for "eix-sync" working properly with SELINUX=enforcing and SELINUXTYPE=strict.
Created attachment 280871 [details] policy SELinux cron
should have been /etc/crontab
Hi Dave Would it be possible to tell us what the errors were that you got (either through cron or indirectly) and which denials were triggered? System cronjobs (system_cronjob_t) shouldn't call user scripts, that's what the user cronjobs are for (cronjob_t). Otoh, we know our policy will not handle all possible cases, so having your own updates on the policy locally is not something unexpected.
