Bug 306393

Summary:	Problems with crontabs and selinux users
Product:	Gentoo Linux	Reporter:	Chris PeBenito (RETIRED) <pebenito>
Component:	Hardened	Assignee:	SE Linux Bugs <selinux>
Status:	VERIFIED FIXED
Severity:	major
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Chris PeBenito (RETIRED) gentoo-dev

2010-02-22 16:48:42 UTC

Update the vixie-cron patch to handle labeling of the crontab files.  Example problem:

1. login as unconfined_u non-root user
2. su to root
3. crontab -e
4. if creating the crontab, the crontab gets unconfined_u user, when it really should be root, assuming the root:root login mapping.

Possibly may have to require users to log in as the actual user rather than using su, since a code fix may be denied by policy constraints.

Comment 1 Chris PeBenito (RETIRED) gentoo-dev

2010-02-22 16:59:47 UTC

Example error log message:

cron[20642]: (root) ENTRYPOINT FAILED (crontabs/root)

If you are trying to fix up your cron on v2refpolicy, make sure your crontab file has the right context:

ls -Z /var/spool/cron/crontabs/[username]

it should have the context: [seuser]:object_r:user_cron_spool_t

where the seuser is the one that is mapped to the linux user (see 'semanage login -l' for mappings).  So for example, the root crontab should have the root seuser on the crontab file, for the default SELinux user mapping.