| Summary: | vixie-cron fails with SELINUX=enforcing and SELINUXTYPE=strict | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Dave <mailintern> |
| Component: | Hardened | Assignee: | SE Linux Bugs <selinux> |
| Status: | RESOLVED NEEDINFO | ||
| Severity: | minor | ||
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | AMD64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Attachments: | policy SELinux cron | ||
Created attachment 280871 [details]
policy SELinux cron
should have been /etc/crontab Hi Dave Would it be possible to tell us what the errors were that you got (either through cron or indirectly) and which denials were triggered? System cronjobs (system_cronjob_t) shouldn't call user scripts, that's what the user cronjobs are for (cronjob_t). Otoh, we know our policy will not handle all possible cases, so having your own updates on the policy locally is not something unexpected. |
After getting informed on the gentoo-hardened mailing-list for adding selinux-base-policy-2.20101213-r21 ("Portage support to allow emerge, emerge-webrsync, layman etc. to be called from unattended domains like cron") I removed my policy generated by audit2allow in order to run cron jobs on SELINUX=enforcing and SELINUXTYPE=strict. But I've had to install my own policy again to get vixie-cron work for running a cron job ("eix-sync") (Attachment). So this might not a bug. But it's hard for me to argue regarding the improvement of selinux-base-policy-2.20101213-r21 when I've had to activate my own policy again. Reproducible: Always Steps to Reproduce: 1. running cron jobs in /etc/crontabs 2. SELINUX=enforcing and SELINUXTYPE=strict 3. Actual Results: Running cron job ("eix-sync") fails. Expected Results: cron job for "eix-sync" working properly with SELINUX=enforcing and SELINUXTYPE=strict.