vixie-cron, when built with the hardened and selinux use flags, will not execute jobs listed in a user's crontab if SELinux is running in permissive mode.

Workaround: emerge vixie-cron without those USE flags if you are planning to use SELinux in permissive mode for a long period of time. emerge it again with those USE flags once you are ready to go back to enforcing mode.

Reproducible: Always

Steps to Reproduce:
1. emerge vixie-cron with USE="hardened selinux"
2. Add a job to your crontab
3. Notice that the job didn't execute and view the following line in /var/log/messages:
   (<username>) ENTRYPOINT FAILED (crontabs/<username>)

Actual Results:
A line with "(<username>) ENTRYPOINT FAILED (crontabs/<username>)" was added to /var/log/messages, and the command listed in the crontab was not executed.

Expected Results:
The command in the crontab should have been executed.

Portage 2.0.51.19 (selinux/2004.1/x86, gcc-3.3.5-20050130, glibc-2.3.4.20041102-r1, 2.6.11-hardened-r1 i686)
=================================================================
System uname: 2.6.11-hardened-r1 i686 AMD Athlon(tm) Processor
Gentoo Base System version 1.6.10
Python: dev-lang/python-2.3.4-r1 [2.3.4 (#1, Feb 13 2005, 14:23:20)]
dev-lang/python: 2.3.4-r1
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.5, 1.7.9-r1, 1.6.3, 1.4_p6, 1.9.4, 1.8.5-r3
sys-devel/binutils: 2.15.92.0.2-r7
sys-devel/libtool: 1.5.14
virtual/os-headers: 2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-Os -march=athlon-xp -mcpu=athlon-xp -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-Os -march=athlon-xp -mcpu=athlon-xp -fomit-frame-pointer -pipe"
DISTDIR="/var/tmp/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks loadpolicy sandbox selinux sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="alsa apache2 apm avi berkdb bitmap-fonts clearpasswd crypt cups emboss encode foomaticdb fortran gd gdbm gif gpm gtk2 hardened hub imagemagick imap imlib ipv6 jpeg libg++ libwww mad mbox md5sum mikmod motif mp3 mpeg mysql ncurses net nls nptl nptlonly oggvorbis opengl openssl oss pam pcap perl php pic png python quicktime readline samba sasl sdl selinux slang spell ssl svga tcpd tiff truetype-fonts type1-fonts x86 xml2 xmms xv zlib"
Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS

Your crontabs are mislabeled. root's should be system_u:object_r:sysadm_cron_spool_t. Staff users should be system_u:object_r:staff_cron_spool_t, and all other users should be system_u:object_r:user_cron_spool_t.
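
Added example (not part of the original report or reply): a label check built from the rule in the comment above. The STAFF_USERS list, the "<context> <path>" input format and the sample listing are assumptions constructed for illustration; the file name is taken to be the owning user, as in crontabs/<username>.

```shell
#!/bin/sh
# STAFF_USERS is a hypothetical, hand-maintained list: which accounts count
# as "staff users" depends on local policy and cannot be derived here.
STAFF_USERS="alice"

# Print the context the comment above says a user's crontab should carry.
expected_cron_context() {
    user=$1
    if [ "$user" = "root" ]; then
        echo "system_u:object_r:sysadm_cron_spool_t"
        return
    fi
    for s in $STAFF_USERS; do
        if [ "$s" = "$user" ]; then
            echo "system_u:object_r:staff_cron_spool_t"
            return
        fi
    done
    echo "system_u:object_r:user_cron_spool_t"
}

# Read "<context> <path>" lines on stdin (constructed format).
# Prints one line per mislabeled crontab; returns 1 if any were found.
check_crontab_labels() {
    bad=0
    while read -r have path; do
        [ -n "$path" ] || continue
        user=${path##*/}            # crontab file name = owning user
        want=$(expected_cron_context "$user")
        if [ "$have" != "$want" ]; then
            echo "MISLABELED $path have=$have want=$want"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample listing, not output from the reporter's system.
SAMPLE='system_u:object_r:sysadm_cron_spool_t crontabs/root
system_u:object_r:user_cron_spool_t crontabs/alice
system_u:object_r:var_spool_t crontabs/bob'

# Demo run over the sample; the heredoc keeps the loop in the current shell.
check_crontab_labels <<EOF || true
$SAMPLE
EOF
```

On a live system the input lines would come from the context and path columns of an `ls -Z` listing of the crontab spool directory.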