Hi,

On FC2, the system housekeeping is executed as root via a shell script, /usr/bin/run-parts, which in turn executes scripts in /etc/cron.{hourly,daily,monthly}. This does not work in enforcing mode. Instead I get the following error:

audit(1085671860.593:0): avc: denied { transition } for pid=17894 exe=/usr/sbin/crond path=/bin/bash dev=hda2 ino=883049 scontext=root:system_r:crond_t tcontext=user_u:sysadm_r:sysadm_t tclass=process

If I interpret this correctly, crond is unable to change the execution context to root when trying to run /usr/bin/run-parts. I already submitted a bug report for that (http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124533), but until it is fixed, I wanted to make my own workaround. I tried the following:

In /etc/security/selinux/src/policy/file_contexts/misc/local.fc I have:

  /usr/bin/run-parts -- system_u:object_r:runparts_exec_t

In /etc/security/selinux/src/policy/domains/misc/local.te I have:

  type runparts_exec_t, file_type, sysadmfile, exec_type;
  domain_trans(crond_t, shell_exec_t, sysadm_t)
  domain_trans(crond_t, runparts_exec_t, sysadm_t)

I also tried adding:

  system_crond_entry(runparts_exec_t, sysadm_t)

After relabeling and make reload, I still get this error. At least the script seems to be labeled OK:

  -rwxr-xr-x+ root root system_u:object_r:runparts_exec_t /usr/bin/run-parts

What am I doing wrong?

Thanks
 -Fritz

--
Fritz Elfert <fritz.elfert@xxxxxxxxxxxx>
Millenux GmbH
Lilienthalstr. 2      Phone: +49 711 88770 400
70825 Stuttgart       FAX:   +49 711 88770 449
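The denial quoted in the message above can be split into its fields mechanically, which makes it easier to see exactly which source and target contexts the kernel compared. The Python below is an added example, not part of the original post; it assumes the `audit(...): avc:` line layout shown in that message, and the function names are hypothetical.

```python
import re

# Denial copied verbatim from the message above.
SAMPLE = (
    "audit(1085671860.593:0): avc: denied { transition } for pid=17894 "
    "exe=/usr/sbin/crond path=/bin/bash dev=hda2 ino=883049 "
    "scontext=root:system_r:crond_t tcontext=user_u:sysadm_r:sysadm_t "
    "tclass=process"
)

# Assumed layout: "avc: denied { perms } for key=value ..." as in the sample.
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_context(ctx):
    """Split user:role:type (any trailing MLS part is ignored)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return dict(zip(("user", "role", "type"), parts))

def parse_avc(line):
    """Return the fields of one AVC line, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            raise ValueError("AVC line lacks %s" % key)
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    fields["scontext"] = parse_context(fields["scontext"])
    fields["tcontext"] = parse_context(fields["tcontext"])
    return fields

def changed_components(avc):
    """Which of user/role/type differ between source and target context."""
    return [k for k in ("user", "role", "type")
            if avc["scontext"][k] != avc["tcontext"][k]]

def rule_key(avc):
    """(source type, target type, class, perms): groups repeated denials."""
    return (avc["scontext"]["type"], avc["tcontext"]["type"],
            avc["tclass"], tuple(avc["perms"]))

if __name__ == "__main__":
    avc = parse_avc(SAMPLE)
    print(rule_key(avc), "changes:", changed_components(avc))
```

For the quoted denial it reports that user, role and type all differ between scontext and tcontext.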