Tom London wrote:
On Mon, 24 Jan 2005 15:02:22 -0500, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
Can you try a make -C /etc/selinux/targeted/src/policy load
Sorry, no soap. :-(
Here's a log: [root@tlondon ~]# cd /etc/selinux/targeted [root@tlondon targeted]# cd src/policy [root@tlondon policy]# make -C /etc/selinux/targeted/src/policy load make: Entering directory `/etc/selinux/targeted/src/policy' /usr/sbin/load_policy /etc/selinux/targeted/policy/policy.18 touch tmp/load make: Leaving directory `/etc/selinux/targeted/src/policy' [root@tlondon ~]# cd /etc/init.d [root@tlondon init.d]# ./crond status crond is stopped [root@tlondon init.d]# ./crond start Starting crond: /etc/init.d/functions: line 148: /usr/sbin/crond: Permission denied [FAILED] [root@tlondon init.d]#
Here's the AVC: Jan 25 07:38:17 localhost kernel: audit(1106667497.815:0): security_compute_sid: invalid context root:system_r:crond_t for scontext=root:system_r:initrc_t tcontext=system_u:object_r:crond_exec_t tclass=process
tom
Ok, you need to change the policy for crond.te
--- crond.te~ 2005-01-21 16:16:11.000000000 -0500 +++ crond.te 2005-01-25 12:04:52.000000000 -0500 @@ -19,5 +19,5 @@ type sysadm_cron_spool_t, file_type, sysadmfile; type crond_log_t, file_type, sysadmfile; type crond_var_run_t, file_type, sysadmfile; -domain_auto_trans(initrc_t, crond_exec_t, crond_t) -domain_auto_trans(initrc_t, anacron_exec_t, crond_t) +domain_auto_trans(initrc_t, crond_exec_t, unconfined_t) +domain_auto_trans(initrc_t, anacron_exec_t, unconfined_t)
I will update policy and throw it out on people.
selinux-policy-targeted-1.21.3-2
