Hi;

It looked that way:

[root@dragon bin]# ls -lZ /var/spool/cron/
-rw------- root root root:object_r:sysadm_cron_spool_t apache

I created the cron entry as root/sysadm_r with the -u flag for user apache.
After I changed it to root:object_r:user_cron_spool_t it worked!

THX
hb

On Tuesday, 26.04.2005, at 07:35 -0400, Stephen Smalley wrote:
> On Tue, 2005-04-26 at 10:05 +0200, Holger Burde wrote:
> > I tried to run a cron job from the apache account but nothing happens
> > besides an entry in /var/log/cron:
> >
> > Apr 26 10:51:49 dragon crond[4284]: (CRON) STARTUP (V5.0)
> > Apr 26 10:51:49 dragon crond[4284]: (apache) ENTRYPOINT FAILED (cron/apache)
> >
> > (wrong context?)
>
> Yes; crond applies an entrypoint permission check of its own between the
> security context for the cron job process and the security context on
> the crontab file to prevent tricking a more trusted cron job process
> (e.g. root's cron jobs) from running untrustworthy input. What does ls
> -Z /var/spool/cron/ show? In the absence of an explicit user identity
> for apache in the SELinux policy, I'd expect the apache crontab to be
> labeled <user>:object_r:user_cron_spool_t (the <user> doesn't matter;
> could be system_u or user_u or root).
>
> > audit2allow -i /var/log/messages -l
> > nothing ...
>
> Yes, it isn't a kernel denial; it is a check by crond.
>

--
Holger Burde <hburde@xxxxxxxxxxx>
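An added example, not part of the original thread: a small check that reads `ls -lZ /var/spool/cron/` output in the format shown above and reports crontabs whose type is not `user_cron_spool_t`, the mislabel that produced ENTRYPOINT FAILED here. The function names and the sample listing are constructed, and the script assumes every non-root account is expected to carry `user_cron_spool_t`; root's own crontab is skipped because the thread does not state its expected type.

```shell
#!/bin/sh
# Constructed sample listing. The first line is the one quoted in the thread;
# the other two are made up for illustration.
sample_listing() {
cat <<'EOF'
-rw------- root root root:object_r:sysadm_cron_spool_t apache
-rw------- alice root user_u:object_r:user_cron_spool_t alice
-rw------- root root root:object_r:sysadm_cron_spool_t root
EOF
}

# Reads an `ls -lZ` listing on stdin and prints "<crontab> <type>" for each
# crontab whose SELinux type differs from the expected one.
# Assumption: user_cron_spool_t is expected for all accounts except root.
mislabeled_crontabs() {
    awk -v want="user_cron_spool_t" '
    {
        # Locate the security context field (user:role:type[:level]).
        ctx = ""
        for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) ctx = $i
        if (ctx == "") next          # not a labeled file entry
        name = $NF                   # crontab file is named after the account
        if (name == "root") next     # expected type for root not covered here
        split(ctx, part, ":")
        if (part[3] != want) print name, part[3]
    }'
}

# Run against the constructed sample. On a live system, pipe the real listing:
#   ls -lZ /var/spool/cron/ | mislabeled_crontabs
sample_listing | mislabeled_crontabs
```

A crontab reported by this check can be relabeled with `chcon -t user_cron_spool_t <file>`, which matches the change that made the job run in the thread.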