Re: Cron after upgrade (FC6 -> FC8)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jouni Viikari wrote:
> On Mon, 19 Nov 2007, Daniel J Walsh wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Jouni Viikari wrote:
>>> Is it possible to run crontab job as a root any more on FC8?  I get this
>>> in /var/log/cron and job is not run:
>>>
>>>  ... crond[2511]: (root) Unauthorized SELinux context (cron/root)
>>>
>>>
>>> Thanks,
>>>
>>> Jouni
>>>
>>>
>>> # ls -lZ /var/spool/cron/
>>> -rw-------  root root system_u:object_r:unconfined_cron_spool_t root
>>>
>>> # rpm -qa | grep selinux-policy-targeted
>>> selinux-policy-targeted-3.0.8-53.fc8
>>>
>>> I just tried my luck (just guessing):
>>>
>>> # chcon -t sysadm_crond_t /var/spool/cron/root
>>> chcon: failed to change context of /var/spool/cron/root to
>>> system_u:object_r:sysadm_crond_t: Permission denied
>>>
>>> -- 
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list@xxxxxxxxxx
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Fixed in selinux-policy-3.0.8-56
> 
> Did not solve it:
> 
> crond[2511]: (root) Unauthorized SELinux context(cron/root).
> 
> # rpm -qa | grep selinux-policy
> selinux-policy-targeted-3.0.8-56.fc8
> selinux-policy-3.0.8-56.fc8
> 
> 
> BTW, I wonder how to fix this message which is continuously popping up
> in the right way?  Which version is correct:
> 
> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different
> specifications for /var/lib/awstats(/.*)?
> (system_u:object_r:httpd_sys_script_rw_t:s0 and
> system_u:object_r:awstats_var_lib_t:s0).
> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different
> specifications for /usr/share/awstats/wwwroot/cgi-bin(/.*)?
> (system_u:object_r:httpd_sys_script_exec_t:s0 and
> system_u:object_r:httpd_awstats_script_exec_t:s0).
These looks like you did some local customization of these directrories.

I would remove your local mods.

semanage fcontext -d '/usr/share/awstats/wwwroot/cgi-bin(/.*)?'
semanage fcontext -d '/var/lib/awstats(/.*)?'

I would almost always go with the more specific.  :^)
> 
> 
> Just noticed that it looks like also my SquirrelMail is broken:
> 
> avc: denied { search } for comm=sendmail dev=dm-0 egid=51 euid=48
> exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0
> name=mail pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=dir
> tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
> 
> avc: denied { getattr } for comm=sendmail dev=dm-0 egid=51 euid=48
> exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0
> path=/etc/mail pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0
> sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=dir
> tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
> 
> avc: denied { create } for comm=sendmail egid=51 euid=48
> exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0
> pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48
> tclass=unix_dgram_socket
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48
> 

setsebool -P http_can_sendmail 1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHRFSWrlYvE4MpobMRAtUOAJ9vqkqyDyJyiRLoJlbhvGvvfTgB9gCfUKgA
N7vFvYgvjAgAkDjk88qst9s=
=uIyS
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux