On Wed, 2007-11-28 at 21:16 +0100, Aleksander Adamowski wrote: > Hi! > > I'm using selinux-policy-strict-2.4.6-30.el5. > > I've added a job to apache's crontab (crontab -e -u apache). > > Now I can see those errors in /var/log/cron: > > crond[27249]: (apache) Unauthorized SELinux context, but SELinux in > permissive mode, continuing (cron/apache) > crond[29358]: (apache) NULL security context for user, but SELinux in > permissive mode, continuing () > > > Google search found a suggestion that FC6 cron policy is broken, > resulting in similar symptoms (but for root instead of apache user), but > what about RHEL5? > > I've also added a simple apache cronjob that simply writes output from > "id -Z" to a file in /tmp and it has written the following context data: > > root:system_r:crond_t:SystemLow-SystemHigh > > Why is the user root? Shouldn't it be user_u or system_u or something > like that? Sounds like it just stayed in crond's context since it failed the check and the system was permissive. Naturally, in enforcing mode, it would have not executed the job at all. crond computes a context for the user's cron job in the usual manner, then applies a entrypoint permission check between that context and the file context on the crontab file (which gets picked up from a combination of its creator and the parent directory). If that check fails, then crond refuses to execute the crontab commands in that process context. The check is intended to prevent injection of commands from one context into another via crontab, unless authorized by policy of course. I'd have expected it to try to run the cron job in user_u:user_r: user_crond_t:s0 since apache wouldn't have a specific entry in seusers. So it would have wanted the crontab file to have user_cron_spool_t on it, which would have happened if a user_t process created it. If instead an admin created it and it got sysadm_cron_spool_t or staff_cron_spool_t, that might explain it. So you could relabel it or allow that permission. First though check the current label on the crontab file. -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
