Hi

On Fedora 9, we've got a symlink in /etc/cron.daily/ to /usr/local/bin/checkmailspool which ultimately tries to run

    /usr/sbin/postqueue -p

It works if you call it via the root user's crontab, but not when you put the script in /etc/cron.daily/. (I've included the sealert output below).

When called by the "system" cron (in which the denial occurs) id -Z output is

    system_u:system_r:system_crond_t:s0-s0:c0.c1023

OTOH, the root cron (which works) shows

    root:unconfined_r:unconfined_t:s0-s0:c0.c1023

I've just read crontab(5) which mentions setting MLS_LEVEL on the first line of the crontab, but it seems to suggest that this would apply (perhaps unnecessarily) to all the jobs run in that crontab.

What's the recommended method to get this one script working from within /etc/cron.daily/ ?

Regards,

Nik Lam

Summary:

SELinux is preventing postqueue (postfix_postqueue_t) "connectto" to /var/spool/postfix/public/showq (unconfined_t).

Detailed Description:

SELinux denied access requested by postqueue. It is not expected that this access is required by postqueue and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                /var/spool/postfix/public/showq [ unix_stream_socket ]
Source                        postqueue
Source Path                   /usr/sbin/postqueue
Port                          <Unknown>
Host                          replaced.example.com
Source RPM Packages           postfix-2.5.5-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-107.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     replaced.example.com
Platform                      Linux replaced.example.com 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686
Alert Count                   38
First Seen                    Tue Nov 4 05:04:42 2008
Last Seen                     Thu Nov 20 05:04:42 2008
Local ID                      f5f4066b-d167-44ca-9c00-afd71f485225
Line Numbers

Raw Audit Messages

host=replaced.example.com type=AVC msg=audit(1227117882.675:17773): avc: denied { connectto } for pid=15651 comm="postqueue" path="/var/spool/postfix/public/showq" scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

host=replaced.example.com type=SYSCALL msg=audit(1227117882.675:17773): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa89e00 a2=b808eff4 a3=bfa89e6a items=0 ppid=15647 pid=15651 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=90 sgid=90 fsgid=90 tty=(none) ses=2419 comm="postqueue" exe="/usr/sbin/postqueue" subj=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 key=(null)

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
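
An added example, not part of the original post and not code from Fedora or setroubleshoot: a small Python parser for the AVC record quoted under Raw Audit Messages. It extracts the source and target contexts and builds the type-enforcement rule that a local policy module for this denial would need; the function names are this example's own.

```python
import re

# AVC record copied from the "Raw Audit Messages" section of the post above.
AVC = ('host=replaced.example.com type=AVC msg=audit(1227117882.675:17773): '
       'avc: denied { connectto } for pid=15651 comm="postqueue" '
       'path="/var/spool/postfix/public/showq" '
       'scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tclass=unix_stream_socket')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':'."""
    user, role, typ, *rng = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': typ,
            'range': rng[0] if rng else None}

def parse_avc(line):
    """Parse one AVC audit record into result, permissions and contexts."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record')
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    for key in ('scontext', 'tcontext', 'tclass'):
        if key not in fields:
            raise ValueError(f'AVC record is missing {key}')
    return {'result': m.group('result'),
            'perms': m.group('perms').split(),
            'source': parse_context(fields['scontext']),
            'target': parse_context(fields['tcontext']),
            'tclass': fields['tclass'],
            'fields': fields}

def type_enforcement_rule(rec):
    """Build the TE allow rule that would permit the recorded access."""
    perms = rec['perms']
    perm_s = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return (f"allow {rec['source']['type']} "
            f"{rec['target']['type']}:{rec['tclass']} {perm_s};")

if __name__ == '__main__':
    rec = parse_avc(AVC)
    print('source domain:', rec['source']['type'])
    print('target domain:', rec['target']['type'], 'class:', rec['tclass'])
    print(type_enforcement_rule(rec))
```

The resulting rule is keyed on the target type, so it would let postqueue connect to a stream socket owned by any process running as unconfined_t, not only the showq socket. That makes the target context the field to check when reviewing a module generated from this denial.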