On Fri, 2009-02-20 at 11:15 +0000, Frank Murphy wrote:
> Gnome-Schedule opens, but cannot update any tasks.
> ~/audit/.log
> doesn't show any specific denials.
> Happens as pure root, (sudo, su) user
>
> sudo gnome-schedule
> Access denied by SELinux, must be privileged to use -u

It wants this:

time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.394:41): arch=c000003e syscall=137 success=yes exit=0 a0=860060 a1=7fffe9f391f0 a2=1000 a3=7fffe9f38f90 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1235133152.394:41): avc: denied { getattr } for pid=3741 comm="crontab" name="/" dev=selinuxfs ino=1 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.394:42): arch=c000003e syscall=4 success=no exit=1427685336 a0=7fffe9f381c0 a1=7fffe9f38130 a2=7fffe9f38130 a3=7fffe9f37ee0 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1235133152.394:42): avc: denied { getattr } for pid=3741 comm="crontab" path="/selinux/class" dev=selinuxfs ino=26 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1235133152.394:42): avc: denied { search } for pid=3741 comm="crontab" name="/" dev=selinuxfs ino=1 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.395:43): arch=c000003e syscall=2 success=no exit=1427685336 a0=7fffe9f38190 a1=0 a2=7fffe9f3819c a3=7fffe9f37f40 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1235133152.395:43): avc: denied { open } for pid=3741 comm="crontab" name="mls" dev=selinuxfs ino=12 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1235133152.395:43): avc: denied { read } for pid=3741 comm="crontab" name="mls" dev=selinuxfs ino=12 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.397:44): arch=c000003e syscall=2 success=yes exit=3 a0=7fffe9f381c0 a1=90800 a2=7fffe9f381db a3=7fffe9f37e90 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1235133152.397:44): avc: denied { open } for pid=3741 comm="crontab" name="perms" dev=selinuxfs ino=67111432 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1235133152.397:44): avc: denied { read } for pid=3741 comm="crontab" name="perms" dev=selinuxfs ino=67111432 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.398:45): arch=c000003e syscall=4 success=yes exit=0 a0=7fffe9f381c0 a1=7fffe9f38120 a2=7fffe9f38120 a3=fffffff9 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1235133152.398:45): avc: denied { getattr } for pid=3741 comm="crontab" path="/selinux/class/passwd/perms/crontab" dev=selinuxfs ino=67109859 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.398:46): arch=c000003e syscall=2 success=yes exit=3 a0=7fffe9f38200 a1=2 a2=7fffe9f3820f a3=8101010101010100 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1235133152.398:46): avc: denied { write } for pid=3741 comm="crontab" name="access" dev=selinuxfs ino=6 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.398:47): arch=c000003e syscall=1 success=no exit=1427685336 a0=3 a1=1070300 a2=65 a3=7fffe9f37f70 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1235133152.398:47): avc: denied { compute_av } for pid=3741 comm="crontab" scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security

This module will allow it:

policy_module(myschedule, 0.0.1)

require {
	type crontab_t, security_t;
}

allow crontab_t security_t:security compute_av;
selinux_set_generic_booleans(crontab_t)

> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
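
Added example, not part of the original message: a small parser that groups AVC denials like the ones quoted above by source type, target type and class, and prints the raw allow rule each group corresponds to, so a proposed module can be checked against what was actually denied. The function names are hypothetical, and the sample records are constructed by condensing the denials in the message.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+).*?tcontext=(?P<t>\S+).*?tclass=(?P<cls>\S+)"
)

# Constructed sample: records condensed from the denials quoted in the message.
CTX = ("scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 "
       "tcontext=system_u:object_r:security_t:s0")
SAMPLE = f"""\
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.394:41): syscall=137 success=yes comm="crontab"
type=AVC msg=audit(1235133152.394:41): avc: denied {{ getattr }} for pid=3741 comm="crontab" name="/" dev=selinuxfs ino=1 {CTX} tclass=filesystem
----
type=AVC msg=audit(1235133152.394:42): avc: denied {{ search }} for pid=3741 comm="crontab" name="/" dev=selinuxfs ino=1 {CTX} tclass=dir
type=AVC msg=audit(1235133152.395:43): avc: denied {{ open }} for pid=3741 comm="crontab" name="mls" dev=selinuxfs ino=12 {CTX} tclass=file
type=AVC msg=audit(1235133152.395:43): avc: denied {{ read }} for pid=3741 comm="crontab" name="mls" dev=selinuxfs ino=12 {CTX} tclass=file
type=AVC msg=audit(1235133152.398:47): avc: denied {{ compute_av }} for pid=3741 comm="crontab" {CTX} tclass=security
"""

def context_type(ctx):
    # A context is user:role:type[:mls-range]; the type is the third field,
    # even when the MLS range itself contains colons (s0-s0:c0.c1023).
    return ctx.split(":")[2]

def denials_to_rules(log_text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, timestamps and '----' separators
        key = (context_type(m["s"]), context_type(m["t"]), m["cls"])
        grouped[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE)))
```

The last rule it prints is the same allow line that appears in the posted module.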