Re: selinux does not like crontab :(, default_t, kde

Daniel J Walsh wrote:
On 03/26/2009 11:43 AM, Robert Nichols wrote:
I can confirm the same behavior when trying to run "crontab -l" or
"crontab -e" both as non-root and root user.

Authentication service cannot retrieve authentication info
You (rnichols) are not allowed to access to (crontab) because of pam configuration.

OR

Authentication service cannot retrieve authentication info
You (root) are not allowed to access to (crontab) because of pam configuration.

The problem goes away when running in permissive mode. Regardless of
permissive vs. enforcing mode, no AVCs are logged. No changes have been
made to the rawhide SELinux or PAM configurations. I do see this message
logged in /var/log/secure for each unsuccessful attempt:

crontab: pam_unix(crond:account): helper binary execve failed: Permission denied

selinux-policy-3.6.8-3.fc11.noarch
selinux-policy-targeted-3.6.8-3.fc11.noarch
authconfig-5.4.7-2.fc11.i586

Do you see an SELINUX_ERR in /var/log/audit/audit.log?

What does id -Z show?

Could you try

# semodule -DB

Then look for avcs about cron.

I see this SELINUX_ERR in audit.log for each attempt:

type=SELINUX_ERR msg=audit(1238166172.444:23): security_compute_sid: invalid context unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process

After "semodule -DB", I still don't see any AVCs from cron.  With or
without the dontaudits removed, running "grep cron audit.log" shows
these 3 lines for each attempt:

type=SELINUX_ERR msg=audit(1238167945.826:1307): security_compute_sid: invalid context unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process

type=SYSCALL msg=audit(1238167945.826:1307): arch=40000003 syscall=11 success=no exit=-13 a0=119d98 a1=bffd1030 a2=11c8e8 a3=119db4 items=0 ppid=3890 pid=3891 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)

type=USER_ACCT msg=audit(1238167945.829:1308): user pid=3890 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="rnichols" exe="/usr/bin/crontab" (hostname=?, addr=?, terminal=cron res=failed)'

(Now running "semodule -B" to restore peace to my system!)

--
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
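
An added example, not part of the original messages: a Python script that groups audit records by event ID and reports each `security_compute_sid: invalid context` error together with the syscall that triggered it, which is how a denial like this one shows up when no AVC is logged. The function names are hypothetical, and the sample input is the three records quoted in the thread.

```python
import re
from collections import defaultdict

# Sample input: the three audit records quoted in the thread above.
SAMPLE = r"""
type=SELINUX_ERR msg=audit(1238167945.826:1307): security_compute_sid: invalid context unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1238167945.826:1307): arch=40000003 syscall=11 success=no exit=-13 a0=119d98 a1=bffd1030 a2=11c8e8 a3=119db4 items=0 ppid=3890 pid=3891 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1238167945.829:1308): user pid=3890 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="rnichols" exe="/usr/bin/crontab" (hostname=?, addr=?, terminal=cron res=failed)'
"""

EVENT_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)")
INVALID_RE = re.compile(
    r"security_compute_sid:\s+invalid context (\S+) "
    r"for scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def group_events(text):
    """Group records by audit event ID (timestamp:serial)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            rtype, event_id, body = m.groups()
            events[event_id][rtype] = body
    return events

def failed_transitions(text):
    """Report invalid-context errors with the syscall from the same event."""
    findings = []
    for event_id, recs in group_events(text).items():
        m = INVALID_RE.search(recs.get("SELINUX_ERR", ""))
        if not m:
            continue
        rejected, scontext, tcontext, tclass = m.groups()
        sc = {k: v.strip('"') for k, v in FIELD_RE.findall(recs.get("SYSCALL", ""))}
        findings.append({
            "event": event_id,
            "rejected_role": rejected.split(":")[1],
            "rejected_type": rejected.split(":")[2],
            "source_type": scontext.split(":")[2],
            "target_type": tcontext.split(":")[2],
            "tclass": tclass,
            "comm": sc.get("comm"),
            "syscall": sc.get("syscall"),
            # exit=-13 is -EACCES, the "Permission denied" seen in /var/log/secure
            "exit": int(sc["exit"]) if "exit" in sc else None,
        })
    return findings

if __name__ == "__main__":
    for f in failed_transitions(SAMPLE):
        print(f)
```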