On 04/14/2009 04:11 PM, Antonio Olivares wrote:
Dear fellow Selinux experts,
I have encountered this before, apparently it has not gone away. Running Fedora 11 Beta. I have a small crontab file that will shutdown the machine at 4:15 pm :
[students@antonio-fedora-x86-64 ~]$ crontab -l
# min hour day-of-month month day-of-week command
15 16 * * 1-5 /usr/bin/poweroff>/dev/null 2>&1
Seatroubleshooter comes up and gives me the following:
In the other machine running rawhide I can't even access crontab -l, it tells me that I cannot do anything I have no authorizations :(
Summary:
SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by crontab. It is not expected that this access
is required by crontab and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0
.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source crontab
Source Path /usr/bin/crontab
Port<Unknown>
Host antonio-fedora-x86-64
Source RPM Packages cronie-1.2-7.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.12-3.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name antonio-fedora-x86-64
Platform Linux antonio-fedora-x86-64
2.6.29.1-68.fc11.x86_64 #1 SMP Sat Apr 11 02:20:46
EDT 2009 x86_64 x86_64
Alert Count 53
First Seen Tue 14 Apr 2009 03:58:24 PM CDT
Last Seen Tue 14 Apr 2009 04:06:56 PM CDT
Local ID 5b712474-909f-4775-a5d6-bf5a78404916
Line Numbers
Raw Audit Messages
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12989]" dev=sockfs ino=12989 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=SYSCALL msg=audit(1239743216.390:74): arch=c000003e syscall=59 success=yes exit=0 a0=acb200 a1=ac0d10 a2=adeda0 a3=7fff2149c340 items=0 ppid=19528 pid=19560 auid=501 uid=501 gid=501 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
Thank you in Advance,
Antonio
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I tried everything you described and it worked fine. THe
unconfined_t:unix_stream_socket is coming from the leaked file
descriptor in Konsole, I believe.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list