On 01/18/2011 05:46 PM, Luciano Furtado wrote:
> Hi group,
>
> Why is the context of the crontab spool directory set to <<none>>
> in /etc/selinux/default/contexts/files/file_contexts?

I suspect that may be related to some historical issues. Maybe we used to prefix the cron spool files with a role prefix, and since all users' crontabs would go in the same directory there would be no way to tell the system what the file context should be reset to.

I think currently these files should all be labelled user_cron_spool_t.

> /var/spool/cron/crontabs/.* -- <<none>>
>
> I am getting the following avc messages:

Not sure how these files got the file_t type. Can you reproduce that?

> [ 17.600000] type=1400 audit(1295191072.769:6): avc: denied { read }
> for pid=1847 comm="cron" name="root" dev=xvda ino=106585
> scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:file_t:s0 tclass=file
> [ 17.600000] type=1400 audit(1295191072.769:7): avc: denied {
> getattr } for pid=1847 comm="cron" path="/var/spool/cron/crontabs/root"
> dev=xvda ino=106585 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:file_t:s0 tclass=file
>
> Is cron_spool_t the right context for this file?
>
> Best Regards.
> Luciano

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
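An added example, not part of the original message or of any SELinux tool: a small Python parser for the two AVC denials quoted above that groups denials whose target type is file_t by device and inode, so the affected file and the permissions cron was refused appear in one record. The function names are hypothetical, and the sample lines are the thread's denials rejoined onto single lines.

```python
import re

# The two denials quoted in the thread, rejoined onto single lines.
SAMPLE = [
    '[ 17.600000] type=1400 audit(1295191072.769:6): avc: denied { read } '
    'for pid=1847 comm="cron" name="root" dev=xvda ino=106585 '
    'scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:file_t:s0 tclass=file',
    '[ 17.600000] type=1400 audit(1295191072.769:7): avc: denied { getattr } '
    'for pid=1847 comm="cron" path="/var/spool/cron/crontabs/root" '
    'dev=xvda ino=106585 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:file_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields

def context_type(context):
    """Type field of user:role:type[:range]; the range may contain colons."""
    parts = context.split(':', 3)
    return parts[2] if len(parts) >= 3 else None

def unlabeled_denials(lines, target_type='file_t'):
    """Group denials against target_type objects by (dev, ino)."""
    found = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or context_type(rec.get('tcontext', '')) != target_type:
            continue
        entry = found.setdefault((rec.get('dev'), rec.get('ino')), {
            'path': None, 'perms': set(),
            'source': context_type(rec.get('scontext', ''))})
        entry['perms'].update(rec['perms'])
        # Some records carry a full path=, others only name=; keep the best one.
        entry['path'] = rec.get('path') or entry['path'] or rec.get('name')
    return found

if __name__ == '__main__':
    for (dev, ino), e in unlabeled_denials(SAMPLE).items():
        print(dev, ino, e['path'], e['source'], sorted(e['perms']))
```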