From c1b9938e96d67d996c9baa91620f20df84c1adea Mon Sep 17 00:00:00 2001 From: Harry Ciao Date: Mon, 31 Jan 2011 17:10:24 +0800 Subject: [PATCH] Fix cron job process' domain during system booting up. When SELinux user system_u starts crond during system booting up, its cron job process should be in the system_cronjob_t domain, which has the required entrypoint permission on system crontab files labeled as system_cron_spool_t. Otherwise we can run into below error messages: Jan 31 08:40:53 QtCao crond[535]: (system_u) Unauthorized SELinux context (/etc/crontab) Jan 31 08:40:53 QtCao crond[535]: (system_u) Unauthorized SELinux context (/etc/cron.d/sysstat) The weird thing is that the getdefaultcon command even can not fetch "system_r:cronjob_t:s0" but "system_r:logrotate_t:s0" ! After fixing default_contexts files the getdefaultcon command could properly fetch "system_r:system_cronjob_t:s0" : root@QtCao:/root> getdefaultcon system_u system_u:system_r:crond_t:s0 system_u:system_r:logrotate_t:s0 root@QtCao:/root> root@QtCao:/root> grep crond_t /etc/selinux/refpolicy-mls/contexts/default_contexts system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 root@QtCao:/root> root@QtCao:/root> getdefaultcon system_u system_u:system_r:crond_t:s0 system_u:system_r:system_cronjob_t:s0 root@QtCao:/root> Signed-off-by: Harry Ciao --- config/appconfig-mcs/default_contexts | 2 +- config/appconfig-mls/default_contexts | 2 +- config/appconfig-standard/default_contexts | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
index 22aeb67d8..801d97b6f 100644
--- a/config/appconfig-mcs/default_contexts
+++ b/config/appconfig-mcs/default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
 system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
 system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts
index 22aeb67d8..801d97b6f 100644
--- a/config/appconfig-mls/default_contexts
+++ b/config/appconfig-mls/default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
 system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
 system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts
index 6141347d9..64a0a90c3 100644
--- a/config/appconfig-standard/default_contexts
+++ b/config/appconfig-standard/default_contexts
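Review bot: The new `system_r:system_cronjob_t:s0` entry on the `+` line is only correct because of where it sits in the list, and neither the hunk nor the commit message records that. As far as I understand libselinux's default_contexts lookup, the first candidate whose role the calling user is authorized for wins, so placing `system_r:system_cronjob_t:s0` after the `user_r`/`staff_r`/`sysadm_r` `cronjob_t` entries is what keeps a user authorized for both sysadm_r and system_r on the less privileged `cronjob_t`, while system_u (whose only role is system_r, going by the getdefaultcon output in the description) falls through to `system_cronjob_t`. Since the file format does not appear to offer a comment line to carry this, it belongs in the commit message, and the change is worth re-checking with getdefaultcon for a multi-role account such as root rather than for system_u alone. The same entry and ordering apply to the appconfig-mls hunk that follows on this line and to the appconfig-standard hunk below.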
@@ -1,4 +1,4 @@
-system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_crond_t unconfined_r:unconfined_cronjob_t
+system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
 system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
 system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
 system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
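Review bot: The removed line in appconfig-standard is not the same as in the mcs and mls variants: it named `system_r:system_crond_t`, not `system_r:cronjob_t`, so this hunk also replaces a type name that occurs nowhere else in the three files, and the commit message describes only the `cronjob_t` case. If `system_crond_t` is not a type the policy defines (I cannot confirm that from this diff), the old entry would have been skipped as invalid and the standard-variant behaviour before and after this patch differs for a different reason than on mcs/mls; a sentence in the commit message saying so would save the next person bisecting a change on a non-MCS/MLS system some confusion.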