c1b9938e96
When SELinux user system_u starts crond during system booting up, its cron job process should be in the system_cronjob_t domain, which has the required entrypoint permission on system crontab files labeled as system_cron_spool_t. Otherwise we can run into below error messages: Jan 31 08:40:53 QtCao crond[535]: (system_u) Unauthorized SELinux context (/etc/crontab) Jan 31 08:40:53 QtCao crond[535]: (system_u) Unauthorized SELinux context (/etc/cron.d/sysstat) The weird thing is that the getdefaultcon command even can not fetch "system_r:cronjob_t:s0" but "system_r:logrotate_t:s0" ! After fixing default_contexts files the getdefaultcon command could properly fetch "system_r:system_cronjob_t:s0" : root@QtCao:/root> getdefaultcon system_u system_u:system_r:crond_t:s0 system_u:system_r:logrotate_t:s0 root@QtCao:/root> root@QtCao:/root> grep crond_t /etc/selinux/refpolicy-mls/contexts/default_contexts system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 root@QtCao:/root> root@QtCao:/root> getdefaultcon system_u system_u:system_r:crond_t:s0 system_u:system_r:system_cronjob_t:s0 root@QtCao:/root> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> |
||
|---|---|---|
| .. | ||
| appconfig-mcs | ||
| appconfig-mls | ||
| appconfig-standard | ||
| local.users | ||