From: Tanel Kokk <tanel.kokk@eyp.ee>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: selinux@tycho.nsa.gov
Subject: Re: Problem: myscript, crontab and policy rules for this
Date: Wed, 28 Jul 2004 16:39:09 +0300
Message-ID: <4107AC7D.50906@eyp.ee>
In-Reply-To: <1091020020.6886.26.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:

> First, the transition is wrong, so you don't want to allow it.  It
> should be transitioning to system_r:system_crond_t for system cron
> jobs.  Try restarting crond via run_init, i.e. run_init
> /etc/init.d/crond restart.  That should place it into the proper
> starting security context (system_u:system_r:crond_t); yours was running
> in root:system_r:crond_t, presumably due to a manual restart without
> using run_init.  In FC3 devel, we have also amended the
> policy/constraints to allow proper transitioning from
> root:system_r:crond_t, so that manual restarts will work without
> run_init.

Thanks a lot! Everything is OK now after restarting crond with run_init.

> Second, a denial may occur due to a component of the policy other than
> the TE rules, as noted in the selinux-doc README and the Configuring the
> SELinux Policy report, due to the RBAC configuration or a constraint. 
> This is particularly true when changing the SELinux user identity or
> role in some manner.  audit2allow just generates TE allow rules from the
> audit message; it doesn't try to infer other causes.
>   
Understood.

Tanel
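
The context check implied by the exchange above, as an added example that is not part of the original messages: it flags a crond whose user:role:type differs from system_u:system_r:crond_t, the state a manual restart without run_init leaves behind. The function name, the sample PIDs and the assumed `ps -eZ` column layout (LABEL PID TTY TIME CMD) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ps -eZ`-style lines
# (LABEL PID TTY TIME CMD) on stdin and checks every process named $1
# against the expected user:role:type given in $2.
# Returns 0 if all match, 1 on any mismatch, 2 if the process is absent.
check_daemon_context() {
    awk -v daemon="$1" -v expected="$2" '
        $NF == daemon {
            seen = 1
            # Compare user:role:type only; an MLS level, if present, is ignored.
            n = split($1, f, ":")
            if (n < 3) {
                printf "pid %s: unparsable label %s\n", $2, $1
                bad = 1
                next
            }
            ctx = f[1] ":" f[2] ":" f[3]
            if (ctx == expected) {
                printf "pid %s: OK %s\n", $2, ctx
                next
            }
            bad = 1
            printf "pid %s: MISMATCH %s (expected %s)\n", $2, ctx, expected
            split(expected, e, ":")
            # Same role and type but a different user identity is the state
            # described in the thread: a manual restart without run_init.
            if (f[1] != e[1] && f[2] == e[2] && f[3] == e[3])
                printf "  hint: only the user identity differs; restart via run_init\n"
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample: crond after a manual restart, as in the thread.
sample_before='root:system_r:crond_t 2143 ? 00:00:00 crond
system_u:system_r:syslogd_t 1501 ? 00:00:00 syslogd'
# Constructed sample: crond after restarting it through run_init.
sample_after='system_u:system_r:crond_t 2310 ? 00:00:00 crond'

for sample in "$sample_before" "$sample_after"; do
    printf '%s\n' "$sample" |
        check_daemon_context crond system_u:system_r:crond_t || true
done
# On a live system:
#   ps -eZ | check_daemon_context crond system_u:system_r:crond_t
```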
