From: psystem@laposte.net (psystem)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Problem with crond ENTRYPOINT FAILED (/etc/crontab)
Date: Tue, 29 Dec 2009 16:17:15 +0100
Message-ID: <4B3A1D7B.7000907@laposte.net>
Hello
When I start crond under my Gentoo hardened, I have this error log under /var/log/cron.log:
Dec 29 10:11:01 xxxx cron[3926]: (system_u) ENTRYPOINT FAILED (/etc/crontab)
I have checked all my file contexts, which seem good:
ls -lZ /etc/crontab
-rw-r--r--. 1 root root system_u:object_r:system_cron_spool_t 611 Oct 9 15:05 /etc/crontab
ls -lZR /var/spool/cron/
/var/spool/cron/:
drwx-wx--T. 2 root crontab system_u:object_r:cron_spool_t 4096 Dec 29 10:10 crontabs
drwxr-x---. 2 root root system_u:object_r:crond_tmp_t 4096 Oct 9 13:53 lastrun
/var/spool/cron/crontabs:
-rw-------. 1 toto crontab staff_u:object_r:user_cron_spool_t 319 Dec 29 10:10 toto
/var/spool/cron/lastrun:
crond runs with the right context:
ps auxZ |grep cron
system_u:system_r:crond_t root 10492 0.0 0.0 2172 836 ? Ss 11:59 0:00 /usr/sbin/cron
I use the latest refpolicy from git repository.
Latest gentoo stable x86 with a 2.6.31-gentoo-r6 kernel.
Latest Gentoo stable SELinux packages.
I have straced the /etc/init.d/vixie-cron start and I saw this:
10395 stat64("/etc/crontab", {st_mode=S_IFREG|0600, st_size=611, ...}) = 0
10395 open("/etc/crontab", O_RDONLY|O_NONBLOCK) = 5
10395 fstat64(5, {st_mode=S_IFREG|0600, st_size=611, ...}) = 0
10395 gettid() = 10395
10395 open("/proc/self/task/10395/attr/current", O_RDONLY|O_LARGEFILE) = 6
10395 read(6, "system_u:system_r:crond_t\0"..., 4095) = 26
10395 close(6) = 0
10395 fgetxattr(5, "security.selinux", "system_u:object_r:system_cron_spool_t", 255) = 38
10395 gettid() = 10395
10395 open("/proc/self/task/10395/attr/current", O_RDONLY|O_LARGEFILE) = 6
10395 read(6, "system_u:system_r:crond_t\0"..., 4095) = 26
10395 close(6) = 0
10395 open("/selinux/user", O_RDWR|O_LARGEFILE) = 6
10395 write(6, "system_u:system_r:crond_t system_u"..., 34) = 34
10395 read(6,
"26\0system_u:system_r:logrotate_t\0system_u:system_r:initrc_t\0system_u:system_r:locate_t\0system_u:system_r:crack_t\0system_u:system_r:fsadm_t\0system_u:system_r:gpg_t\0system_u:system_r:postfix_postdrop_t\0system_u:system_r:urlwatch_t\0system_u:system_r:checkpc_t\0system_u:system_r:prelink_t\0system_u:system_r:system_cronjob_t\0system_u:system_r:tmpreaper_t\0system_u:system_r:backup_t\0system_u:system_r:chkpwd_t\0system_u:system_r:acct_t\0system_u:system_r:apmd_t\0system_u:system_r:crond_t\0system_u:system_r:cupsd_t\0system_u:system_r:ftpd_t\0system_u:system_r:httpd_t\0system_u:system_r:munin_t\0system_u:system_r:ntpd_t\0system_u:system_r:ulogd_t\0system_u:system_r:cupsd_config_t\0system_u:system_r:system_mail_t\0system_u:system_r:syslogd_t\0"...,
4095) = 727
10395 close(6) = 0
10395 open("/etc/selinux/tresys/contexts/users/system_u", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
10395 open("/etc/selinux/tresys/contexts/default_contexts", O_RDONLY|O_LARGEFILE) = 6
10395 fstat64(6, {st_mode=S_IFREG|0644, st_size=875, ...}) = 0
10395 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77e1000
10395 read(6, "system_r:crond_t\tuser_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_crond_t unconfined_r:unconfined_cronjob_t\nsystem_r:local_login_t\tuser_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t\nsystem_r:remote_login_t\tuser_r:user_t staff_r:staff_t unconfined_r:unconfined_t\nsystem_r:sshd_t\t\tuser_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t\nsystem_r:sulogin_t\tsysadm_r:sysadm_t\nsystem_r:xdm_t\t\tuser_r:user_t
staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t\n\nstaff_r:staff_su_t\tuser_r:user_t staff_r:staff_t sysadm_r:sysadm_t\nstaff_r:staff_sudo_t\tsysadm_r:sysadm_t staff_r:staff_t\n\nsysadm_r:sysadm_su_t\tuser_r:user_t staff_r:staff_t sysadm_r:sysadm_t\nsysadm_r:sysadm_sudo_t\tsysadm_r:sysadm_t\n\nuser_r:user_su_t\tuser_r:user_t staff_r:staff_t sysadm_r:sysadm_t\nuser_r:user_sudo_t\tsysadm_r:sysadm_t user_r:user_t\n"..., 4096) = 875
10395 close(6) = 0
10395 munmap(0xb77e1000, 4096) = 0
10395 open("/selinux/access", O_RDWR|O_LARGEFILE) = 6
10395 write(6, "system_u:system_r:logrotate_t system_u:object_r:system_cron_spool_t 6 40000"..., 75) = 75
10395 read(6, "0 ffffffff 0 ffffffff 27 0"..., 4095) = 26
10395 close(6) = 0
10395 time(NULL) = 1262084312
10395 send(4, "<78>Dec 29 11:58:32 cron[10395]: (system_u) ENTRYPOINT FAILED (/etc/crontab)\0"..., 77, MSG_NOSIGNAL) = 77
10395 close(5) = 0
Why does crond check whether it has the rights to use /etc/crontab with the context system_u:system_r:logrotate_t? (Because it is the first context available returned by get_default_context()?)
Cordially
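Added example, not code from the post, from libselinux or from vixie-cron: it replays the context ordering the strace above shows (the /selinux/user reply, then the default_contexts line for crond_t) and reports which of the preferred entries no reachable context satisfies. Assumptions: the reply is cut down to a few of the 26 contexts, and the ordering rule (contexts matched by default_contexts first, every other reachable context appended after) is my reading of libselinux's get_ordered_context_list(), not a quotation of it.

```python
# Constructed from the strace: /selinux/user answers with a count and then
# NUL-separated reachable contexts. Only a few of the 26 are reproduced here.
USER_REPLY = (
    b"26\0system_u:system_r:logrotate_t\0system_u:system_r:initrc_t\0"
    b"system_u:system_r:locate_t\0system_u:system_r:system_cronjob_t\0"
    b"system_u:system_r:crond_t\0system_u:system_r:syslogd_t\0"
)
# The crond_t line from the default_contexts read() in the trace (verbatim).
DEFAULT_CONTEXTS = (
    "system_r:crond_t\tuser_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t "
    "system_r:system_crond_t unconfined_r:unconfined_cronjob_t\n"
)

def parse_user_reply(raw):
    """Split a /selinux/user reply into its list of reachable contexts."""
    fields = raw.split(b"\0")
    count = int(fields[0])
    return [f.decode() for f in fields[1:] if f][:count]

def role_type(ctx):
    """'user:role:type[:level]' -> 'role:type', the key default_contexts uses."""
    return ":".join(ctx.split(":")[1:3])

def preferred_for(fromcon, defaults_text):
    """The role:type list default_contexts names for the caller's role:type."""
    for line in defaults_text.splitlines():
        parts = line.split()
        if parts and parts[0] == role_type(fromcon):
            return parts[1:]
    return []

def ordered_contexts(fromcon, reachable, defaults_text):
    """Assumption (my reading of libselinux): contexts matched by the defaults
    come first, in that order; every other reachable context is appended."""
    ordered = []
    for want in preferred_for(fromcon, defaults_text):
        ordered += [c for c in reachable if role_type(c) == want and c not in ordered]
    ordered += [c for c in reachable if c not in ordered]
    return ordered

def default_context(fromcon, raw_reply, defaults_text):
    """What get_default_context() would hand back: the head of the list."""
    return ordered_contexts(fromcon, parse_user_reply(raw_reply), defaults_text)[0]

def unmatched_defaults(fromcon, raw_reply, defaults_text):
    """Preferred entries that no reachable context satisfies. When every entry
    is unmatched, the appended tail (here logrotate_t first) decides."""
    reach = {role_type(c) for c in parse_user_reply(raw_reply)}
    return [p for p in preferred_for(fromcon, defaults_text) if p not in reach]
```

With the trace's own inputs, default_context() returns system_u:system_r:logrotate_t and unmatched_defaults() lists all five preferred entries, which is the situation the ENTRYPOINT FAILED line reflects.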