Bug 821004
Summary: | Cannot create crontabs for users under MLS | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Josh <jokajak> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | high | ||
Version: | 6.2 | CC: | dwalsh, mmalik |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.7.19-151.el6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-06-20 12:34:30 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Josh
2012-05-11 14:32:33 UTC
# rpm -qa selinux-policy\* selinux-policy-doc-3.7.19-150.el6.noarch selinux-policy-minimum-3.7.19-150.el6.noarch selinux-policy-targeted-3.7.19-150.el6.noarch selinux-policy-mls-3.7.19-150.el6.noarch selinux-policy-3.7.19-150.el6.noarch # sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: mls # id -Z root:sysadm_r:sysadm_t:s0-s15:c0.c1023 # useradd theone # passwd theone Changing password for user theone. New password: Retype new password: passwd: all authentication tokens updated successfully. # crontab -e -u theone Security class "passwd" is not defined in the SELinux policy. Access denied by SELinux, must be privileged to use -u # crontab -l -u theone Security class "passwd" is not defined in the SELinux policy. Access denied by SELinux, must be privileged to use -u # crontab -r -u theone Security class "passwd" is not defined in the SELinux policy. Access denied by SELinux, must be privileged to use -u # I'm not sure if it's bug or feature. The problem is we have optional_policy(` cron_role(sysadm_r, sysadm_t) ') ifndef(`distro_redhat',` optional_policy(` cron_admin_role(sysadm_r, sysadm_t) ') --- which causes this issue. We have in Fedora optional_policy(` cron_admin_role(sysadm_r, sysadm_t) ') Fixed in selinux-policy-3.7.19-151.el6 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0780.html |