Bug 199294 - LSPP - cron jobs not executed in the exact SELinux security context of submitter
LSPP - cron jobs not executed in the exact SELinux security context of submitter
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Brock Organ
Depends On:
  Show dependency treegraph
Reported: 2006-07-18 14:20 EDT by IBM Bug Proxy
Modified: 2007-11-30 17:07 EST (History)
5 users (show)

See Also:
Fixed In Version: beta2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-12-22 18:54:23 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch implementing new multi-context crontab feature (11.48 KB, text/x-patch)
2006-07-20 22:46 EDT, Jason Vas Dias
no flags Details

  None (edit)
Description IBM Bug Proxy 2006-07-18 14:20:26 EDT
LTC Owner is: jdesai@linux.ibm.com
LTC Originator is: jdesai@us.ibm.com

Problem description:
In SELinux, if a user submits a cron job after changing a role or mls range, the
job is not executed with the changed role/mls range. This functionality is
required by LSPP certification.

If this is a customer issue, please indicate the impact to the customer:

If this is not an installation problem,
       Describe any custom patches installed.
       Provide output from "uname -a", if possible:n/a

Hardware Environment
    Machine type (p650, x235, SF2, etc.):machine independent
    Cpu type (Power4, Power5, IA-64, etc.):Cpu independent
    Describe any special hardware you think might be relevant to this problem:

Please provide contact information if the submitter is not the primary contact.

Please provide access information for the machine if it is available.

Is this reproducible? Yes
    If so, how long does it (did it) take to reproduce it? 2 Minutes
    Describe the steps:
    1. Login and change role or effective mls level
    2. Execute command "id -Z" and note down the output
    3. Submit a cron job to execute the command "id -Z"
    4. Note that the command reports different security context from the 
       one written down in step 2.

    If not, describe how the bug was encountered:

Is the system (not just the application) hung? No
    If so, describe how you determined this:

Did the system produce an OOPS message on the console? No
    If so, copy it here: 

Is the system sitting in a debugger right now? No
    If so, how long may it stay there?

Additional information:
Comment 1 Jason Vas Dias 2006-07-20 22:42:40 EDT
This issue is now fixed in rawhide/FC-6 with vixie-cron-4.1-58.fc6 .

Users can now specify the security context of each job in a crontab file, 
with the SELINUX_ROLE_TYPE environment variable, as documented in the new
man crontab(5) man-page - ie. in an /etc/cron.d crontab like:
* * * * * root logger `id -Z`
* * * * * root logger `id -Z`
will log different contexts to the system log.

Running crontab(1) with the new '-s' option will cause the 'SELINUX_ROLE_TYPE='
setting for the current context to be appended to the crontab; ie running 
 # crontab -se
as the root user with an empty crontab will bring up an editor containing only
the line:
Users are then free to edit the job context and use different contexts for 
different jobs.

When each job with a SELINUX_ROLE_TYPE setting is run, the transition to the 
new SELINUX_ROLE_TYPE context from the crontab file context must be allowed by 
  security_compute_av(se_role_context, crontab_file_context, ...)
otherwise the job will be rejected.

The new vixie-cron-4.1-58.fc6.src.rpm is at:
Please try out the new cron version and let me know of any issues - thanks.
Comment 2 Jason Vas Dias 2006-07-20 22:46:24 EDT
Created attachment 132778 [details]
Patch implementing new multi-context crontab feature

Hi Dan, Janak, Steve -
Please review this patch and let me know of any issues - thanks!
Comment 3 Daniel Walsh 2006-09-19 16:39:27 EDT
Cron seems to be running system cron jobs as user_cron_t which is broken on MLS.
 System cron jobs should be running under system_crond_t
Comment 4 Daniel Walsh 2006-09-27 16:01:23 EDT
Fixed in latest policy package.
Comment 5 IBM Bug Proxy 2006-09-29 17:35:49 EDT
----- Additional Comments From ameet@us.ibm.com (prefers email at ameet@austin.ibm.com)  2006-09-29 17:33 EDT -------
>Fixed in latest policy package.


Does this mean we should expect the fix to be in RHEL5 beta2? 
Comment 6 Daniel Walsh 2006-10-02 15:14:42 EDT
Comment 7 IBM Bug Proxy 2006-12-22 11:56:10 EST

           What    |Removed                     |Added
                 CC|                            |kweidner@us.ibm.com
             Status|ACCEPTED                    |CLOSED

------- Additional Comments From klausk@br.ibm.com  2006-12-22 11:50 EDT -------
(Added Klaus W. in cc)

Also see Bug #27232 (LTC bugzilla): Seems that now you can no longer define
complete contexts (as user_u:role_r:type_t:level-range), but only MLS levels.

Klaus W.: Is this sufficient for lspp requirements? 

Either way, I'll close this bug and open a new one if necessary. 
Comment 8 RHEL Product and Program Management 2006-12-22 18:54:23 EST
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.
Comment 9 IBM Bug Proxy 2006-12-23 15:01:50 EST
----- Additional Comments From salina@us.ibm.com  2006-12-23 14:56 EDT -------
problem closed at IBM.  Thanks 

Note You need to log in before you can comment on or make changes to this bug.