Description of problem:

The default policy under FC6/SELinux/strict (2.4.6-27) doesn't allow for the correct operation of anacron. This is mainly because anacron itself, unlike crond, doesn't internally setexeccon from crond_t to system_crond_t before launching its child jobs. Under targeted policy, crond_t and system_crond_t are aliases for each other, and therefore I presume the problem doesn't arise. Because of this, anacron's child jobs are launched in crond_t, which doesn't have the correct permissions to run most of the standard jobs in /etc/cron.daily, in particular logrotate and logwatch.

As a workaround, therefore, I've re-created the anacron_exec_t type and created an additional policy module for anacron's needs. This basically involves making initrc_t transition to system_crond_t when launching anacron, granting system_crond_t some permissions which crond_t already has, and allowing system_crond_t to run anacron_exec_t itself so as to update anacron's timestamp files in /var/spool/anacron.

I suspect that the better solution for the overall problem may be to recode anacron to perform the same setexeccon() call which crond uses; some additional problems I've found with crond's interaction with sendmail meant that I found it quicker to patch the SELinux policy for the present. Hence my revised anacron policy is now the following, together with the manual relabelling of /usr/sbin/anacron itself to anacron_exec_t.
I would suggest that these patches be merged into the existing cron.fc/cron.te.

cat /root/selinux.local/localanacron.fc

    # anacrond executable will have:
    #   label:           system_u:object_r:anacron_exec_t
    #   MLS sensitivity: s0
    #   MCS categories:  <none>
    # We can't easily override the /usr/sbin/anacron setting in Fedora policy,
    # so we create a clone binary and label it as anacron_exec_t
    /usr/sbin/anacrond              --      gen_context(system_u:object_r:anacron_exec_t,s0)

    # The latest 2.4.6-23 policy already contains this:
    #/var/lock/subsys/anacron       --      gen_context(system_u:object_r:cron_lock_t,s0)

    # The latest 2.4.6-23 policy already contains this:
    #/var/spool/anacron(/.*)?               gen_context(system_u:object_r:cron_spool_t,s0)

cat /root/selinux.local/localanacron.te

    policy_module(localanacron,0.1.2)

    require {
            type system_crond_t;
            type system_crond_lock_t;
            type cron_spool_t;
            type crond_var_run_t;
    }

    ########################################
    #
    # Anacron local policy
    #

    type anacron_exec_t;
    corecmd_executable_file(anacron_exec_t)

    # anacron transitions directly to system_crond_t,
    # rather than crond_t, because it doesn't currently
    # perform a setexeccon internally
    init_daemon_domain(system_crond_t,anacron_exec_t)

    # Additional permissions for system_crond_t / anacron under
    # strict, when system_crond_t != crond_t
    ifdef(`strict_policy',`
            # Allow anacron to update spool files in /var/spool/anacron
            allow system_crond_t cron_spool_t:file create_file_perms;

            # Allow anacron to write to /var/run/anacron.pid
            allow system_crond_t crond_var_run_t:file create_file_perms;
            files_pid_filetrans(system_crond_t,crond_var_run_t,file)

            # Allow anacron to handle creation of files in the
            # /var/lock directory (anacron)
            allow system_crond_t system_crond_lock_t:file manage_file_perms;
            files_lock_filetrans(system_crond_t,system_crond_lock_t,file)

            # Allow crond to run anacron so as to update /var/spool/anacron
            # timestamp files
            can_exec(system_crond_t, anacron_exec_t)
    ')
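The report's symptom is that anacron's child jobs end up in crond_t instead of system_crond_t, so a quick way to confirm the problem (or confirm the fix after loading the module) is to look at the domain each running cron job is in. The script below is an added example, not part of the bug report or of the Fedora policy; it parses the output of `ps -eZ`, flags any process whose command is one of the cron jobs named in the report (logrotate, logwatch, plus run-parts, which is assumed here as the job runner) but whose SELinux type is not system_crond_t. The `ps -eZ` output embedded in the script is constructed for illustration, not captured from a real system.

```python
"""Flag cron jobs that are running in the wrong SELinux domain.

Added example for the anacron/strict-policy report above (not the reporter's
code). Parses `ps -eZ` output and reports cron jobs whose process type is
not system_crond_t, which is exactly what happens when anacron forks jobs
without calling setexeccon().
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Commands the report says must run in system_crond_t. run-parts is an
# assumption: it is the usual runner for /etc/cron.daily scripts.
CRON_JOB_COMMANDS = {"logrotate", "logwatch", "run-parts"}
EXPECTED_JOB_DOMAIN = "system_crond_t"

# Constructed sample of `ps -eZ` output showing the reported misbehaviour:
# anacron's children are in crond_t, only logwatch (run by crond) is correct.
SAMPLE_PS_EZ = """\
LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:01 init
system_u:system_r:crond_t:s0       1847 ?        00:00:00 crond
system_u:system_r:crond_t:s0       2311 ?        00:00:00 anacron
system_u:system_r:crond_t:s0       2312 ?        00:00:00 run-parts
system_u:system_r:crond_t:s0       2315 ?        00:00:00 logrotate
system_u:system_r:system_crond_t:s0 2320 ?       00:00:00 logwatch
"""

# label pid tty time cmd; the header line has no numeric PID so it won't match.
PS_LINE = re.compile(r"^(?P<label>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+(?P<cmd>\S+)")


def parse_ps_ez(text: str) -> List[Dict[str, str]]:
    """Turn `ps -eZ` output into dicts with the label, its type field, pid and cmd."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        label = m.group("label")
        fields = label.split(":")            # user:role:type[:range]
        sel_type = fields[2] if len(fields) >= 3 else ""
        rows.append({"label": label, "type": sel_type,
                     "pid": m.group("pid"), "cmd": m.group("cmd")})
    return rows


def misdomained_jobs(text: str,
                     expected: str = EXPECTED_JOB_DOMAIN) -> List[Tuple[str, str, str]]:
    """Return (pid, cmd, type) for known cron jobs not running in `expected`."""
    return [(r["pid"], r["cmd"], r["type"])
            for r in parse_ps_ez(text)
            if r["cmd"] in CRON_JOB_COMMANDS and r["type"] != expected]


if __name__ == "__main__":
    # Use the live process list when available, else fall back to the sample.
    try:
        ps_out = subprocess.run(["ps", "-eZ"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        ps_out = SAMPLE_PS_EZ
    for pid, cmd, sel_type in misdomained_jobs(ps_out):
        print(f"pid {pid} ({cmd}) runs in {sel_type}, expected {EXPECTED_JOB_DOMAIN}")
```

Run it while /etc/cron.daily is being executed: on a system showing the bug the anacron-spawned jobs appear in crond_t; once anacron itself runs in system_crond_t (via the init_daemon_domain transition above) the list should be empty. Because the check keys on the process type rather than on AVC denials, it also catches jobs that happen not to trip a denial but are still in the wrong domain.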
Should be fixed in the current release.
Fixed in current release