Description of problem:
crontab -e run as root gives error message "access denied"

Version-Release number of selected component (if applicable):
# rpm -qa | grep selinux
libselinux-python-2.0.37-1.fc8
selinux-policy-3.0.8-32.fc8
libselinux-2.0.37-1.fc8
selinux-policy-targeted-3.0.8-32.fc8
libselinux-2.0.37-1.fc8

How reproducible:
100%

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Summary
    SELinux is preventing unix_update (unconfined_crontab_t) "read" to <Unknown> (shadow_t).

Detailed Description
    SELinux denied access requested by unix_update. It is not expected that this access is required by unix_update and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown> If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context          system_u:system_r:unconfined_crontab_t:s0
    Target Context          system_u:object_r:shadow_t:s0
    Target Objects          None [ file ]
    Affected RPM Packages
    Policy RPM              selinux-policy-3.0.8-32.fc8
    Selinux Enabled         True
    Policy Type             targeted
    MLS Enabled             True
    Enforcing Mode          Permissive
    Plugin Name             plugins.catchall_file
    Host Name               yardsale
    Platform                Linux yardsale 2.6.23.1-31.fc8 #1 SMP Tue Oct 23 14:54:38 EDT 2007 x86_64 x86_64
    Alert Count             2
    First Seen              Thu 25 Oct 2007 09:19:29 PM PDT
    Last Seen               Thu 25 Oct 2007 09:22:14 PM PDT
    Local ID                42505bd4-88c8-4d80-9e6e-f8470ab98f03
    Line Numbers

Raw Audit Messages
avc: denied { read } for comm=unix_update dev=sda1 name=shadow pid=5474 scontext=system_u:system_r:unconfined_crontab_t:s0 tclass=file tcontext=system_u:object_r:shadow_t:s0

~~~~~~~~~~~~~~~~~~~~~
Summary
    SELinux is preventing unix_update (unconfined_crontab_t) "getattr" to pipe (unconfined_crontab_t).

Detailed Description
    SELinux denied access requested by unix_update. It is not expected that this access is required by unix_update and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context          system_u:system_r:unconfined_crontab_t:s0
    Target Context          system_u:system_r:unconfined_crontab_t:s0
    Target Objects          pipe [ fifo_file ]
    Affected RPM Packages
    Policy RPM              selinux-policy-3.0.8-32.fc8
    Selinux Enabled         True
    Policy Type             targeted
    MLS Enabled             True
    Enforcing Mode          Permissive
    Plugin Name             plugins.catchall
    Host Name               yardsale
    Platform                Linux yardsale 2.6.23.1-31.fc8 #1 SMP Tue Oct 23 14:54:38 EDT 2007 x86_64 x86_64
    Alert Count             2
    First Seen              Thu 25 Oct 2007 09:19:29 PM PDT
    Last Seen               Thu 25 Oct 2007 09:22:14 PM PDT
    Local ID                0e71cdfa-9a60-4636-b438-30436c1a473e
    Line Numbers

Raw Audit Messages
avc: denied { getattr } for comm=unix_update dev=pipefs path=pipe:[58444] pid=5474 scontext=system_u:system_r:unconfined_crontab_t:s0 tclass=fifo_file tcontext=system_u:system_r:unconfined_crontab_t:s0

~~~~~~~~~~~~~~~~~~~~~~
Summary
    SELinux is preventing /sbin/unix_update (unconfined_crontab_t) "execute_no_trans" to /sbin/unix_update (updpwd_exec_t).

Detailed Description
    SELinux denied access requested by /sbin/unix_update. It is not expected that this access is required by /sbin/unix_update and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /sbin/unix_update, restorecon -v /sbin/unix_update If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context          system_u:system_r:unconfined_crontab_t:s0
    Target Context          system_u:object_r:updpwd_exec_t:s0
    Target Objects          /sbin/unix_update [ file ]
    Affected RPM Packages   pam-0.99.8.1-10.fc8 [application]pam-0.99.8.1-10.fc8 [target]
    Policy RPM              selinux-policy-3.0.8-32.fc8
    Selinux Enabled         True
    Policy Type             targeted
    MLS Enabled             True
    Enforcing Mode          Permissive
    Plugin Name             plugins.catchall_file
    Host Name               yardsale
    Platform                Linux yardsale 2.6.23.1-31.fc8 #1 SMP Tue Oct 23 14:54:38 EDT 2007 x86_64 x86_64
    Alert Count             1
    First Seen              Thu 25 Oct 2007 09:22:14 PM PDT
    Last Seen               Thu 25 Oct 2007 09:22:14 PM PDT
    Local ID                ba2cf533-6183-48d4-b042-288c791fded7
    Line Numbers

Raw Audit Messages
avc: denied { execute_no_trans } for comm=unix_update dev=sda1 egid=0 euid=0 exe=/sbin/unix_update exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=unix_update path=/sbin/unix_update pid=5474 scontext=system_u:system_r:unconfined_crontab_t:s0 sgid=0 subj=system_u:system_r:unconfined_crontab_t:s0 suid=0 tclass=file tcontext=system_u:object_r:updpwd_exec_t:s0 tty=pts0 uid=0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Summary
    SELinux is preventing /usr/bin/crontab (unconfined_crontab_t) "write" to <Unknown> (unconfined_crontab_t).

Detailed Description
    SELinux denied access requested by /usr/bin/crontab. It is not expected that this access is required by /usr/bin/crontab and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context          system_u:system_r:unconfined_crontab_t:s0
    Target Context          system_u:system_r:unconfined_crontab_t:s0
    Target Objects          None [ netlink_audit_socket ]
    Affected RPM Packages   vixie-cron-4.2-3.fc8 [application]
    Policy RPM              selinux-policy-3.0.8-32.fc8
    Selinux Enabled         True
    Policy Type             targeted
    MLS Enabled             True
    Enforcing Mode          Permissive
    Plugin Name             plugins.catchall
    Host Name               yardsale
    Platform                Linux yardsale 2.6.23.1-31.fc8 #1 SMP Tue Oct 23 14:54:38 EDT 2007 x86_64 x86_64
    Alert Count             1
    First Seen              Thu 25 Oct 2007 09:22:14 PM PDT
    Last Seen               Thu 25 Oct 2007 09:22:14 PM PDT
    Local ID                32958f61-bc0e-4fcf-8e3d-7cdb72fa44ff
    Line Numbers

Raw Audit Messages
avc: denied { write } for comm=crontab egid=0 euid=0 exe=/usr/bin/crontab exit=116 fsgid=0 fsuid=0 gid=0 items=0 pid=5473 scontext=system_u:system_r:unconfined_crontab_t:s0 sgid=0 subj=system_u:system_r:unconfined_crontab_t:s0 suid=0 tclass=netlink_audit_socket tcontext=system_u:system_r:unconfined_crontab_t:s0 tty=pts0 uid=0
Fixed in selinux-policy-3.0.8-36.fc8.src.rpm
I haven't been able to reproduce this with the new policy update. John, can you quickly confirm whether this update fixes the problem for you?
Please point me to a download location for the updated RPM.
Koji to the rescue http://koji.fedoraproject.org/koji/buildinfo?buildID=22493
Still broken; it doesn't get flagged or alerted by setroubleshoot either.

# strace crontab -e
execve("/usr/bin/crontab", ["crontab", "-e"], [/* 26 vars */]) = -1 EACCES (Permission denied)
dup(2) = 3
fcntl(3, F_GETFL) = 0x8002 (flags O_RDWR|O_LARGEFILE)
fstat(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaac8000
lseek(3, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
write(3, "strace: exec: Permission denied\n", 32strace: exec: Permission denied
) = 32
close(3) = 0
munmap(0x2aaaaaac8000, 4096) = 0
exit_group(1) = ?
Confirmed: 3.0.8-36 fails for me too.
Looking in my audit.log, I see the following:

type=SELINUX_ERR msg=audit(1193601682.942:777): security_compute_sid: invalid context system_u:system_r:unconfined_crontab_t:s0 for scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:crontab_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1193601682.942:777): arch=40000003 syscall=11 success=no exit=-13 a0=9dba058 a1=9dbaf08 a2=9dc19b0 a3=0 items=0 ppid=17973 pid=24090 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts8 comm="bash" exe="/bin/bash" subj=system_u:system_r:unconfined_t:s0 key=(null)
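As an added triage example (not code from this bug report or from selinux-policy), the Python script below parses the audit records quoted in this bug and separates ordinary AVC denials, which name a missing allow rule for the source domain, from the SELINUX_ERR record above, where the kernel computed a context for the crontab domain transition that the loaded policy does not accept, so execve fails with EACCES without any AVC denial being logged. The record strings are copied from this page; the helper names and the verdict wording are assumptions of this example.

```python
import re

# Audit records copied from this bug: the AVC lines from the setroubleshoot
# reports in the description and the SELINUX_ERR line from the audit.log comment.
RECORDS = [
    "avc: denied { read } for comm=unix_update dev=sda1 name=shadow pid=5474 "
    "scontext=system_u:system_r:unconfined_crontab_t:s0 tclass=file tcontext=system_u:object_r:shadow_t:s0",
    "avc: denied { execute_no_trans } for comm=unix_update dev=sda1 egid=0 euid=0 exe=/sbin/unix_update "
    "exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=unix_update path=/sbin/unix_update pid=5474 "
    "scontext=system_u:system_r:unconfined_crontab_t:s0 sgid=0 subj=system_u:system_r:unconfined_crontab_t:s0 "
    "suid=0 tclass=file tcontext=system_u:object_r:updpwd_exec_t:s0 tty=pts0 uid=0",
    "avc: denied { write } for comm=crontab egid=0 euid=0 exe=/usr/bin/crontab exit=116 fsgid=0 fsuid=0 "
    "gid=0 items=0 pid=5473 scontext=system_u:system_r:unconfined_crontab_t:s0 sgid=0 "
    "subj=system_u:system_r:unconfined_crontab_t:s0 suid=0 tclass=netlink_audit_socket "
    "tcontext=system_u:system_r:unconfined_crontab_t:s0 tty=pts0 uid=0",
    "type=SELINUX_ERR msg=audit(1193601682.942:777): security_compute_sid: invalid context "
    "system_u:system_r:unconfined_crontab_t:s0 for scontext=system_u:system_r:unconfined_t:s0 "
    "tcontext=system_u:object_r:crontab_exec_t:s0 tclass=process",
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')    # key=value pairs, quoted or bare
PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')  # the "{ read write }" permission set of an AVC
INVALID = re.compile(r'invalid context (\S+) for ')  # security_compute_sid failure

def type_of(ctx):
    # Type field of a user:role:type[:range] security context.
    return ctx.split(':')[2]

def parse_record(line):
    # Every record handled here carries scontext= and tcontext=, as all four above do.
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    kind = 'AVC' if 'avc:' in line else fields.get('type', 'UNKNOWN')
    rec = {'kind': kind, 'tclass': fields.get('tclass'),
           'source': type_of(fields['scontext']), 'target': type_of(fields['tcontext'])}
    if kind == 'AVC':
        rec['perms'] = PERMS.search(line).group(1).split()
    elif kind == 'SELINUX_ERR':
        m = INVALID.search(line)
        rec['invalid'] = type_of(m.group(1)) if m else None
    return rec

def summarize(line):
    # One-line triage verdict: a denial names the rule gap; an invalid computed
    # context means the transition itself cannot happen, with no denial to allow.
    r = parse_record(line)
    if r['kind'] == 'AVC':
        return f"{r['source']} -> {r['target']} ({r['tclass']}): {' '.join(r['perms'])}"
    if r['kind'] == 'SELINUX_ERR' and r.get('invalid'):
        return (f"transition {r['source']} exec {r['target']} computed {r['invalid']}, "
                "which the loaded policy rejects as an invalid context")
    return f"{r['kind']}: unhandled record"
```

Call summarize() on each entry of RECORDS, or on lines read from /var/log/audit/audit.log, to get the per-record verdict.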
Confirmed this with 3.0.8-38, confirmed fixed in 3.0.8-39.
And confirmed with -40 building now
Still broken with the same error message... running on x86_64.

# rpm -qa | grep selinux
selinux-policy-targeted-3.0.8-42.fc8
libselinux-2.0.37-1.fc8
libselinux-python-2.0.37-1.fc8
libselinux-2.0.37-1.fc8
selinux-policy-3.0.8-42.fc8

Do I need to relabel or change something to correctly test this?
WORKSFORME on a fresh install. Maybe you need to do a "fixfiles restore /var/spool/cron"?
Reporter can't test anymore and we can't reproduce the problem. Closing (again).