SELinux is preventing /usr/sbin/crond (deleted) from using the 'chown' capabilities.

I have no idea why I should want to have polyinstantiated directory support. Couldn't the blurb contain some advice why I should want it?

***** Plugin catchall_boolean (89.3 confidence) suggests *******************

If you want to enable polyinstantiated directory support.
Then you must tell SELinux about this by enabling the 'allow_polyinstantiation' boolean.
Do
setsebool -P allow_polyinstantiation 1

***** Plugin catchall (11.6 confidence) suggests ***************************

If you believe that crond (deleted) should have the chown capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep crond /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context: system_u:system_r:crond_t:s0-s0:c0.c1023
Target Context: system_u:system_r:crond_t:s0-s0:c0.c1023
Target Objects: Unknown [ capability ]
Source: crond
Source Path: /usr/sbin/crond (deleted)
Port: <Neznámé>
Host: (removed)
Source RPM Packages: cronie-1.4.7-3.fc15
Target RPM Packages:
Policy RPM: selinux-policy-3.9.16-24.fc15
Selinux Enabled: True
Policy Type: targeted
Enforcing Mode: Enforcing
Host Name: (removed)
Platform: Linux (removed) 2.6.38.6-27.fc15.x86_64 #1 SMP Sun May 15 17:23:28 UTC 2011 x86_64 x86_64
Alert Count: 1690
First Seen: Po 16. květen 2011, 16:16:02 CEST
Last Seen: So 21. květen 2011, 09:30:02 CEST
Local ID: 64d05ddb-c230-42f9-80b8-8a7864798524

Raw Audit Messages
type=AVC msg=audit(1305963002.126:1236): avc: denied { chown } for pid=28571 comm="crond" capability=0 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability

type=SYSCALL msg=audit(1305963002.126:1236): arch=x86_64 syscall=chown success=no exit=EPERM a0=2274a00 a1=1f4 a2=1f4 a3=74616d2f72657375 items=0 ppid=990 pid=28571 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=119 comm=crond exe=/usr/sbin/crond subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)

Hash: crond,crond_t,crond_t,capability,chown

audit2allow

#============= crond_t ==============
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
allow crond_t self:capability chown;

audit2allow -R

#============= crond_t ==============
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
allow crond_t self:capability chown;

I can reproduce this:

#============= crond_t ==============
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
allow crond_t self:capability chown;

#============= crontab_t ==============
#!!!! The source type 'crontab_t' can write to a 'dir' of the following types:
# crontab_tmp_t, user_tmp_t
allow crontab_t cgroup_t:dir { write rmdir setattr read remove_name create add_name };
#!!!! The source type 'crontab_t' can write to a 'file' of the following types:
# pcscd_var_run_t, crontab_tmp_t, user_cron_spool_t, user_tmp_t
allow crontab_t cgroup_t:file { write read getattr open setattr };
allow crontab_t init_t:dir search;
allow crontab_t init_t:file { read getattr open };
allow crontab_t self:process getcap;
#!!!! The source type 'crontab_t' can write to a 'file' of the following types:
# faillog_t, pcscd_var_run_t, crontab_tmp_t, user_cron_spool_t, user_tmp_t
allow crontab_t var_auth_t:file { read write open lock };

#============= staff_t ==============
allow staff_t user_cron_spool_t:file { write read ioctl };

Created attachment 500210
Make cron work patch

Enclosed suggested fix (patch)

I also see this issue. Dominick, could you push the patch?
http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=5a830b735c2cf935d310781303a051caa2f2809e