Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-306.el5
selinux-policy-targeted-2.4.6-306.el5
selinux-policy-minimum-2.4.6-306.el5
selinux-policy-strict-2.4.6-306.el5
selinux-policy-mls-2.4.6-306.el5
selinux-policy-devel-2.4.6-306.el5

How reproducible:
always

Steps to Reproduce:
* get a RHEL-5.7 machine with active MLS policy
* boot into single-user mode and have SELinux in enforcing mode

sh-3.2# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls
sh-3.2# id -Z
system_u:system_r:sysadm_t:s0-s15:c0.c1023
sh-3.2# crontab -l
sh: /usr/bin/crontab: Permission denied
sh-3.2# echo $?
126
sh-3.2# dmesg | grep type=
type=2000 audit(1306759738.504:1): initialized
type=1403 audit(1306759764.383:2): policy loaded auid=4294967295 ses=4294967295
type=1401 audit(1306759836.943:3): security_compute_sid: invalid context system_u:system_r:sysadm_crontab_t:s0-s15:c0.c1023 for scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:crontab_exec_t:s0 tclass=process

Actual results:
"crontab -l" does not work

Expected results:
"crontab -l" works as expected

Milos, try to load a local policy module

# cat mycron.te
policy_module(mycron, 1.0)

require{
 type sysadm_crontab_t;
 role system_r;
}

role system_r types sysadm_crontab_t;

It works well when local policy module is loaded:

sh-3.2# crontab -l
no crontab for root
sh-3.2# echo $?
1
sh-3.2#
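
Added example, not part of the original report or of selinux-policy: a small parser for the type=1401 "invalid context" message quoted in the report, which extracts the role and type of the rejected context and renders a local module in the same form as mycron.te. The function names are hypothetical, and the code assumes the context was rejected because the role is not authorized for the type, as in this bug.

```python
import re

# Constructed sample input: the audit lines quoted in the report above.
SAMPLE_DMESG = (
    "type=1403 audit(1306759764.383:2): policy loaded auid=4294967295 ses=4294967295\n"
    "type=1401 audit(1306759836.943:3): security_compute_sid: invalid context "
    "system_u:system_r:sysadm_crontab_t:s0-s15:c0.c1023 for "
    "scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 "
    "tcontext=system_u:object_r:crontab_exec_t:s0 tclass=process\n"
)

INVALID_CTX = re.compile(
    r"type=1401 .*?security_compute_sid:\s+invalid context (?P<ctx>\S+) for\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def split_context(ctx):
    """Split user:role:type[:mls-range]; the MLS range may itself contain ':'."""
    user, role, setype, *mls = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype, "range": mls[0] if mls else ""}

def find_invalid_transitions(log_text):
    """Return one record per invalid computed context found in the log text."""
    records = []
    for m in INVALID_CTX.finditer(log_text):
        new, src = split_context(m["ctx"]), split_context(m["scontext"])
        records.append({
            "role": new["role"], "type": new["type"],
            "source_type": src["type"],
            "entrypoint": split_context(m["tcontext"])["type"],
            "tclass": m["tclass"],
        })
    return records

def local_module(name, records):
    """Render a module in the same form as mycron.te (assumes a role/type gap)."""
    pairs = sorted({(r["role"], r["type"]) for r in records})
    req = "".join(f"\ttype {t};\n" for t in sorted({t for _, t in pairs}))
    req += "".join(f"\trole {r};\n" for r in sorted({r for r, _ in pairs}))
    rules = "".join(f"role {r} types {t};\n" for r, t in pairs)
    return f"policy_module({name}, 1.0)\n\nrequire {{\n{req}}}\n\n{rules}"

if __name__ == "__main__":
    print(local_module("mycron", find_invalid_transitions(SAMPLE_DMESG)))
```

A computed context can also be invalid because of the user/role pairing or the MLS range, so review the generated rule against the policy before loading it.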
Fixed in selinux-policy-2.4.6-308.el5

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html