Bug 709045 - single-user mode, enforcing MLS: sh: /usr/bin/crontab: Permission denied
single-user mode, enforcing MLS: sh: /usr/bin/crontab: Permission denied
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.7
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-05-30 09:16 EDT by Milos Malik
Modified: 2012-10-15 11:18 EDT (History)
1 user (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-308.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-21 05:20:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Milos Malik 2011-05-30 09:16:55 EDT
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-306.el5
selinux-policy-targeted-2.4.6-306.el5
selinux-policy-minimum-2.4.6-306.el5
selinux-policy-strict-2.4.6-306.el5
selinux-policy-mls-2.4.6-306.el5
selinux-policy-devel-2.4.6-306.el5

How reproducible:
always

Steps to Reproduce:
 * get a RHEL-5.7 machine with active MLS policy
 * boot into single-user mode and have SELinux in enforcing mode
sh-3.2# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls
sh-3.2# id -Z
system_u:system_r:sysadm_t:s0-s15:c0.c1023
sh-3.2# crontab -l
sh: /usr/bin/crontab: Permission denied
sh-3.2# echo $?
126
sh-3.2# dmesg | grep type=
type=2000 audit(1306759738.504:1): initialized
type=1403 audit(1306759764.383:2): policy loaded auid=4294967295 ses=4294967295
type=1401 audit(1306759836.943:3): security_compute_sid:  invalid context system_u:system_r:sysadm_crontab_t:s0-s15:c0.c1023 for scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:crontab_exec_t:s0 tclass=process

Actual results:
"crontab -l" does not work

Expected results:
"crontab -l" works as expected
Comment 1 Miroslav Grepl 2011-05-30 09:35:43 EDT
Milos,
try to load a local policy module 

# cat mycron.te

policy_module(mycron, 1.0)

require{
 type sysadm_crontab_t;
 role system_r;
}

role system_r types sysadm_crontab_t;
Comment 2 Milos Malik 2011-05-30 09:46:58 EDT
It works well when local policy module is loaded:

sh-3.2# crontab -l
no crontab for root
sh-3.2# echo $?
1
sh-3.2#
Comment 3 Miroslav Grepl 2011-06-01 08:57:31 EDT
Fixed in selinux-policy-2.4.6-308.el5
Comment 6 errata-xmlrpc 2011-07-21 05:20:40 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 7 errata-xmlrpc 2011-07-21 07:57:10 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Note You need to log in before you can comment on or make changes to this bug.