Description of problem:
When logged in as root on an MLS system, cannot create a cron job for another user.

Version-Release number of selected component (if applicable):
3.7.19-126.el6_2.10.noarch

How reproducible:
always

Steps to Reproduce:
1. log in as root
2. crontab -e -u

Actual results:
Security class "passwd" is not defined in the SELinux policy.
Access denied by SELinux, must be privileged to use -u

Expected results:
Editor opens

Additional info:
Works if I switch to that user then execute crontab -e
# rpm -qa selinux-policy\*
selinux-policy-doc-3.7.19-150.el6.noarch
selinux-policy-minimum-3.7.19-150.el6.noarch
selinux-policy-targeted-3.7.19-150.el6.noarch
selinux-policy-mls-3.7.19-150.el6.noarch
selinux-policy-3.7.19-150.el6.noarch
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: mls
# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
# useradd theone
# passwd theone
Changing password for user theone.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# crontab -e -u theone
Security class "passwd" is not defined in the SELinux policy.
Access denied by SELinux, must be privileged to use -u
# crontab -l -u theone
Security class "passwd" is not defined in the SELinux policy.
Access denied by SELinux, must be privileged to use -u
# crontab -r -u theone
Security class "passwd" is not defined in the SELinux policy.
Access denied by SELinux, must be privileged to use -u
#

I'm not sure if it's a bug or a feature.
The problem is we have

optional_policy(`
	cron_role(sysadm_r, sysadm_t)
')

ifndef(`distro_redhat',`
optional_policy(`
	cron_admin_role(sysadm_r, sysadm_t)
')

---

which causes this issue. We have in Fedora

optional_policy(`
	cron_admin_role(sysadm_r, sysadm_t)
')
Fixed in selinux-policy-3.7.19-151.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0780.html