Re: rawhide strict & crond: msg#00222
Subject: Re: rawhide strict & crond
Hi;
It looked that way:
[root@dragon bin]# ls -lZ /var/spool/cron/
-rw------- root root root:object_r:sysadm_cron_spool_t apache
I created the cron entry as root/sysadm_r with the -u flag for user
apache.
After I changed it to root:object_r:user_cron_spool_t it worked!
THX
hb
On Tuesday, 26.04.2005, at 07:35 -0400, Stephen Smalley wrote:
> On Tue, 2005-04-26 at 10:05 +0200, Holger Burde wrote:
> > I tried to run a cron job from the apache account but nothing happens
> > besides an entry in /var/log/cron :
> >
> > Apr 26 10:51:49 dragon crond[4284]: (CRON) STARTUP (V5.0)
> > Apr 26 10:51:49 dragon crond[4284]: (apache) ENTRYPOINT FAILED
> > (cron/apache)
> >
> > (wrong context? )
>
> Yes; crond applies an entrypoint permission check of its own between the
> security context for the cron job process and the security context on
> the crontab file to prevent tricking a more trusted cron job process
> (e.g. root's cron jobs) from running untrustworthy input. What does ls
> -Z /var/spool/cron/ show? In the absence of an explicit user identity
> for apache in the SELinux policy, I'd expect the apache crontab to be
> labeled <user>:object_r:user_cron_spool_t (the <user> doesn't matter;
> could be system_u or user_u or root).
>
> > audit2allow -i /var/log/messages -l
> > nothing ...
>
> Yes, it isn't a kernel denial; it is a check by crond.
>
--
Holger Burde <hburde@xxxxxxxxxxx>
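
A diagnostic for the situation in this thread, as an added example that is not part of the original messages: because the failure is crond's own check and leaves no kernel denial for audit2allow to report, this script pairs each `ENTRYPOINT FAILED` log entry with the SELinux type on that user's crontab. The sample log and listing are constructed from the lines quoted above; the user `alice` and the function names are hypothetical.

```shell
#!/bin/bash
# Added example, not from the thread: correlate crond "ENTRYPOINT FAILED"
# log entries with the SELinux label on each affected user's crontab.

# Constructed sample input, modelled on the lines quoted in the thread.
# "alice" is a made-up second user for contrast.
SAMPLE_LOG='Apr 26 10:51:49 dragon crond[4284]: (CRON) STARTUP (V5.0)
Apr 26 10:51:49 dragon crond[4284]: (apache) ENTRYPOINT FAILED (cron/apache)'
SAMPLE_LS='-rw-------  root root root:object_r:sysadm_cron_spool_t apache
-rw-------  root root root:object_r:user_cron_spool_t alice'

# failed_users LOGTEXT: print each user whose crontab crond rejected.
failed_users() {
    printf '%s\n' "$1" |
        sed -n 's/.*crond\[[0-9]*]: (\([^)]*\)) ENTRYPOINT FAILED.*/\1/p' |
        sort -u
}

# crontab_type LSTEXT USER: print the SELinux type of USER's crontab from
# `ls -lZ /var/spool/cron/` output. The context is located by its
# user:role:type shape rather than by column, so a trailing MLS level
# (user:role:type:s0) is tolerated.
crontab_type() {
    printf '%s\n' "$1" | awk -v u="$2" '
        $NF == u {
            for (i = 1; i < NF; i++)
                if ($i ~ /^[a-z_]+:[a-z_]+:[a-z_0-9]+/) {
                    split($i, c, ":"); print c[3]; exit
                }
        }'
}

# report LOGTEXT LSTEXT: one line per rejected user with the type found.
report() {
    for u in $(failed_users "$1"); do
        t=$(crontab_type "$2" "$u")
        echo "$u: crontab type ${t:-unknown}"
    done
}

# On a live system (paths as in the thread; needs root):
#   report "$(cat /var/log/cron)" "$(ls -lZ /var/spool/cron/)"
report "$SAMPLE_LOG" "$SAMPLE_LS"
```

Which type is correct for a given user depends on the loaded policy; the thread's expectation of `user_cron_spool_t` applies to an account with no explicit SELinux user identity.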