[gentoo-commits] proj/hardened-docs:master commit in: html/

["Sven Vermeulen" <sven.vermeulen@siphos.be>]

commit:     a547a0055cd566d3766c7285bb24c0b050dd4932
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May  1 20:24:07 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May  1 20:24:07 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=a547a005

Update previews

---
 html/selinux-faq.html |   50 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 49 insertions(+), 1 deletions(-)

diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index 9dc1bfb..42ccef9 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -68,6 +68,10 @@ as well.
   LD_PRELOAD cannot be preloaded: ignored'
 </a></li>
 <li><a href="#emergefails">Emerge does not work, giving 'Permission denied: /etc/make.conf'</a></li>
+<li><a href="#cronfails">
+  Cron fails to load in root's crontab with message '(root) ENTRYPOINT
+  FAILED (crontabs/root)'
+</a></li>
 </ul>
 <p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
             </span>General SELinux Support Questions</p>
@@ -337,11 +341,55 @@ This is also necessary if you logged on to your system as root but through SSH.
 The default behavior is that SSH sets the lowest role for the particular user
 when logged on. And you shouldn't allow remote root logins anyhow.
 </p>
+<p class="secthead"><a name="cronfails"></a><a name="doc_chap5_sect6">
+  Cron fails to load in root's crontab with message '(root) ENTRYPOINT
+  FAILED (crontabs/root)'
+</a></p>
+<p>
+When you hit the mentioned error with a root crontab or an administrative
+users' crontab, but not with a regular users' crontab, then check the context of
+the crontab file:
+</p>
+<a name="doc_chap5_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.7: Check context of the crontab file</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">ls -Z /var/spool/cron/crontabs/root</span>
+staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root
+</pre></td></tr>
+</table>
+<p>
+Next, check what the default context is for the given user (in this case, root)
+when originating from the <span class="code" dir="ltr">crond_t</span> domain:
+</p>
+<a name="doc_chap5_pre8"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.8: Check default context for user root</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">getseuser root system_u:system_r:crond_t</span>
+seuser:  root, level (null)
+Context 0       root:sysadm_r:cronjob_t
+Context 1       root:staff_r:cronjob_t
+</pre></td></tr>
+</table>
+<p>
+As you can see, the default context is always for the <span class="code" dir="ltr">root</span> SELinux user.
+However, the <span class="path" dir="ltr">/var/spool/cron/crontabs/root</span> file context in the
+above example is for the SELinux user staff_u. Hence, cron will not be able to
+read this file (the <span class="code" dir="ltr">user_cron_spool_t</span> type is a UBAC constrained one).
+</p>
+<p>
+To fix this, change the user of the file to root:
+</p>
+<a name="doc_chap5_pre9"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.9: Change the SELinux user of the root crontab file</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">chcon -u root /var/spool/cron/crontabs/root</span>
+</pre></td></tr>
+</table>
 <br><br>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated April 30, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 1, 2011</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
 Frequently Asked Questions on SELinux integration with Gentoo Hardened.
 The FAQ is a collection of solutions found on IRC, mailinglist, forums or