From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <sven.vermeulen@siphos.be>
Message-ID: <ae56f62162c95b724fb5f2f749b94255dee913bb.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/
X-VCS-Repository: proj/hardened-docs
X-VCS-Files: xml/selinux-faq.xml
X-VCS-Directories: xml/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: ae56f62162c95b724fb5f2f749b94255dee913bb
Date: Sun,  1 May 2011 20:21:34 +0000 (UTC)
Content-Transfer-Encoding: quoted-printable

commit:     ae56f62162c95b724fb5f2f749b94255dee913bb
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May  1 20:21:26 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May  1 20:21:26 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ae56f621

Add cron failure information

---
 xml/selinux-faq.xml |   51 +++++++++++++++++++++++++++++++++++++++++++++=
++++--
 1 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index d042d2c..3922c94 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mail=
inglist, forums or
 elsewhere
 </abstract>
=20
-<version>5</version>
-<date>2011-04-30</date>
+<version>6</version>
+<date>2011-05-01</date>
=20
 <faqindex>
 <title>Questions</title>
@@ -415,5 +415,52 @@ when logged on. And you shouldn't allow remote root =
logins anyhow.
=20
 </body>
 </section>
+<section id=3D"cronfails">
+<title>
+  Cron fails to load in root's crontab with message '(root) ENTRYPOINT
+  FAILED (crontabs/root)'
+</title>
+<body>
+
+<p>
+When you hit the mentioned error with a root crontab or an administrativ=
e
+users' crontab, but not with a regular users' crontab, then check the co=
ntext of
+the crontab file:
+</p>
+
+<pre caption=3D"Check context of the crontab file">
+~# <i>ls -Z /var/spool/cron/crontabs/root</i>
+staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root
+</pre>
+
+<p>
+Next, check what the default context is for the given user (in this case=
, root)
+when originating from the <c>crond_t</c> domain:
+</p>
+
+<pre caption=3D"Check default context for user root">
+~# <i>getseuser root system_u:system_r:crond_t</i>
+seuser:  root, level (null)
+Context 0       root:sysadm_r:cronjob_t
+Context 1       root:staff_r:cronjob_t
+</pre>
+
+<p>
+As you can see, the default context is always for the <c>root</c> SELinu=
x user.
+However, the <path>/var/spool/cron/crontabs/root</path> file context in =
the
+above example is for the SELinux user staff_u. Hence, cron will not be a=
ble to
+read this file (the <c>user_cron_spool_t</c> type is a UBAC constrained =
one).
+</p>
+
+<p>
+To fix this, change the user of the file to root:
+</p>
+
+<pre caption=3D"Change the SELinux user of the root crontab file">
+~# <i>chcon -u root /var/spool/cron/crontabs/root</i>
+</pre>
+
+</body>
+</section>
 </chapter>
 </guide>
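
Review bot: The first paragraph of the new "cronfails" section says the error occurs with "a root crontab or an administrative users' crontab", but the fix at the end only covers root (chcon -u root /var/spool/cron/crontabs/root). Consider adding a sentence saying that for another administrative account the reader should run getseuser with that login and set the file's SELinux user to the one it reports, rather than root. The section also stops at the chcon command: a closing ls -Z on the same file, showing the user portion changed from staff_u to root, would let the reader confirm the fix before waiting for the next cron run. It would help as well to state how the file came to be labelled staff_u in the first place, since the text does not say and the problem can otherwise recur. Style: "administrative users' crontab" and "regular users' crontab" should read "user's", and the title "Cron fails to load in root's crontab" reads more clearly as "Cron fails to load root's crontab".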