* [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/modules/
@ 2011-07-21 9:21 Sven Vermeulen
From: Sven Vermeulen @ 2011-07-21 9:21 UTC
To: gentoo-commits
commit: 4f3f69a18997e5f8400550724b39fb375b218f2d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jul 21 09:20:56 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jul 21 09:20:56 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=4f3f69a1
Updating previews
---
html/index.html | 8 ++++-
html/index2.html | 11 ++++--
html/selinux/modules/portage.html | 16 +++++++--
html/support-state.html | 66 ++++++++++++++++++------------------
4 files changed, 60 insertions(+), 41 deletions(-)
diff --git a/html/index.html b/html/index.html
index 8cbf79a..89d5342 100644
--- a/html/index.html
+++ b/html/index.html
@@ -269,11 +269,17 @@ GNU Stack Quickstart
</b>
<ul>
<li>
- <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook</a>
+ <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (including installation)</a>
</li>
<li>
<a href="selinux-faq.html">Gentoo SELinux FAQ</a>
</li>
+ <li>
+ <a href="roadmap.html">Gentoo Hardened Roadmap (incl. SELinux development)</a>
+ </li>
+ <li>
+ <a href="support-state.html">Gentoo Hardened Support Matrices (incl. SELinux)</a>
+ </li>
</ul>
</li>
</ul>
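Review bot: the three new link labels are inconsistent in how they abbreviate: the handbook entry reads "(including installation)" while the two new entries read "(incl. SELinux development)" and "(incl. SELinux)"; pick one form for all three. The same list is repeated verbatim in the index2.html hunk further down, so the wording should be fixed once in the source XML that both previews are generated from rather than in the two HTML files.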
diff --git a/html/index2.html b/html/index2.html
index 1f8776e..8e243b3 100644
--- a/html/index2.html
+++ b/html/index2.html
@@ -97,8 +97,7 @@ Gentoo once they've been tested for security and stability by the Hardened team.
</tr>
<tr>
<td class="tableinfo"></td>
- <td class="tableinfo">blueness
-</td>
+ <td class="tableinfo">blueness</td>
<td class="tableinfo">Policy development, Proxy (non developer contributors)</td>
</tr>
<tr>
@@ -238,11 +237,17 @@ GNU Stack Quickstart</a>
</b>
<ul>
<li>
- <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook</a>
+ <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (including installation)</a>
</li>
<li>
<a href="selinux-faq.html">Gentoo SELinux FAQ</a>
</li>
+ <li>
+ <a href="roadmap.html">Gentoo Hardened Roadmap (incl. SELinux development)</a>
+ </li>
+ <li>
+ <a href="support-state.html">Gentoo Hardened Support Matrices (incl. SELinux)</a>
+ </li>
</ul>
</li>
</ul>
diff --git a/html/selinux/modules/portage.html b/html/selinux/modules/portage.html
index 1d062aa..4b629f7 100644
--- a/html/selinux/modules/portage.html
+++ b/html/selinux/modules/portage.html
@@ -251,8 +251,9 @@ mount option to force the context of all files on the mounted location.
</p>
<p class="secthead"><a name="doc_chap2_sect2">Booleans</a></p>
<p>
-The Portage module within Gentoo defines two booleans, called
-<span class="code" dir="ltr">gentoo_try_dontaudit</span> and <span class="code" dir="ltr">gentoo_portage_allow_nfs</span>.
+The Portage module within Gentoo defines three booleans, called
+<span class="code" dir="ltr">gentoo_try_dontaudit</span>, <span class="code" dir="ltr">gentoo_portage_use_nfs</span> and
+<span class="code" dir="ltr">gentoo_wait_requests</span>.
</p>
<p>
When <span class="code" dir="ltr">gentoo_try_dontaudit</span> is enabled, the policy will hide the AVC
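Review bot: renaming the boolean from gentoo_portage_allow_nfs to gentoo_portage_use_nfs is a user-visible change, but the paragraph gives no hint that the old name existed; an administrator who persisted the old boolean will not find it under the new policy. Add one sentence naming the former boolean and saying that the setting has to be applied again under the new name after the policy update.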
@@ -262,12 +263,19 @@ is wise to first disable the boolean and see if you now get any denials that
could explain the problem.
</p>
<p>
-When <span class="code" dir="ltr">gentoo_portage_allow_nfs</span> is enabled, then the Portage-related
+When <span class="code" dir="ltr">gentoo_portage_use_nfs</span> is enabled, then the Portage-related
domains will be able to manage the <span class="code" dir="ltr">nfs_t</span> and as such, allow for the
Portage tree and other locations to be NFS-mounted without correcting their
label (which is still supported when using the <span class="code" dir="ltr">context=</span> mount option).
</p>
<p>
+When <span class="code" dir="ltr">gentoo_wait_requests</span> is enabled, then policy rules that are
+introduced to get things working, but which are temporary until the upstream
+project enhances its application (and a bug report is opened for it), are
+active. Disabling this boolean is only recommended if you are running the
+system with the proper patches and is more used for development traceability.
+</p>
+<p>
To switch booleans, use <span class="code" dir="ltr">setsebool</span> or <span class="code" dir="ltr">togglesebool</span>.
</p>
<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
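Review bot: the new gentoo_wait_requests paragraph never states the boolean's default value, and its last sentence is ungrammatical ("Disabling this boolean is only recommended if ... and is more used for development traceability" has no subject for the second clause). Because the rules it gates are extra allow rules added as workarounds, the reader needs to know whether they are active out of the box (the text implies so but does not say it); suggest: "This boolean is enabled by default. Disabling it is only recommended when the system runs with the proper upstream patches; it mainly exists for development traceability."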
@@ -296,7 +304,7 @@ To switch booleans, use <span class="code" dir="ltr">setsebool</span> or <span c
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux/modules/portage.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated July 7, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated July 21, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Within SELinux, the portage module is responsible for defining the
Gentoo-related domains and privileges, including those for the Portage package
diff --git a/html/support-state.html b/html/support-state.html
index 1ddfa9e..94aad74 100644
--- a/html/support-state.html
+++ b/html/support-state.html
@@ -51,57 +51,57 @@ reports and feedback).
</tr>
<tr>
<td class="tableinfo">x86</td>
- <td class="tableinfo"><span class="code-keyword">In place</span></td>
+ <td class="tableinfo">In place</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">amd64 / x86_64</td>
- <td class="tableinfo"><span class="code-keyword">In place</span></td>
+ <td class="tableinfo">In place</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">ppc</td>
- <td class="tableinfo"><span class="code-keyword">In place</span></td>
+ <td class="tableinfo">In place</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">ppc64</td>
- <td class="tableinfo"><span class="code-keyword">In place</span></td>
+ <td class="tableinfo">In place</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">ia64</td>
- <td class="tableinfo"><span class="code-keyword">In place</span></td>
+ <td class="tableinfo">In place</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">arm</td>
- <td class="tableinfo"><span class="code-variable">In progress</span></td>
+ <td class="tableinfo">In progress</td>
<td class="tableinfo">Contact blueness for more information</td>
</tr>
<tr>
<td class="tableinfo">mips</td>
- <td class="tableinfo"><span class="code-variable">In progress</span></td>
+ <td class="tableinfo">In progress</td>
<td class="tableinfo">Contact blueness for more information</td>
</tr>
<tr>
<td class="tableinfo">sparc32</td>
- <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+ <td class="tableinfo">Unsupported</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">sparc64</td>
- <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+ <td class="tableinfo">Unsupported</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">s390</td>
- <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+ <td class="tableinfo">Unsupported</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">hppa</td>
- <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+ <td class="tableinfo">Unsupported</td>
<td class="tableinfo"></td>
</tr>
</table>
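Review bot: dropping the code-keyword, code-variable and code-comment spans removes the only visual cue that distinguished "In place", "In progress" and "Unsupported" in the support matrix. If the aim is to stop reusing code-highlighting classes for table cells, a dedicated class on the td (or a legend above the table) keeps the at-a-glance reading; the same applies to the two following hunks of this file.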
@@ -114,57 +114,57 @@ reports and feedback).
</tr>
<tr>
<td class="tableinfo">x86</td>
- <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+ <td class="tableinfo">Yet to be determined</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">amd64 / x86_64</td>
- <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+ <td class="tableinfo">Yet to be determined</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">ppc</td>
- <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+ <td class="tableinfo">Yet to be determined</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">ppc64</td>
- <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+ <td class="tableinfo">Yet to be determined</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">ia64</td>
- <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+ <td class="tableinfo">Yet to be determined</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">arm</td>
- <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+ <td class="tableinfo">Yet to be determined</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">mips</td>
- <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+ <td class="tableinfo">Yet to be determined</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">sparc32</td>
- <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+ <td class="tableinfo">Yet to be determined</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">sparc64</td>
- <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+ <td class="tableinfo">Yet to be determined</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">s390</td>
- <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+ <td class="tableinfo">Yet to be determined</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">hppa</td>
- <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+ <td class="tableinfo">Yet to be determined</td>
<td class="tableinfo"></td>
</tr>
</table>
@@ -177,57 +177,57 @@ reports and feedback).
</tr>
<tr>
<td class="tableinfo">x86</td>
- <td class="tableinfo"><span class="code-keyword">In place</span></td>
+ <td class="tableinfo">In place</td>
<td class="tableinfo">Still ~arch for the time being</td>
</tr>
<tr>
<td class="tableinfo">amd64 / x86_64</td>
- <td class="tableinfo"><span class="code-keyword">In place</span></td>
+ <td class="tableinfo">In place</td>
<td class="tableinfo">Still ~arch for the time being</td>
</tr>
<tr>
<td class="tableinfo">ppc</td>
- <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+ <td class="tableinfo">Unsupported</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">ppc64</td>
- <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+ <td class="tableinfo">Unsupported</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">ia64</td>
- <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+ <td class="tableinfo">Unsupported</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">arm</td>
- <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+ <td class="tableinfo">Unsupported</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">mips</td>
- <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+ <td class="tableinfo">Unsupported</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">sparc32</td>
- <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+ <td class="tableinfo">Unsupported</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">sparc64</td>
- <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+ <td class="tableinfo">Unsupported</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">s390</td>
- <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+ <td class="tableinfo">Unsupported</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">hppa</td>
- <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+ <td class="tableinfo">Unsupported</td>
<td class="tableinfo"></td>
</tr>
</table>
* [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/modules/
@ 2011-08-10 18:38 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-10 18:38 UTC
To: gentoo-commits
commit: e0bbfdd1f93c89fb7facd49a2e8be0bd2addedc8
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 10 18:37:26 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 10 18:37:26 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e0bbfdd1
Update previews
---
html/selinux-faq.html | 34 +++++++++++++++++-
html/selinux/modules/cron.html | 75 ++++++++++++++++++++++++++++++++++-----
2 files changed, 97 insertions(+), 12 deletions(-)
diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index 3a511e5..e9c8608 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -61,7 +61,10 @@ as well.
</a></li>
</ul>
<p class="secthead">SELinux Kernel Error Messages</p>
-<ul><li><a href="#register_security">I get a register_security error message when booting</a></li></ul>
+<ul>
+<li><a href="#register_security">I get a register_security error message when booting</a></li>
+<li><a href="#permission_not_defined">I get a 'Permission ... in class ... not defined' message during booting</a></li>
+</ul>
<p class="secthead">SELinux and Gentoo</p>
<ul>
<li><a href="#no_module">I get a missing SELinux module error when using emerge</a></li>
@@ -273,6 +276,33 @@ This means that the Capability LSM module couldn't register as the primary
module, since SELinux is the primary module. The third message means that it
registers with SELinux as a secondary module.
</p>
+<p class="secthead"><a name="permission_not_defined"></a><a name="doc_chap4_sect2">I get a 'Permission ... in class ... not defined' message during booting</a></p>
+<p>
+During boot-up, the following message is shown:
+</p>
+<a name="doc_chap4_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.2: Kernel message on undefined permission(s)</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+SELinux: 2048 avtab hash slots, 16926 rules.
+SELinux: 2048 avtab hash slots, 16926 rules.
+SELinux: 6 users, 6 roles, 1083 types, 34 bools
+SELinux: 77 classes, 16926 rules
+SELinux: Permission read_policy in class security not defined in policy.
+SELinux: Permission audit_access in class file not defined in policy.
+SELinux: Permission audit_access in class dir not defined in policy.
+SELinux: Permission execmod in class dir not defined in policy.
+...
+SELinux: the above unknown classes and permissions will be denied
+SELinux: Completing initialization.
+</pre></td></tr>
+</table>
+<p>
+This means that the Linux kernel that you are booting supports permissions that
+are not defined in the policy (as offered through the
+<span class="code" dir="ltr">sec-policy/selinux-base-policy</span> package). If you do not notice any errors
+during regular operations, then this can be ignored (the permissions will be
+made part of upcoming policy definitions).
+</p>
<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
</span>SELinux and Gentoo</p>
<p class="secthead"><a name="no_module"></a><a name="doc_chap5_sect1">I get a missing SELinux module error when using emerge</a></p>
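Review bot: the new answer tells the reader the message "can be ignored" but does not explain the quoted kernel line "the above unknown classes and permissions will be denied", which is the reason it is safe: the kernel denies, rather than allows, permissions the loaded policy does not define, so the system fails closed and the only possible symptom is a denial for one of those permissions. State that explicitly, and replace "If you do not notice any errors during regular operations" with a pointer to where such denials would show up (the audit log or dmesg), since "errors" is vague.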
@@ -478,7 +508,7 @@ Another fix would be to disable UBAC completely. This is accomplished with
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated July 13, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated August 10, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Frequently Asked Questions on SELinux integration with Gentoo Hardened.
The FAQ is a collection of solutions found on IRC, mailinglist, forums or
diff --git a/html/selinux/modules/cron.html b/html/selinux/modules/cron.html
index 1344db5..14f4f94 100644
--- a/html/selinux/modules/cron.html
+++ b/html/selinux/modules/cron.html
@@ -223,7 +223,7 @@ Found 1 semantic av rules:
If the domain does not have the necessary privileges, you need to update the
policy. More information on maintaining the SELinux policy can be found in the
<a href="http://hardened.gentoo.org/selinux/selinux-handbook.xml">Gentoo
-Hardened SELinux Handbook</a>.
+Hardened SELinux Handbook</a>.
</p>
<p>
An example policy file to allow executing <span class="code" dir="ltr">dmesg</span>:
@@ -240,9 +240,38 @@ require {
dmesg_domtrans(system_cronjob_t)
</pre></td></tr>
</table>
+<p>
+In order to find out which specific calls are necessary, it can come in handy to
+use the privileges assigned to the <span class="emphasis">sysadm_t</span> domain. Take a look at this
+<a href="http://oss.tresys.com/projects/refpolicy/browser/policy/modules/roles/sysadm.te">sysadm.te</a>
+file. If you search for "dmesg" you will notice the following in the file:
+</p>
+<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Snippet in sysadm.te related to dmesg</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+128 ')
+129
+130 optional_policy(`
+131 dmesg_domtrans(sysadm_t)
+132 ')
+133
+134 optional_policy(`
+</pre></td></tr>
+</table>
+<p>
+It is this call - <span class="code" dir="ltr">dmesg_domtrans</span> - that we are interested in (and which you
+can notice in the sample policy mentioned above. It is possible that you notice
+a <span class="code" dir="ltr">_run</span> or <span class="code" dir="ltr">_exec</span> instead. Try this one first, but most of the time
+you'll need a <span class="code" dir="ltr">_domtrans</span> method.
+</p>
+<p>
+For more information or help with managing your policies, do not hesitate to
+drop by on <span class="code" dir="ltr">#gentoo-hardened</span> in <span class="code" dir="ltr">irc.freenode.net</span>.
+</p>
<p class="secthead"><a name="doc_chap2_sect2">User (incl. root) Cronjobs</a></p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
-This is applicable to vixie-cron users with USE="ubac" set.
+Part of this is for vixie-cron users with USE="ubac" set, but even if this is
+not the case it is still pertinent (cfr. the default_contexts issue).
</p></td></tr></table>
<p>
When working with end user crontabs (those triggered / managed through the
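Review bot: the sentence "It is this call - dmesg_domtrans - that we are interested in (and which you can notice in the sample policy mentioned above." never closes its parenthesis; close it after "above". The sysadm.te excerpt is shown with line numbers 128-134 but links to the live refpolicy browser, so the numbers will drift as soon as upstream touches the file; drop the numbers or link to a fixed revision. In the Important note, "cfr." should be "cf.", and "the default_contexts issue" refers to a section that only appears later in the page, so add "see below".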
@@ -255,8 +284,8 @@ user (and not a staff user that <span class="code" dir="ltr">su</span>/<span cla
<p>
If this was not done correctly, you will get the following error:
</p>
-<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Error due to mismatch on SELinux user</p></td></tr>
+<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Error due to mismatch on SELinux user</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
cron[20642]: (root) ENTRYPOINT FAILED (crontabs/root)
</pre></td></tr>
@@ -264,8 +293,8 @@ cron[20642]: (root) ENTRYPOINT FAILED (crontabs/root)
<p>
Verify that the file's user and SELinux user match:
</p>
-<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Verify that the SELinux user and file user ownership matches</p></td></tr>
+<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Verify that the SELinux user and file user ownership matches</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">ls -Z /var/spool/cron/crontabs/root</span>
staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root
@@ -283,19 +312,45 @@ instead of <span class="emphasis">root</span>, which is why the failure occurred
<p>
To fix this, use <span class="code" dir="ltr">chcon</span>:
</p>
-<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Fix the crontab SELinux user ownership</p></td></tr>
+<a name="doc_chap2_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.6: Fix the crontab SELinux user ownership</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">chcon -u root /var/spool/cron/crontabs/root</span>
</pre></td></tr>
</table>
+<p>
+Another problem that you might see is immediately at startup:
+</p>
+<a name="doc_chap2_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.7: Entrypoint failure on crontab</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+cron[26653]: (system_u) ENTRYPOINT FAILED (/etc/crontab)
+</pre></td></tr>
+</table>
+<p>
+In this case, even if the user of the file is correct, it is most likely due to
+the <span class="path" dir="ltr">/etc/selinux/*/contexts/default_context</span> file containing an
+incorrect definition. Look at the cron-related line and verify that each
+mentioned context is valid. For instance:
+</p>
+<a name="doc_chap2_pre8"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.8: Verify if contexts are valid</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># Verify the context "system_r:cronjob_t:s0"</span>
+~# <span class="code-input">seinfo -rsystem_r -x | grep cronjob</span>
+ system_cronjob_t
+</pre></td></tr>
+</table>
+<p>
+In the above case, <span class="emphasis">cronjob_t</span> is not valid, but <span class="emphasis">system_cronjob_t</span> is.
+</p>
<p class="secthead"><a name="doc_chap2_sect3">Reporting Cron and SELinux Issues</a></p>
<p>
If you have an issue with cron and believe that it is related to SELinux, please
also give the output of the following command:
</p>
-<a name="doc_chap2_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.6: Getting the initial context from crond_t</p></td></tr>
+<a name="doc_chap2_pre9"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.9: Getting the initial context from crond_t</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment"># Get the domain under which system-level jobs will run</span>
~# <span class="code-input">getseuser system_u system_u:system_r:crond_t</span>
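Review bot: the path introduced here, /etc/selinux/*/contexts/default_context, does not match the name used in the Important note earlier in this patch ("the default_contexts issue"); the libselinux file is default_contexts (plural), so the path should be corrected to agree with the note. It would also help to spell out that the seinfo output in Code Listing 2.8 is evidence by absence: grep for "cronjob" lists only system_cronjob_t, which is why cronjob_t in the default_contexts line cannot be a valid type for system_r.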