Gnome-Schedule opens, but cannot update any tasks. ~/audit/.log doesn't show any specific denials. Happens as pure root, (sudo, su) user

sudo gnome-schedule
Access denied by SELinux, must be privileged to use -u
On Fri, 2009-02-20 at 11:15 +0000, Frank Murphy wrote:
Gnome-Schedule opens, but cannot update any tasks. ~/audit/.log doesn't show any specific denials. Happens as pure root, (sudo, su) user

sudo gnome-schedule
Access denied by SELinux, must be privileged to use -u
Have the same issue. After semodule -DB, got these:
#============= chkpwd_t ==============
selinux_getattr_fs(chkpwd_t)
selinux_search_fs(chkpwd_t)
selinux_set_generic_booleans(chkpwd_t)

#============= crontab_t ==============
allow crontab_t chkpwd_t:process { siginh noatsecure rlimitinh };
allow crontab_t security_t:security compute_av;
selinux_getattr_fs(crontab_t)
selinux_set_generic_booleans(crontab_t)

#============= dgrift_sudo_t ==============
allow dgrift_sudo_t unconfined_t:process { siginh noatsecure rlimitinh };
userdom_search_admin_dir(dgrift_sudo_t)

#============= dgrift_t ==============
allow dgrift_t dgrift_sudo_t:process { siginh noatsecure rlimitinh };

#============= semanage_t ==============
allow semanage_t setfiles_t:process { siginh noatsecure rlimitinh };
Will try to figure out which of these solves this issue.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Fri, 2009-02-20 at 11:15 +0000, Frank Murphy wrote:
Gnome-Schedule opens, but cannot update any tasks. ~/audit/.log doesn't show any specific denials. Happens as pure root, (sudo, su) user

sudo gnome-schedule
Access denied by SELinux, must be privileged to use -u
It wants this:
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.394:41): arch=c000003e syscall=137 success=yes exit=0 a0=860060 a1=7fffe9f391f0 a2=1000 a3=7fffe9f38f90 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1235133152.394:41): avc: denied { getattr } for pid=3741 comm="crontab" name="/" dev=selinuxfs ino=1 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.394:42): arch=c000003e syscall=4 success=no exit=1427685336 a0=7fffe9f381c0 a1=7fffe9f38130 a2=7fffe9f38130 a3=7fffe9f37ee0 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1235133152.394:42): avc: denied { getattr } for pid=3741 comm="crontab" path="/selinux/class" dev=selinuxfs ino=26 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1235133152.394:42): avc: denied { search } for pid=3741 comm="crontab" name="/" dev=selinuxfs ino=1 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.395:43): arch=c000003e syscall=2 success=no exit=1427685336 a0=7fffe9f38190 a1=0 a2=7fffe9f3819c a3=7fffe9f37f40 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1235133152.395:43): avc: denied { open } for pid=3741 comm="crontab" name="mls" dev=selinuxfs ino=12 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1235133152.395:43): avc: denied { read } for pid=3741 comm="crontab" name="mls" dev=selinuxfs ino=12 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.397:44): arch=c000003e syscall=2 success=yes exit=3 a0=7fffe9f381c0 a1=90800 a2=7fffe9f381db a3=7fffe9f37e90 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1235133152.397:44): avc: denied { open } for pid=3741 comm="crontab" name="perms" dev=selinuxfs ino=67111432 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1235133152.397:44): avc: denied { read } for pid=3741 comm="crontab" name="perms" dev=selinuxfs ino=67111432 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.398:45): arch=c000003e syscall=4 success=yes exit=0 a0=7fffe9f381c0 a1=7fffe9f38120 a2=7fffe9f38120 a3=fffffff9 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1235133152.398:45): avc: denied { getattr } for pid=3741 comm="crontab" path="/selinux/class/passwd/perms/crontab" dev=selinuxfs ino=67109859 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.398:46): arch=c000003e syscall=2 success=yes exit=3 a0=7fffe9f38200 a1=2 a2=7fffe9f3820f a3=8101010101010100 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1235133152.398:46): avc: denied { write } for pid=3741 comm="crontab" name="access" dev=selinuxfs ino=6 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
----
time->Fri Feb 20 13:32:32 2009
type=SYSCALL msg=audit(1235133152.398:47): arch=c000003e syscall=1 success=no exit=1427685336 a0=3 a1=1070300 a2=65 a3=7fffe9f37f70 items=0 ppid=3737 pid=3741 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1235133152.398:47): avc: denied { compute_av } for pid=3741 comm="crontab" scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
This module will allow it:
policy_module(myschedule, 0.0.1)

require {
	type crontab_t, security_t;
}

allow crontab_t security_t:security compute_av;
selinux_set_generic_booleans(crontab_t)
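Added example, not part of the thread and not written by either poster: a Python illustration of the step between the audit records and the allow rules quoted above. It groups AVC denials by source type, target type and object class and renders one raw allow rule per group. The sample lines are a subset of the AVC records in the thread; the function names are hypothetical.

```python
import re
from collections import defaultdict

# AVC lines copied from the audit records quoted in the thread (a subset).
SAMPLE = """\
type=AVC msg=audit(1235133152.394:41): avc: denied { getattr } for pid=3741 comm="crontab" name="/" dev=selinuxfs ino=1 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=AVC msg=audit(1235133152.394:42): avc: denied { getattr } for pid=3741 comm="crontab" path="/selinux/class" dev=selinuxfs ino=26 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1235133152.394:42): avc: denied { search } for pid=3741 comm="crontab" name="/" dev=selinuxfs ino=1 scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1235133152.398:47): avc: denied { compute_av } for pid=3741 comm="crontab" scontext=dgrift:unconfined_r:crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Works on one-record-per-line logs and on records run together on one line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    # The MLS level can itself contain ':' (s0-s0:c0.c1023), so cap the split.
    return context.split(":", 3)[2]

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for m in AVC_RE.finditer(log_text):
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def to_allow_rules(denials):
    """Render one raw allow rule per (source, target, class) triple."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for rule in to_allow_rules(collect_denials(SAMPLE)):
        print(rule)
```

The third rule produced from the sample is the raw allow line that appears in the posted module.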