From: psystem@laposte.net (psystem)
Date: Tue, 29 Dec 2009 16:17:15 +0100
Subject: [refpolicy] Problem with crond ENTRYPOINT FAILED (/etc/crontab)
Message-ID: <4B3A1D7B.7000907@laposte.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello,

When I start crond under my Gentoo hardened I have this error log under /var/log/cron.log:

Dec 29 10:11:01 xxxx cron[3926]: (system_u) ENTRYPOINT FAILED (/etc/crontab)

I have checked all my file contexts, which seem good:

ls -lZ /etc/crontab
-rw-r--r--. 1 root root system_u:object_r:system_cron_spool_t 611 Oct 9 15:05 /etc/crontab

ls -lZR /var/spool/cron/
/var/spool/cron/:
drwx-wx--T. 2 root crontab system_u:object_r:cron_spool_t 4096 Dec 29 10:10 crontabs
drwxr-x---. 2 root root system_u:object_r:crond_tmp_t 4096 Oct 9 13:53 lastrun

/var/spool/cron/crontabs:
-rw-------. 1 toto crontab staff_u:object_r:user_cron_spool_t 319 Dec 29 10:10 toto

/var/spool/cron/lastrun:

crond runs with the right context:

ps auxZ | grep cron
system_u:system_r:crond_t root 10492 0.0 0.0 2172 836 ? Ss 11:59 0:00 /usr/sbin/cron

I use the latest refpolicy from the git repository. Latest Gentoo stable x86 with a 2.6.31-gentoo-r6 kernel. Latest Gentoo stable SELinux packages.

I have straced the /etc/init.d/vixie-cron start and I saw that:

10395 stat64("/etc/crontab", {st_mode=S_IFREG|0600, st_size=611, ...}) = 0
10395 open("/etc/crontab", O_RDONLY|O_NONBLOCK) = 5
10395 fstat64(5, {st_mode=S_IFREG|0600, st_size=611, ...}) = 0
10395 gettid() = 10395
10395 open("/proc/self/task/10395/attr/current", O_RDONLY|O_LARGEFILE) = 6
10395 read(6, "system_u:system_r:crond_t\0"..., 4095) = 26
10395 close(6) = 0
10395 fgetxattr(5, "security.selinux", "system_u:object_r:system_cron_spool_t", 255) = 38
10395 gettid() = 10395
10395 open("/proc/self/task/10395/attr/current", O_RDONLY|O_LARGEFILE) = 6
10395 read(6, "system_u:system_r:crond_t\0"..., 4095) = 26
10395 close(6) = 0
10395 open("/selinux/user", O_RDWR|O_LARGEFILE) = 6
10395 write(6, "system_u:system_r:crond_t system_u"..., 34) = 34
10395 read(6, "26\0system_u:system_r:logrotate_t\0system_u:system_r:initrc_t\0system_u:system_r:locate_t\0system_u:system_r:crack_t\0system_u:system_r:fsadm_t\0system_u:system_r:gpg_t\0system_u:system_r:postfix_postdrop_t\0system_u:system_r:urlwatch_t\0system_u:system_r:checkpc_t\0system_u:system_r:prelink_t\0system_u:system_r:system_cronjob_t\0system_u:system_r:tmpreaper_t\0system_u:system_r:backup_t\0system_u:system_r:chkpwd_t\0system_u:system_r:acct_t\0system_u:system_r:apmd_t\0system_u:system_r:crond_t\0system_u:system_r:cupsd_t\0system_u:system_r:ftpd_t\0system_u:system_r:httpd_t\0system_u:system_r:munin_t\0system_u:system_r:ntpd_t\0system_u:system_r:ulogd_t\0system_u:system_r:cupsd_config_t\0system_u:system_r:system_mail_t\0system_u:system_r:syslogd_t\0"..., 4095) = 727
10395 close(6) = 0
10395 open("/etc/selinux/tresys/contexts/users/system_u", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
10395 open("/etc/selinux/tresys/contexts/default_contexts", O_RDONLY|O_LARGEFILE) = 6
10395 fstat64(6, {st_mode=S_IFREG|0644, st_size=875, ...}) = 0
10395 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77e1000
10395 read(6, "system_r:crond_t\tuser_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_crond_t unconfined_r:unconfined_cronjob_t\nsystem_r:local_login_t\tuser_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t\nsystem_r:remote_login_t\tuser_r:user_t staff_r:staff_t unconfined_r:unconfined_t\nsystem_r:sshd_t\t\tuser_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t\nsystem_r:sulogin_t\tsysadm_r:sysadm_t\nsystem_r:xdm_t\t\tuser_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t\n\nstaff_r:staff_su_t\tuser_r:user_t staff_r:staff_t sysadm_r:sysadm_t\nstaff_r:staff_sudo_t\tsysadm_r:sysadm_t staff_r:staff_t\n\nsysadm_r:sysadm_su_t\tuser_r:user_t staff_r:staff_t sysadm_r:sysadm_t\nsysadm_r:sysadm_sudo_t\tsysadm_r:sysadm_t\n\nuser_r:user_su_t\tuser_r:user_t staff_r:staff_t sysadm_r:sysadm_t\nuser_r:user_sudo_t\tsysadm_r:sysadm_t user_r:user_t\n"..., 4096) = 875
10395 close(6) = 0
10395 munmap(0xb77e1000, 4096) = 0
10395 open("/selinux/access", O_RDWR|O_LARGEFILE) = 6
10395 write(6, "system_u:system_r:logrotate_t system_u:object_r:system_cron_spool_t 6 40000"..., 75) = 75
10395 read(6, "0 ffffffff 0 ffffffff 27 0"..., 4095) = 26
10395 close(6) = 0
10395 time(NULL) = 1262084312
10395 send(4, "<78>Dec 29 11:58:32 cron[10395]: (system_u) ENTRYPOINT FAILED (/etc/crontab)\0"..., 77, MSG_NOSIGNAL) = 77
10395 close(5) = 0

Why does crond check whether it has the rights to use /etc/crontab with the context system_u:system_r:logrotate_t? (Because it is the first context available returned by get_default_context()?)

Cordially
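The strace above shows the three steps behind the ENTRYPOINT check: crond asks the kernel through /selinux/user which contexts are reachable from system_u:system_r:crond_t for user system_u (26 come back, logrotate_t first), consults contexts/default_contexts to order them (the per-user file contexts/users/system_u is absent, ENOENT), and then asks /selinux/access whether the first candidate may use /etc/crontab as an entrypoint (class 6 is file, 0x40000 is the entrypoint permission; the reply's first field, allowed = 0, means denied). The following is an added example, not code from the post nor from libselinux or vixie-cron: a small Python model of that selection, fed with the data copied from the trace. The assumption to note is the fallback rule in order_contexts: the model keeps the kernel's own order when no entry of the default_contexts line matches a reachable context, which is what the trace is consistent with (the crond_t line names system_r:system_crond_t, while the kernel list contains system_r:system_cronjob_t, and logrotate_t was the context checked). FIXED_DEFAULT_CONTEXTS is a hypothetical line constructed to show what the ordering does when a match exists; whether that mismatch is the cause on the poster's machine is not established by the post.

```python
# Added example (not from the post, not libselinux code): models how a program
# like crond picks the context it checks ENTRYPOINT permission for, as the
# strace suggests: /selinux/user -> default_contexts ordering -> /selinux/access.

# Constructed from the strace: the 26 contexts the kernel returned, kernel order.
_TYPES = ("logrotate_t initrc_t locate_t crack_t fsadm_t gpg_t postfix_postdrop_t "
          "urlwatch_t checkpc_t prelink_t system_cronjob_t tmpreaper_t backup_t "
          "chkpwd_t acct_t apmd_t crond_t cupsd_t ftpd_t httpd_t munin_t ntpd_t "
          "ulogd_t cupsd_config_t system_mail_t syslogd_t").split()
KERNEL_REPLY = b"26\0" + b"".join(("system_u:system_r:%s\0" % t).encode() for t in _TYPES)

# Constructed from the strace: the crond_t line of default_contexts (plus one more line).
DEFAULT_CONTEXTS = (
    "system_r:crond_t\tuser_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t "
    "system_r:system_crond_t unconfined_r:unconfined_cronjob_t\n"
    "system_r:sshd_t\t\tuser_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t\n"
)
# Hypothetical variant (assumption, not from the post): names a type the kernel did return.
FIXED_DEFAULT_CONTEXTS = DEFAULT_CONTEXTS.replace("system_r:system_crond_t",
                                                  "system_r:system_cronjob_t")
# Constructed from the strace: the reply to the access query for logrotate_t.
ACCESS_REPLY = "0 ffffffff 0 ffffffff 27 0"

SECCLASS_FILE = 6          # kernel class number for "file", as in the trace
FILE__ENTRYPOINT = 0x40000  # entrypoint permission bit, as in the trace ("40000")


def parse_user_reply(raw):
    """Parse a /selinux/user reply, "<count>\\0ctx\\0ctx\\0...", keeping kernel order."""
    fields = raw.split(b"\0")
    count = int(fields[0])
    return [f.decode() for f in fields[1:1 + count]]


def parse_default_contexts(text):
    """Map a caller's "role:type" to the ordered "role:type" list on its line."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        table[fields[0]] = fields[1:]
    return table


def role_type(ctx):
    """'user:role:type[:level]' -> 'role:type'."""
    return ":".join(ctx.split(":")[1:3])


def order_contexts(fromcon, reachable, table):
    """Order the reachable contexts by the default_contexts line for fromcon.
    Matches come first, in the line's order.  Assumption of this model: when
    nothing on the line matches, the kernel's order is kept unchanged."""
    wanted = table.get(role_type(fromcon), [])
    ordered = [c for w in wanted for c in reachable if role_type(c) == w]
    return ordered if ordered else list(reachable)


def first_candidate(fromcon, kernel_reply, default_contexts):
    """The context a get_default_context()-style lookup would hand back first."""
    reachable = parse_user_reply(kernel_reply)
    table = parse_default_contexts(default_contexts)
    return order_contexts(fromcon, reachable, table)[0]


def access_query(scon, tcon, tclass=SECCLASS_FILE, requested=FILE__ENTRYPOINT):
    """The string written to /selinux/access: "scon tcon class perms(hex)"."""
    return "%s %s %d %x" % (scon, tcon, tclass, requested)


def access_allowed(reply, requested=FILE__ENTRYPOINT):
    """Decode "allowed decided auditallow auditdeny seqno flags"; test the bit."""
    allowed = int(reply.split()[0], 16)
    return allowed & requested == requested


if __name__ == "__main__":
    target = "system_u:object_r:system_cron_spool_t"
    for label, dc in (("trace", DEFAULT_CONTEXTS), ("hypothetical", FIXED_DEFAULT_CONTEXTS)):
        cand = first_candidate("system_u:system_r:crond_t", KERNEL_REPLY, dc)
        print(label, "first candidate:", cand)
        print("  query:", access_query(cand, target))
    print("entrypoint allowed for logrotate_t:", access_allowed(ACCESS_REPLY))
```

Run it as is and the first candidate with the trace's default_contexts is system_u:system_r:logrotate_t, exactly the context the trace queried (the generated query string is also the 75-byte line written to /selinux/access), and the trace's reply decodes to "entrypoint not allowed", which is the ENTRYPOINT FAILED message. Only with the hypothetical line does system_cronjob_t move to the front. The practical check this suggests is to compare, on the affected box, the types on the crond_t line of default_contexts against the types in the /selinux/user reply, since an entry that matches nothing reachable gives the ordering nothing to work with.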