From: harrytaurus2002@hotmail.com (HarryCiao)
Date: Mon, 31 Jan 2011 11:20:29 +0000
Subject: [refpolicy] cron patches and remaining questions
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Chris and all,

I've run into some cron issues and come up with the attached 3 patches so far. I am new to cron and cron.pp, so it's likely there is a better way to fix the problems; any comments are greatly welcomed!

Also, there are a few cron problems that have not been fixed after applying these 3 patches:

1. on creation of /var/log/cron.log, its label is still var_log_t; the type_transition rule still does not take effect;

2. on creation of /var/spool/cron/root by the crontab command, its label is still cron_spool_t; the type_transition rule still does not take effect;

3. if pam_loginuid.so is used for the session phase in crond's PAM config file, then there will be PAM related issues:

[root/sysadm_r/s0 at qemu-client ~]# grep pam_loginuid /etc/pam.d/crond
session required pam_loginuid.so
[root/sysadm_r/s0 at qemu-client ~]#

Jan 31 09:30:01 QtCao crond[818]: Cannot make/remove an entry for the specified session
Jan 31 09:30:01 QtCao crond[818]: CRON (root) ERROR: failed to open PAM security session: Unknown error 4294967292
Jan 31 09:30:01 QtCao crond[818]: CRON (root) ERROR: cannot set security context

and the related audit messages are:

time->Fri Jan 28 05:30:02 2011
type=USER_START msg=audit(1296192602.112:2919): user pid=2652 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s15:c0.c255 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=failed)'
----
time->Fri Jan 28 05:30:02 2011
type=USER_END msg=audit(1296192602.124:2920): user pid=2652 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s15:c0.c255 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=failed)'

How to debug this crond PAM issue? Thanks a lot!

Best regards,
Harry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20110131/b72025a6/attachment.html
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fix-the-label-of-cron-log-files.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20110131/b72025a6/attachment.pl
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0002-Fix-var-spool-cron-labels.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20110131/b72025a6/attachment-0001.pl
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0003-Fix-cron-job-process-domain-during-system-booting-up.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20110131/b72025a6/attachment-0002.pl
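
Added example (not part of the original message or of refpolicy): a small Python triage script for audit records like the two quoted in the message. It lists failed PAM operations with the reporting SELinux domain, checks whether auid still holds 4294967295 (the 32-bit value audit logs for a login uid that was never set), and reinterprets the logged PAM error 4294967292 as a signed 32-bit number. The function names and the embedded sample are assumptions made for this example.

```python
import re

# Constructed input: the two audit records quoted in the message, one per line.
SAMPLE = (
    "type=USER_START msg=audit(1296192602.112:2919): user pid=2652 uid=0 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s15:c0.c255 "
    "msg='op=PAM:session_open acct=\"root\" exe=\"/usr/sbin/crond\" "
    "(hostname=?, addr=?, terminal=cron res=failed)'\n"
    "type=USER_END msg=audit(1296192602.124:2920): user pid=2652 uid=0 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s15:c0.c255 "
    "msg='op=PAM:session_close acct=\"root\" exe=\"/usr/sbin/crond\" "
    "(hostname=?, addr=?, terminal=cron res=failed)'\n"
)
UNSET = 0xFFFFFFFF  # (u32)-1: logged when the login uid / session id was never set
KV = re.compile(r'(\w+)=("[^"]*"|[^\s\'(),]+)')
STAMP = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")

def as_signed32(value):
    """Reinterpret an unsigned 32-bit number, as logged, as a signed int."""
    return value - (1 << 32) if value >= 1 << 31 else value

def parse_record(line):
    """Return one audit record as a dict, including the fields inside msg='...'."""
    fields = {}
    for key, val in KV.findall(line):
        fields.setdefault(key, val.strip('"'))  # first msg= is the audit stamp
    stamp = STAMP.search(line)
    if stamp:
        fields["epoch"], fields["serial"] = int(stamp.group(1)), int(stamp.group(2))
    return fields

def failed_pam_ops(text):
    """List failed PAM operations and whether a login uid had been assigned."""
    findings = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("res") != "failed" or not rec.get("op", "").startswith("PAM:"):
            continue
        findings.append({
            "serial": rec.get("serial"),
            "op": rec["op"],
            "exe": rec.get("exe"),
            "domain": rec.get("subj", "::").split(":")[2],  # SELinux type field
            "loginuid_set": rec.get("auid") not in (None, str(UNSET)),
        })
    return findings

if __name__ == "__main__":
    print(failed_pam_ops(SAMPLE), as_signed32(4294967292))
```

On the sample it reports both session_open and session_close as failed in crond_t with no login uid assigned, and shows the PAM error value to be -4 when read as signed.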