<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/../../css/main.css" type="text/css">
<link REL="shortcut icon" HREF="http://www.gentoo.org/../../favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Documentation -- SELinux cron Module</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/../../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<br><h1>SELinux cron Module</h1>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Structure</p>
<p class="secthead"><a name="doc_chap1_sect1">Domains</a></p>
<br><a name="doc_chap1_fig1"></a><table cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Figure 1.1: General cron domain overview</p></td></tr>
<tr><td align="center" bgcolor="#ddddff"><img src="./images/crondomain.png" alt="Fig. 1: General cron domain overview"></td></tr>
</table>
<br><p>
The cron daemon itself (like <span class="code" dir="ltr">vixie-cron</span>) runs in the <span class="emphasis">crond_t</span>
domain. Depending on the cron daemon used, this daemon either immediately
executes the jobs (hence its ability to transition to various other domains) or
does this through an intermediate domain (<span class="emphasis">system_cronjob_t</span> for system
cronjobs and <span class="emphasis">cronjob_t</span> for user cronjobs).
</p>
<p>
The <span class="emphasis">crontab_t</span> and <span class="emphasis">admin_crontab_t</span> domains are used by the users
(and administrators) for maintaining their crontab files. These files are read
in by the cron daemon.
</p>
<p class="secthead"><a name="doc_chap1_sect2">File Types/Labels</a></p>
<p>
The following table lists the file type/labels defined in the <span class="code" dir="ltr">cron</span>
module (part of the base policy).
</p>
<table class="ntable">
<tr>
  <td class="infohead"><b>Type</b></td>
  <td class="infohead"><b>Function</b></td>
  <td class="infohead"><b>Description</b></td>
</tr>
<tr>
  <td class="tableinfo">cronjob_t</td>
  <td class="tableinfo">Domain</td>
  <td class="tableinfo">Domain for end user cronjobs</td>
</tr>
<tr>
  <td class="tableinfo">system_cronjob_t</td>
  <td class="tableinfo">Domain</td>
  <td class="tableinfo">Domain for system cronjobs</td>
</tr>
<tr>
  <td class="tableinfo">crond_t</td>
  <td class="tableinfo">Domain</td>
  <td class="tableinfo">Domain for the cron daemon</td>
</tr>
<tr>
  <td class="tableinfo">admin_crontab_t</td>
  <td class="tableinfo">Domain</td>
  <td class="tableinfo">Domain for administrator-started crontab commands</td>
</tr>
<tr>
  <td class="tableinfo">crontab_t</td>
  <td class="tableinfo">Domain</td>
  <td class="tableinfo">Domain for user-started crontab commands</td>
</tr>
<tr>
  <td class="tableinfo">crond_exec_t</td>
  <td class="tableinfo">Entrypoint</td>
  <td class="tableinfo">Entrypoint for the cron daemon binaries</td>
</tr>
<tr>
  <td class="tableinfo">crontab_exec_t</td>
  <td class="tableinfo">Entrypoint</td>
  <td class="tableinfo">Entrypoint for the crontab commands</td>
</tr>
<tr>
  <td class="tableinfo">cron_spool_t</td>
  <td class="tableinfo">Configuration</td>
  <td class="tableinfo">Spool files (where the user crontab files are in)</td>
</tr>
<tr>
  <td class="tableinfo">user_cron_spool_t</td>
  <td class="tableinfo">Configuration</td>
  <td class="tableinfo">Spool files (for the user crontab files)</td>
</tr>
<tr>
  <td class="tableinfo">system_cron_spool_t</td>
  <td class="tableinfo">Configuration</td>
  <td class="tableinfo">Spool files (where the system crontab files are in)</td>
</tr>
<tr>
  <td class="tableinfo">cron_var_lib_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Label for cron's /var/lib items</td>
</tr>
<tr>
  <td class="tableinfo">cron_var_run_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Label for cron's /var/run items</td>
</tr>
<tr>
  <td class="tableinfo">cron_log_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Label for cron's logfiles (/var/log/cron)</td>
</tr>
<tr>
  <td class="tableinfo">crond_tmp_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Label for the cron daemon's temporary files</td>
</tr>
<tr>
  <td class="tableinfo">crond_var_run_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Label for the cron daemon's /var/run items</td>
</tr>
<tr>
  <td class="tableinfo">system_cronjob_lock_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Label for the system cronjobs' lock files</td>
</tr>
<tr>
  <td class="tableinfo">system_cronjob_tmp_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Label for the system cronjobs' temporary files</td>
</tr>
<tr>
  <td class="tableinfo">admin_crontab_tmp_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">
    Label for temporary files created by a system administrators' crontab
    command
  </td>
</tr>
<tr>
  <td class="tableinfo">crontab_tmp_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Label for temporary files created by a users' crontab command</td>
</tr>
</table>
<p class="secthead"><a name="doc_chap1_sect3">Booleans</a></p>
<p>
The <span class="code" dir="ltr">cron</span> domain supports the following SELinux booleans, which can be set
or unset using the standard <span class="code" dir="ltr">setsebool</span> statements.
</p>
<table class="ntable">
<tr>
  <td class="infohead"><b>Boolean</b></td>
  <td class="infohead"><b>Default</b></td>
  <td class="infohead"><b>Description</b></td>
</tr>
<tr>
  <td class="tableinfo">cron_can_relabel</td>
  <td class="tableinfo">false</td>
  <td class="tableinfo">
    Allow jobs running in the <span class="emphasis">system_cronjob_t</span> domain to relabel files
    and directories. When set, these jobs can also call the <span class="code" dir="ltr">setfiles</span> and 
    <span class="code" dir="ltr">restorecon</span> commands.
  </td>
</tr>
<tr>
  <td class="tableinfo">fcron_crond</td>
  <td class="tableinfo">false</td>
  <td class="tableinfo">
    Needed to set more privileges for the cron domains in case <span class="code" dir="ltr">fcron</span> is
    used as a cron daemon. These privileges are not necessary for other cron
    daemons and as such are "behind" this boolean.
  </td>
</tr>
</table>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
            </span>Using Cron</p>
<p class="secthead"><a name="doc_chap2_sect1">System Administration</a></p>
<p>
If you want to perform system administrative tasks using cronjobs, you will need
to take special care that the domain in which the job runs has sufficient
privileges.
</p>
<p>
First, make sure that your cronjobs run in the <span class="emphasis">system_cronjob_t</span> domain.
This means that the cronjobs must be defined as one of the following:
</p>
<ul>
  <li>
    scripts in the <span class="path" dir="ltr">/etc/cron.hourly</span>, <span class="path" dir="ltr">/etc/cron.daily</span>,
    ... directories
  </li>
  <li>
    crontab entries in the <span class="path" dir="ltr">/etc/cron.d</span> directory
  </li>
  <li>
    crontab entries in the <span class="path" dir="ltr">/etc/crontab</span> file
  </li>
</ul>
<p>
Next, verify that the commands you want to run (and thus their target domain in
which they will run) are allowed for the <span class="emphasis">system_cronjob_t</span> domain.
</p>
<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.1: Validating the system_cronjob_t privileges</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment"># Example to verify if we can call emerge</span>
~# <span class="code-input">sesearch -s system_cronjob_t -t portage_t -A</span>
Found 1 semantic av rules:
  allow system_cronjob_t portage_t : process transition;
</pre></td></tr>
</table>
<p>
If the domain does not have the necessary privileges, you need to update the
policy. More information on maintaining the SELinux policy can be found in the
<a href="http://hardened.gentoo.org/selinux/selinux-handbook.xml">Gentoo
Hardened SELinux Handbook</a>. 
</p>
<p>
An example policy file to allow executing <span class="code" dir="ltr">dmesg</span>:
</p>
<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.2: Allowing system_cronjob_t to execute dmesg</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
policy_module(fixcron, 1.0)

require {
  type system_cronjob_t;
}

dmesg_domtrans(system_cronjob_t)
</pre></td></tr>
</table>
<p>
In order to find out which specific calls are necessary, it can come in handy to
use the privileges assigned to the <span class="emphasis">sysadm_t</span> domain. Take a look at this
<a href="http://oss.tresys.com/projects/refpolicy/browser/policy/modules/roles/sysadm.te">sysadm.te</a>
file. If you search for "dmesg" you will notice the following in the file:
</p>
<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.3: Snippet in sysadm.te related to dmesg</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
')

optional_policy(`
        dmesg_domtrans(sysadm_t)
')

optional_policy(`
</pre></td></tr>
</table>
<p>
It is this call, <span class="code" dir="ltr">dmesg_domtrans</span>, that we are interested in (and which you
can see in the sample policy mentioned above). You may notice a
<span class="code" dir="ltr">_run</span> or <span class="code" dir="ltr">_exec</span> interface instead. Try that one first, but most of the time
you'll need a <span class="code" dir="ltr">_domtrans</span> interface.
</p>
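<p>
The steps above (check the transition with <span class="code" dir="ltr">sesearch</span>, then write a module calling the <span class="code" dir="ltr">_domtrans</span> interface for whatever is missing) can be automated. The following is an added example, not code from this document or from the Gentoo project; it parses a constructed <span class="code" dir="ltr">sesearch</span> output in the format of Code Listing 2.1 and assumes that <span class="code" dir="ltr">emerge</span> runs as <span class="code" dir="ltr">portage_t</span> (interface prefix <span class="code" dir="ltr">portage</span>) and <span class="code" dir="ltr">dmesg</span> as <span class="code" dir="ltr">dmesg_t</span> (prefix <span class="code" dir="ltr">dmesg</span>).
</p>

```python
import re

# Constructed sesearch output for the check in Code Listing 2.1 (assumption:
# same output format as on the page; only the portage_t transition is allowed).
SESEARCH_OUTPUT = """\
Found 1 semantic av rules:
  allow system_cronjob_t portage_t : process transition;
"""

# Target domains the jobs need, mapped to the refpolicy interface prefix that
# provides <prefix>_domtrans (assumption: emerge runs as portage_t, dmesg as dmesg_t).
WANTED = {"portage_t": "portage", "dmesg_t": "dmesg"}

# Matches "allow <src> <tgt> : <class> <perm>;" and "allow <src> <tgt>:<class> { p1 p2 };"
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\w+)\s+(\{[^}]*\}|\S+?)\s*;", re.MULTILINE)


def allowed_transitions(sesearch_output, source="system_cronjob_t"):
    """Set of target types that `source` is allowed to transition to."""
    targets = set()
    for src, tgt, cls, perms in ALLOW_RE.findall(sesearch_output):
        if src != source or cls != "process":
            continue
        if "transition" in perms.strip("{} ").split():
            targets.add(tgt)
    return targets


def missing_transitions(sesearch_output, wanted, source="system_cronjob_t"):
    """Wanted target types for which no process transition rule was found."""
    have = allowed_transitions(sesearch_output, source)
    return sorted(t for t in wanted if t not in have)


def render_policy_module(missing, wanted, name="fixcron", version="1.0",
                         source="system_cronjob_t"):
    """Render a .te file in the shape of Code Listing 2.2 for the missing targets."""
    lines = [f"policy_module({name}, {version})", "", "require {",
             f"  type {source};", "}", ""]
    lines += [f"{wanted[tgt]}_domtrans({source})" for tgt in missing]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    missing = missing_transitions(SESEARCH_OUTPUT, WANTED)
    print("Transitions still missing:", missing)
    print(render_policy_module(missing, WANTED))
```

On a real system, feed it the output of <span class="code" dir="ltr">sesearch -s system_cronjob_t -A</span> instead of the constructed string; the generated module still has to be built and loaded as the SELinux Handbook describes.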
<p>
For more information or help with managing your policies, do not hesitate to
drop by on <span class="code" dir="ltr">#gentoo-hardened</span> in <span class="code" dir="ltr">irc.freenode.net</span>.
</p>
<p class="secthead"><a name="doc_chap2_sect2">User (incl. root) Cronjobs</a></p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
Part of this is for vixie-cron users with USE="ubac" set, but even if this is
not the case it is still pertinent (cf. the default_contexts issue).
</p></td></tr></table>
<p>
When working with end user crontabs (those triggered / managed through the
<span class="code" dir="ltr">crontab</span> command), you must take care that you do this as the <span class="emphasis">SELinux
user</span> which is associated with the file (this is a result of the SELinux User
Based Access Control, aka <span class="emphasis">UBAC</span>). In other words, if you want to edit the
root user's <span class="path" dir="ltr">crontab</span> file, you need to be the <span class="code" dir="ltr">root</span> SELinux
user (and not a staff user that <span class="code" dir="ltr">su</span>/<span class="code" dir="ltr">sudo</span>'ed into root).
</p>
<p>
If this was not done correctly, you will get the following error:
</p>
<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.4: Error due to mismatch on SELinux user</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
cron[20642]: (root) ENTRYPOINT FAILED (crontabs/root)
</pre></td></tr>
</table>
<p>
Verify that the file's user and SELinux user match:
</p>
<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.5: Verify that the SELinux user and file user ownership match</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">ls -Z /var/spool/cron/crontabs/root</span>
staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root

~# <span class="code-input">semanage login -l | grep root</span>
root              root
</pre></td></tr>
</table>
<p>
In the above case, the root Unix account (cf. the filename of the crontab file) is
mapped to the root SELinux user (cf. the second "root" in the <span class="code" dir="ltr">semanage login
-l</span> output). However, the SELinux user of the crontab file is <span class="emphasis">staff_u</span>
instead of <span class="emphasis">root</span>, which is why the failure occurred.
</p>
<p>
To fix this, use <span class="code" dir="ltr">chcon</span>:
</p>
<a name="doc_chap2_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.6: Fix the crontab SELinux user ownership</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">chcon -u root /var/spool/cron/crontabs/root</span>
</pre></td></tr>
</table>
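<p>
The comparison made by hand in Code Listings 2.5 and 2.6 can be run over every crontab in the spool. The following is an added example, not code from this document or from the Gentoo project; it parses constructed <span class="code" dir="ltr">ls -Z</span> and <span class="code" dir="ltr">semanage login -l</span> output in the column layout shown above, takes the Unix account from the crontab file name as the text does, falls back to the <span class="code" dir="ltr">__default__</span> login mapping, and proposes the <span class="code" dir="ltr">chcon -u</span> fix for each mismatch.
</p>

```python
import os

# Constructed `ls -Z` and `semanage login -l` output (assumption: the column
# layout shown in Code Listing 2.5; root's crontab carries the wrong SELinux user).
LS_Z_OUTPUT = """\
staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root
user_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/john
"""
SEMANAGE_LOGIN_OUTPUT = """\
__default__       user_u
root              root
"""


def parse_ls_z(output):
    """Map each listed path to the SELinux user of its file context."""
    files = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            files[fields[-1]] = fields[0].split(":")[0]
    return files


def parse_semanage_login(output):
    """Map Unix login -> SELinux user (first two columns; header/rule lines skipped)."""
    mapping = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] != "Login" and not fields[0].startswith("-"):
            mapping[fields[0]] = fields[1]
    return mapping


def expected_seuser(login, mapping):
    """SELinux user the login maps to, falling back to the __default__ mapping."""
    return mapping.get(login, mapping.get("__default__"))


def check_crontabs(ls_z_output, semanage_output):
    """Report crontab files whose SELinux user differs from the owner's login mapping.

    The Unix account is taken from the crontab file name, as the text does."""
    mapping = parse_semanage_login(semanage_output)
    problems = []
    for path, file_seuser in parse_ls_z(ls_z_output).items():
        login = os.path.basename(path)
        want = expected_seuser(login, mapping)
        if want is not None and want != file_seuser:
            problems.append({"path": path, "file_seuser": file_seuser,
                             "expected": want, "fix": f"chcon -u {want} {path}"})
    return problems


if __name__ == "__main__":
    for p in check_crontabs(LS_Z_OUTPUT, SEMANAGE_LOGIN_OUTPUT):
        print(f"{p['path']}: SELinux user {p['file_seuser']}, "
              f"expected {p['expected']} -> {p['fix']}")
```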
<p>
Another problem that you might see is immediately at startup:
</p>
<a name="doc_chap2_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.7: Entrypoint failure on crontab</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
cron[26653]: (system_u) ENTRYPOINT FAILED (/etc/crontab)
</pre></td></tr>
</table>
<p>
In this case, even if the user of the file is correct, it is most likely due to
the <span class="path" dir="ltr">/etc/selinux/*/contexts/default_contexts</span> file containing an
incorrect definition. Look at the cron-related line and verify that each
mentioned context is valid. For instance:
</p>
<a name="doc_chap2_pre8"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.8: Verify if contexts are valid</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment"># Verify the context "system_r:cronjob_t:s0"</span>
~# <span class="code-input">seinfo -rsystem_r -x | grep cronjob</span>
  system_cronjob_t
</pre></td></tr>
</table>
<p>
In the above case, <span class="emphasis">cronjob_t</span> is not valid, but <span class="emphasis">system_cronjob_t</span> is.
</p>
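<p>
The validity check of Code Listing 2.8 can be applied to every context on the cron line at once. The following is an added example, not code from this document or from the Gentoo project; it assumes the refpolicy <span class="code" dir="ltr">default_contexts</span> layout (one line per source context, followed by the target contexts it may enter, each written as <span class="code" dir="ltr">role:type[:level]</span>) and uses a constructed role-to-types table standing in for the <span class="code" dir="ltr">seinfo -r&lt;role&gt; -x</span> output.
</p>

```python
# Constructed default_contexts content (assumption: the refpolicy layout, one
# line per source context followed by the target contexts it may enter, without
# a SELinux user field). The cron line here carries the invalid system_r:cronjob_t:s0.
DEFAULT_CONTEXTS = """\
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0 system_r:cronjob_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0
"""

# Constructed "seinfo -r<role> -x" results: which types each role may run
# (assumption; in Code Listing 2.8 system_r lists system_cronjob_t, not cronjob_t).
ROLE_TYPES = {
    "system_r": {"local_login_t", "crond_t", "system_cronjob_t"},
    "user_r": {"user_t", "cronjob_t"},
    "staff_r": {"staff_t", "cronjob_t"},
    "sysadm_r": {"sysadm_t"},
}


def split_context(ctx):
    """Split 'role:type[:level]' into its parts (level is None when absent)."""
    parts = ctx.split(":")
    return parts[0], parts[1], parts[2] if len(parts) > 2 else None


def cron_target_contexts(default_contexts, source_type="crond_t"):
    """Target contexts listed on the line whose source type is `source_type`."""
    for line in default_contexts.splitlines():
        fields = line.split()
        if fields and split_context(fields[0])[1] == source_type:
            return fields[1:]
    return []


def invalid_contexts(default_contexts, role_types, source_type="crond_t"):
    """Target contexts whose type is not allowed for the role it is paired with."""
    bad = []
    for ctx in cron_target_contexts(default_contexts, source_type):
        role, type_, _ = split_context(ctx)
        if type_ not in role_types.get(role, set()):
            bad.append(ctx)
    return bad


if __name__ == "__main__":
    for ctx in invalid_contexts(DEFAULT_CONTEXTS, ROLE_TYPES):
        print("invalid context on the crond_t line:", ctx)
```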
<p class="secthead"><a name="doc_chap2_sect3">Reporting Cron and SELinux Issues</a></p>
<p>
If you have an issue with cron and believe that it is related to SELinux, please
also give the output of the following command:
</p>
<a name="doc_chap2_pre9"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.9: Getting the initial context from crond_t</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment"># Get the domain under which system-level jobs will run</span>
~# <span class="code-input">getseuser system_u system_u:system_r:crond_t</span>
seuser:  system_u, level (null)
Context 0        system_u:system_r:system_cronjob_t

<span class="code-comment"># Get the domain under which user-level jobs will run</span>
~# <span class="code-input">getseuser john system_u:system_r:crond_t</span>
seuser:  user_u, level (null)
Context 0        user_u:user_r:cronjob_t
</pre></td></tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
The <span class="code" dir="ltr">getseuser</span> command usually takes a Unix account name for the first
argument, but treats <span class="code" dir="ltr">system_u</span> as a special case.
</p></td></tr></table>
<br><p class="copyright">
	The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
  </p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Updated August 13, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Within SELinux, the cron module is responsible for defining the scheduling
domains and interactions.
</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
  <a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a>
<br><i>Author</i><br></p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>