/usr/bin/run-parts->system_u:object_r:bin_t (?!)

Tom London selinux at comcast.net
Thu Jun 17 01:10:49 UTC 2004


Is it possible that the 'mrtg_exec_t' issue is the same?  crond seems to 
want to execute /usr/bin/mrtg (system_u:object_r:mrtg_exec_t) as crond_t 
as well.....

tom

Russell Coker wrote:

>On Thu, 17 Jun 2004 08:54, Tom London <selinux at comcast.net> wrote:
>
>>/usr/bin/run-parts has context system_u:object_r:bin_t under
>>selinux-policy-strict-1.13.4-6 (and earlier).
>>
>>crond_t.te has entries to search bin_t dirs, but not to
>>read/getattr/execute bin_t files.
>>
>>Here is the AVC for run-parts:
>>audit(1087423260.368:0): avc:  denied  { getattr } for  pid=4135
>>exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312
>>scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
>>tclass=file
>
>This appears to be a bug in crond, it should not be executing that program in 
>crond_t.
>
>  
>
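
An added example, not part of the original thread: a small parser that groups AVC denials by source domain, which is one way to check whether two denials (run-parts and mrtg) share the same cause. The first record is the denial quoted above joined onto one line; the second record is constructed for illustration (the thread gives no AVC for mrtg), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Record 1: the denial quoted in the thread, joined onto one line.
# Record 2: CONSTRUCTED (timestamp, pid, ino, perm are made up for the example).
SAMPLE_LOG = """\
audit(1087423260.368:0): avc:  denied  { getattr } for  pid=4135 exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file
audit(1087423561.112:0): avc:  denied  { execute } for  pid=4201 exe=/bin/bash path=/usr/bin/mrtg dev=hdb3 ino=1006400 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:mrtg_exec_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")


def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs; assumes values contain no spaces, as in the record above.
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group("perms").split(),
        "path": fields.get("path"),
        # Contexts here are user:role:type, so the type is the third field.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def denials_by_source(log_text):
    """Group denied (target_type, tclass, perm, path) tuples by source domain."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            grouped[rec["source_type"]].add(
                (rec["target_type"], rec["tclass"], perm, rec["path"]))
    return dict(grouped)


if __name__ == "__main__":
    for domain, hits in denials_by_source(SAMPLE_LOG).items():
        for target, tclass, perm, path in sorted(hits):
            print(f"{domain} -> {target}:{tclass} {{ {perm} }}  ({path})")
```

Both records land under crond_t, meaning the access was attempted while still in the cron daemon's own domain.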




More information about the fedora-selinux-list mailing list