[Clip] System crontabs not being run
James Homer
James.Homer at nexor.com
Wed May 6 04:17:17 CDT 2009
It appears that the CLIP Policy is preventing the system crontabs from executing. This includes the systat program installed as default and ntpd/ntpdate client if that is how you choose to run them.
Adding setrlimit to the list of process permissions for crond_t seems to allow these to run, although in the case of both ntpd and systat there may be other stuff stopping them running to completion without any other problems.
The change is:
Index: policy/modules/services/cron.te
===================================================================
--- policy/modules/services/cron.te (revision 246)
+++ policy/modules/services/cron.te (working copy)
@@ -83,7 +83,7 @@
allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow crond_t self:process { setexec setfscreate };
+allow crond_t self:process { setrlimit setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
allow crond_t self:unix_dgram_socket create_socket_perms;
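Review bot: the new `allow crond_t self:process { setrlimit setexec setfscreate };` line re-grants a permission that the unchanged rule directly above it deliberately withholds in its `~{ ... setrlimit ... }` exclusion set, and nothing in the hunk records why. This follows the existing pattern for setexec and setfscreate, but setrlimit should get a policy comment above the rule naming what in cron needs it, and the AVC denial that motivated it should be quoted in the change description so the grant can be checked against the audit log. The context also shows `dontaudit crond_t self:capability { sys_resource sys_tty_config };`, so a denial on sys_resource would not be logged; since the message says ntpd and systat may still not run to completion, it is worth temporarily disabling dontaudit rules and retesting before treating setrlimit as the whole fix.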
--
James Homer CEng MBCS CITP
Senior Technical Consultant
CESG Listed Advisor Scheme Member
Nexor
DDI: +44 (0) 115 952 0587
Tel: +44 (0) 115 952 0500
Fax: +44 (0) 115 952 0519
mailto:james.homer at nexor.com
http://www.nexor.com