[Clip] System crontabs not being run
Brandon Whalen
bwhalen at tresys.com
Fri May 22 13:15:49 CDT 2009
On 5/6/09 5:17 AM, "James Homer" <James.Homer at nexor.com> wrote:
> It appears that the CLIP Policy is preventing the system crontabs from
> executing. This includes the sysstat program installed as default and
> ntpd/ntpdate client if that is how you choose to run them.
>
> Adding setrlimit to the list of process permissions for crond_t seems to allow
> these to run. Although in the case of both ntpd and sysstat there may be other
> stuff stopping them running to completion without any other problems.
>
> The change is
>
> Index: policy/modules/services/cron.te
> ===================================================================
> --- policy/modules/services/cron.te (revision 246)
> +++ policy/modules/services/cron.te (working copy)
> @@ -83,7 +83,7 @@
> allow crond_t self:capability { dac_override setgid setuid sys_nice
> dac_read_search audit_control };
> dontaudit crond_t self:capability { sys_resource sys_tty_config };
> allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
> execmem execstack execheap };
> -allow crond_t self:process { setexec setfscreate };
> +allow crond_t self:process { setrlimit setexec setfscreate };
This permission should not be needed. CLIP disables the sysstat module in
modules.conf. You need to enable the module, rebuild, and reinstall your
policy. Let me know if this solves your problem.
> allow crond_t self:fd use;
> allow crond_t self:fifo_file rw_fifo_file_perms;
> allow crond_t self:unix_dgram_socket create_socket_perms;
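Review bot: The "setrlimit" added on the "+allow crond_t self:process { setrlimit setexec setfscreate };" line contradicts the rule directly above it, which excludes setrlimit from crond_t's self:process permissions through the ~{ ... } complement set, alongside ptrace, execmem, execstack and execheap. If cron does need it, the change should name the denial that prompted it and carry a comment in cron.te explaining why the exclusion is being overridden. Since the description says the jobs may still not run to completion, it would be better to confirm from the logged denials that setrlimit on crond_t is the actual blocker before widening the domain for every cron job.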
>
>
>
> --
> James Homer CEng MBCS CITP
> Senior Technical Consultant
> CESG Listed Advisor Scheme Member
> Nexor
>
> DDI: +44 (0) 115 952 0587
> Tel: +44 (0) 115 952 0500
> Fax: +44 (0) 115 952 0519
> mailto:james.homer at nexor.com
> http://www.nexor.com
>
> Nexor is recognised as an Investor in People and is accredited to ISO
> 9001/TickIT and ISO/IEC27001:2005. Further details of Nexor's accreditations
> can be found on our website.
>
> DISCLAIMER: Privileged or confidential information may be contained in this
> message or within any files transmitted with it. If you are not the intended
> recipient, kindly destroy the message and notify the sender by reply email.
> Opinions, conclusions and other information in this message that do not relate
> to the official business of Nexor are neither given nor endorsed by it.
>
> Nexor Limited, Bell House, Nottingham Science and Technology Park, University
> Boulevard, Nottingham, NG7 2RL A company registered in England, No: 05152465
>
> _______________________________________________
> Clip mailing list
> Clip at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/clip
Brandon Whalen
Linux Solutions Practice
Tresys Technology
8840 Stanford Boulevard, Suite 2100
Columbia, MD 21045
Phone: +1 410 290-1411 x147
FAX: +1 410 953-0494
bwhalen at tresys.com | www.tresys.com
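
The first step of the reply above (enabling the sysstat module in modules.conf) as an added example; it is not part of the original message or of CLIP's own tooling. It assumes the reference-policy file format of one "name = off|module|base" line per module, and the function names and sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example. Assumes the reference-policy modules.conf format, one
# "name = off|module|base" line per module; file contents are constructed.

# Print the setting of module $2 in file $1, or "missing" if it has no entry.
module_state() {
    state=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p" "$1" | tail -n 1)
    echo "${state:-missing}"
}

# Switch module $2 from "off" to "module" in file $1; other states are kept.
enable_module() {
    case $(module_state "$1" "$2") in
        off)
            tmp=$(mktemp) || return 1
            sed "s/^\([[:space:]]*$2[[:space:]]*=[[:space:]]*\)off/\1module/" "$1" > "$tmp" &&
                cat "$tmp" > "$1"      # rewrite in place, keeping owner, mode and label
            rc=$?
            rm -f "$tmp"
            return "$rc"
            ;;
        module|base) return 0 ;;       # already part of the built policy
        *) echo "$2: no entry in $1" >&2; return 1 ;;
    esac
}

# Constructed sample, not CLIP's real modules.conf.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Module: cron
cron = base
# Module: sysstat
sysstat = off
EOF
}

sample=$(mktemp) && make_sample_conf "$sample"
echo "before: sysstat = $(module_state "$sample" sysstat)"
enable_module "$sample" sysstat
echo "after:  sysstat = $(module_state "$sample" sysstat)"
rm -f "$sample"
# Rebuild and reinstall the policy afterwards; the message gives no commands for that.
```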