Bug 1052401 - Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2014-01-13 18:54 UTC by Nicolas Mailhot
Modified: 2014-01-20 08:02 UTC

Doc Type: Bug Fix
Last Closed: 2014-01-20 08:02:09 UTC
Type: Bug

Description Nicolas Mailhot 2014-01-13 18:54:48 UTC
Description of problem:
Jan 13 19:50:30 arekh crond[3698]: (nim) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/nim)
Jan 13 19:50:30 arekh crond[3698]: (nim) FAILED (loading cron table)

selinux-policy-targeted-3.13.1-13.fc21.noarch
cronie-1.4.11-4.fc21.x86_64

Comment 1 Miroslav Grepl 2014-01-14 08:09:16 UTC
Try to turn on the cron_userdomain_transition boolean

# setsebool -P cron_userdomain_transition 1

Comment 2 Daniel Walsh 2014-01-14 21:51:58 UTC
This might be caused by the entrypoint change?

Comment 3 Miroslav Grepl 2014-01-15 08:14:42 UTC
Definitely yes but I believe it is correct and users need to turn on the boolean. It has been adopted from upstream.

Comment 4 Daniel Walsh 2014-01-16 20:28:32 UTC
Which boolean?

Comment 5 Miroslav Grepl 2014-01-17 08:34:24 UTC
# setsebool -P cron_userdomain_transition 1

Comment 6 Nicolas Mailhot 2014-01-18 08:49:10 UTC
Does not work

Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/nim)

getsebool cron_userdomain_transition
cron_userdomain_transition --> on

Comment 7 Miroslav Grepl 2014-01-19 20:19:02 UTC
Ok, taking back. You are right, this boolean does not affect the unconfined_t SELinux user.

Comment 8 Miroslav Grepl 2014-01-20 08:02:09 UTC
commit 31456ed1981a7668ab06890151527e42b02a7e2e
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jan 20 09:01:49 2014 +0100

    Add cron unconfined role support for uncofined SELinux user
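
Added example, not part of the original bug report and not code from cronie or selinux-policy: a small Python parser for the crond rejection message quoted in the description. It splits the process and file contexts into their fields and applies the point from comment 7, that cron_userdomain_transition does not help when the process type is unconfined_t. The function names and triage labels are hypothetical; the sample lines are the two from the description.

```python
import re
from typing import NamedTuple, Optional

# The two log lines from the description of this bug.
SAMPLE = [
    "Jan 13 19:50:30 arekh crond[3698]: (nim) Unauthorized SELinux "
    "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/nim)",
    "Jan 13 19:50:30 arekh crond[3698]: (nim) FAILED (loading cron table)",
]

REJECT_RE = re.compile(
    r"crond\[\d+\]: \((?P<user>[^)]+)\) Unauthorized SELinux "
    r"context=(?P<ctx>\S+) file_context=(?P<fctx>\S+) \((?P<path>[^)]+)\)"
)

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str  # MLS/MCS range; may itself contain ':' (s0-s0:c0.c1023)

class Rejection(NamedTuple):
    cron_user: str
    process: Context
    file: Context
    path: str

def parse_context(raw: str) -> Context:
    # Split on the first three colons only so MCS categories stay in level.
    parts = raw.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a full SELinux context: {raw!r}")
    return Context(*parts)

def parse_rejection(line: str) -> Optional[Rejection]:
    m = REJECT_RE.search(line)
    if m is None:
        return None  # e.g. the follow-up "FAILED (loading cron table)" line
    return Rejection(m["user"], parse_context(m["ctx"]),
                     parse_context(m["fctx"]), m["path"])

def triage(rej: Rejection) -> str:
    # Comment 7: the boolean does not affect unconfined_t, so toggling it
    # cannot clear this rejection; the fix came as a policy commit (comment 8).
    if rej.process.type == "unconfined_t":
        return "policy-update"
    # Assumption: for other user domains the boolean is the first thing to check.
    return "check-boolean"
```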

