severity 333837 wishlist
thanks

On Fri, Oct 14, 2005 at 12:51:30AM +0200, Erich Schubert wrote:
> Package: cron
> Version: 3.0pl1-91
> Severity: normal
> 
> Cron tries to back up shadow and gshadow, but cron doesn't have read
> access to these files. On SELinux, this backup should be handled by a
> special task (with special permissions), so cron.daily/standard should
> not back up these files on an SELinux-enabled system.

Errr.. The cron.daily/standard tasks are run by root, as root runs cron. If
you don't want those tasks in your SELinux system then disable them, it's
that simple.

I'm not going to add this:

> Example code fragment to test for SELinux:
> if test -x /usr/sbin/selinuxenabled && /usr/sbin/selinuxenabled;
> then
>       # run only if SELinux enabled
> fi

Because people with SELinux that have granted root access (and to the cron
process) to those files (i.e. have a proper SELinux policy in place) will
disable the tasks even though they would execute fine.

What I *might* add is a check in the tasks so that it will only try to copy
the shadow/gshadow files if they are readable, i.e., change:

        if [ -f /etc/shadow ] ; then

to

        if [ -f /etc/shadow ] && [ -r /etc/shadow ] ; then

Regards

Javier
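
The readability check proposed in the message above, worked into a complete backup function as an added example; it is not code from the cron package or from the author of the message. The function name `backup_if_readable`, its return codes and the `.bak` naming are assumptions made for illustration.

```shell
# Added illustration; names, return codes and paths are assumptions.
# backup_if_readable SRC DESTDIR
#   0 = backup written, or existing backup already identical
#   1 = SRC is not a regular file (nothing to back up)
#   2 = SRC exists but this process may not read it (skipped quietly)
#   3 = the copy itself failed
backup_if_readable() {
    src=$1
    destdir=$2
    dest="$destdir/$(basename "$src").bak"

    [ -f "$src" ] || return 1
    # -r is true only when read permission is granted to this process.
    # Testing the file itself, rather than whether SELinux is enabled,
    # keeps the backup working on systems whose policy allows the read.
    [ -r "$src" ] || return 2

    # Skip the copy when the existing backup has the same content.
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        return 0
    fi

    # Create the copy with owner-only permissions from the start, then
    # rename it into place so a partial copy never replaces a good backup.
    tmp="$dest.tmp.$$"
    if (umask 077 && cp "$src" "$tmp") && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 3
}
```

A caller can treat return code 2 as "skip without an error mail" and still report 3 as a real failure.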
