I have been setting cron_userdomain_transition on because otherwise cron doesn't work. However despite using the -P option I have occasionally had to go back and set the boolean again.
Are there some changes going on in policy updates that would affect this?
How do I check that the change is stored in the policy, and not just in effect until the next reboot?
On 03/06/2014 10:28 AM, Bruno Wolff III wrote:
> I have been setting cron_userdomain_transition on because otherwise cron doesn't work. However despite using the -P option I have occasionally had to go back and set the boolean again.
> Are there some changes going on in policy updates that would affect this?
> How do I check that the change is stored in the policy, and not just in effect until the next reboot?
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
That should not happen.
Off the top of my head you could try:
sesearch -A -b cron_userdomain_transition -C /etc/selinux/targeted/policy/policy.29
If this shows most of the lines beginning with E then you know it is on in the policy file. If they begin with D then it is off.
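The check described in the message above, as an added example that is not part of the original post: a shell function that counts the E-prefixed and D-prefixed allow rules in `sesearch -C` output and reports the majority. The function name, the two-letter prefix form (`ET`, `DF`) and the sample rules with placeholder type names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `sesearch -A -b BOOLEAN -C POLICYFILE` output (stdin).
# Prints "<state> <enabled> <disabled>", where state is on, off or unknown.
policy_boolean_state() {
    awk '
        BEGIN { e = 0; d = 0 }
        # Conditional allow rules carry a prefix starting with E (enabled)
        # or D (disabled) in front of the "allow" keyword.
        $2 == "allow" && $1 ~ /^E/ { e++ }
        $2 == "allow" && $1 ~ /^D/ { d++ }
        END {
            state = "unknown"            # no conditional rules, or a tie
            if (e > d) state = "on"
            else if (d > e) state = "off"
            printf "%s %d %d\n", state, e, d
        }'
}

# Constructed sample output; the type names are placeholders, not real policy.
sample_on() {
    cat <<'EOF'
Found 3 semantic av rules:
ET allow example_cron_t example_user_t : process transition ; [ cron_userdomain_transition ]
ET allow example_cron_t example_user_t : fd use ; [ cron_userdomain_transition ]
DF allow example_cron_t example_job_t : process transition ; [ cron_userdomain_transition ]
EOF
}

# The same rules as they would look with the boolean off in the policy file.
sample_off() {
    sample_on | sed -e 's/^ET/XT/' -e 's/^DF/EF/' -e 's/^XT/DT/'
}

sample_on | policy_boolean_state
sample_off | policy_boolean_state

# On a live system, feed it the command from the message above:
#   sesearch -A -b cron_userdomain_transition -C \
#       /etc/selinux/targeted/policy/policy.29 | policy_boolean_state
```

Running it once after `setsebool -P` and again after a reboot or policy update shows whether the stored value changed, rather than only the running one.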
On Thu, Mar 06, 2014 at 12:13:10 -0500, Daniel J Walsh <dwalsh@redhat.com> wrote:
> sesearch -A -b cron_userdomain_transition -C /etc/selinux/targeted/policy/policy.29
> If this shows most of the lines beginning with E then you know it is on in the policy file. If they begin with D then it is off.
I tried this and saw the lines began with E. I'll try testing a reboot and then try testing a reinstall of the targeted policy. I'll see if either of those change things. If so I'll file a bug. If not, I'll just keep an eye on it. (Unfortunately it isn't obvious until I reboot, so that makes it hard to narrow down what change caused the issue.)
Thanks.
On Thu, 2014-03-06 at 09:28 -0600, Bruno Wolff III wrote:
> I have been setting cron_userdomain_transition on because otherwise cron doesn't work. However despite using the -P option I have occasionally had to go back and set the boolean again.
> Are there some changes going on in policy updates that would affect this?
> How do I check that the change is stored in the policy, and not just in effect until the next reboot?
A bug for this functionality was reported, I believe. Turns out that Fedora needs some extra tweaks. Not sure if this has been fixed yet in Fedora.
Here is a screencast that discusses the fix:
On Thu, Mar 06, 2014 at 21:02:17 +0100, Dominick Grift <dominick.grift@gmail.com> wrote:
> On Thu, 2014-03-06 at 09:28 -0600, Bruno Wolff III wrote:
> > I have been setting cron_userdomain_transition on because otherwise cron doesn't work. However despite using the -P option I have occasionally had to go back and set the boolean again.
> > Are there some changes going on in policy updates that would affect this?
> > How do I check that the change is stored in the policy, and not just in effect until the next reboot?
> A bug for this functionality was reported, I believe. Turns out that Fedora needs some extra tweaks. Not sure if this has been fixed yet in Fedora.
I filed bug 1063503 for the cron issue. In this thread I was more interested in why the boolean got turned back off. I know for sure that I used the -P option on two systems to work around the cron issue and both got changed back to unset. (It might have happened twice on one machine, but I am not sure of that.)
I have just tested a reboot and reinstalling (yum reinstall) selinux-policy-targeted, but am not seeing cron_userdomain_transition change.
I don't have any other easily testable guesses for what happened, so for now I'll just keep an eye on it.
I reported the same problem several days ago.
httpd_can_connect_network_db was off. I rebooted the day before.
Don't know why.
2014-03-07 6:02 GMT+09:00, Bruno Wolff III <bruno@wolff.to>:
> On Thu, Mar 06, 2014 at 21:02:17 +0100, Dominick Grift <dominick.grift@gmail.com> wrote:
> > On Thu, 2014-03-06 at 09:28 -0600, Bruno Wolff III wrote:
> > > I have been setting cron_userdomain_transition on because otherwise cron doesn't work. However despite using the -P option I have occasionally had to go back and set the boolean again.
> > > Are there some changes going on in policy updates that would affect this?
> > > How do I check that the change is stored in the policy, and not just in effect until the next reboot?
> > A bug for this functionality was reported, I believe. Turns out that Fedora needs some extra tweaks. Not sure if this has been fixed yet in Fedora.
> I filed bug 1063503 for the cron issue. In this thread I was more interested in why the boolean got turned back off. I know for sure that I used the -P option on two systems to work around the cron issue and both got changed back to unset. (It might have happened twice on one machine, but I am not sure of that.)
> I have just tested a reboot and reinstalling (yum reinstall) selinux-policy-targeted, but am not seeing cron_userdomain_transition change.
> I don't have any other easily testable guesses for what happened, so for now I'll just keep an eye on it.
On 03/06/2014 10:02 PM, Bruno Wolff III wrote:
> On Thu, Mar 06, 2014 at 21:02:17 +0100, Dominick Grift <dominick.grift@gmail.com> wrote:
> > On Thu, 2014-03-06 at 09:28 -0600, Bruno Wolff III wrote:
> > > I have been setting cron_userdomain_transition on because otherwise cron doesn't work. However despite using the -P option I have occasionally had to go back and set the boolean again.
> > > Are there some changes going on in policy updates that would affect this?
> > > How do I check that the change is stored in the policy, and not just in effect until the next reboot?
> > A bug for this functionality was reported, I believe. Turns out that Fedora needs some extra tweaks. Not sure if this has been fixed yet in Fedora.
> I filed bug 1063503 for the cron issue. In this thread I was more interested in why the boolean got turned back off. I know for sure that I used the -P option on two systems to work around the cron issue and both got changed back to unset. (It might have happened twice on one machine, but I am not sure of that.)
> I have just tested a reboot and reinstalling (yum reinstall) selinux-policy-targeted, but am not seeing cron_userdomain_transition change.
> I don't have any other easily testable guesses for what happened, so for now I'll just keep an eye on it.
Will work on this bug ASAP.
Regards, Miroslav