1crontab_selinux(8) SELinux Policy crontab crontab_selinux(8)
2
6 crontab_selinux - Security Enhanced Linux Policy for the crontab pro‐
7 cesses
8
10 Security-Enhanced Linux secures the crontab processes via flexible
11 mandatory access control.
12 The crontab processes execute with the crontab_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16 For example:
18 ps -eZ | grep crontab_t
20
24 The crontab_t SELinux type can be entered via the crontab_exec_t file
25 type.
26 The default entrypoint paths for the crontab_t domain are the follow‐
28 ing:
29 /usr/bin/(f)?crontab, /usr/bin/at, /usr/sbin/fcronsighup,
31 /usr/libexec/fcronsighup
32
34 SELinux defines process types (domains) for each process running on the
35 system
36 You can see the context of a process using the -Z option to ps
38 Policy governs the access confined processes have to files. SELinux
40 crontab policy is very flexible allowing users to setup their crontab
41 processes in as secure a method as possible.
42 The following process types are defined for crontab:
44 crontab_t
46 Note: semanage permissive -a crontab_t can be used to make the process
48 type crontab_t permissive. SELinux does not deny access to permissive
49 process types, but the AVC (SELinux denials) messages are still gener‐
50 ated.
51
54 SELinux policy is customizable based on least access required. crontab
55 policy is extremely flexible and has several booleans that allow you to
56 manipulate the policy and run crontab with the tightest access possi‐
57 ble.
58 If you want to allow users to resolve user passwd entries directly from
62 ldap rather then using a sssd server, you must turn on the authlo‐
63 gin_nsswitch_use_ldap boolean. Disabled by default.
64 setsebool -P authlogin_nsswitch_use_ldap 1
66 If you want to deny any process from ptracing or debugging any other
70 processes, you must turn on the deny_ptrace boolean. Enabled by
71 default.
72 setsebool -P deny_ptrace 1
74 If you want to allow any process to mmap any file on system with
78 attribute file_type, you must turn on the domain_can_mmap_files bool‐
79 ean. Enabled by default.
80 setsebool -P domain_can_mmap_files 1
82 If you want to allow all domains write to kmsg_device, while kernel is
86 executed with systemd.log_target=kmsg parameter, you must turn on the
87 domain_can_write_kmsg boolean. Disabled by default.
88 setsebool -P domain_can_write_kmsg 1
90 If you want to allow all domains to use other domains file descriptors,
94 you must turn on the domain_fd_use boolean. Enabled by default.
95 setsebool -P domain_fd_use 1
97 If you want to allow all domains to have the kernel load modules, you
101 must turn on the domain_kernel_load_modules boolean. Disabled by
102 default.
103 setsebool -P domain_kernel_load_modules 1
105 If you want to allow all domains to execute in fips_mode, you must turn
109 on the fips_mode boolean. Enabled by default.
110 setsebool -P fips_mode 1
112 If you want to enable reading of urandom for all domains, you must turn
116 on the global_ssp boolean. Disabled by default.
117 setsebool -P global_ssp 1
119 If you want to allow confined applications to run with kerberos, you
123 must turn on the kerberos_enabled boolean. Enabled by default.
124 setsebool -P kerberos_enabled 1
126 If you want to allow system to run with NIS, you must turn on the
130 nis_enabled boolean. Disabled by default.
131 setsebool -P nis_enabled 1
133 If you want to allow confined applications to use nscd shared memory,
137 you must turn on the nscd_use_shm boolean. Disabled by default.
138 setsebool -P nscd_use_shm 1
140 If you want to support ecryptfs home directories, you must turn on the
144 use_ecryptfs_home_dirs boolean. Disabled by default.
145 setsebool -P use_ecryptfs_home_dirs 1
147 If you want to support fusefs home directories, you must turn on the
151 use_fusefs_home_dirs boolean. Disabled by default.
152 setsebool -P use_fusefs_home_dirs 1
154 If you want to support NFS home directories, you must turn on the
158 use_nfs_home_dirs boolean. Disabled by default.
159 setsebool -P use_nfs_home_dirs 1
161 If you want to support SAMBA home directories, you must turn on the
165 use_samba_home_dirs boolean. Disabled by default.
166 setsebool -P use_samba_home_dirs 1
168
172 The SELinux process type crontab_t can manage files labeled with the
173 following file types. The paths listed are the default paths for these
174 file types. Note the processes UID still need to have DAC permissions.
175 cgroup_t
177 /sys/fs/cgroup
179 crontab_tmp_t
181 faillog_t
184 /var/log/btmp.*
186 /var/log/faillog.*
187 /var/log/tallylog.*
188 /var/run/faillock(/.*)?
189 user_cron_spool_t
191 /var/spool/at(/.*)?
193 /var/spool/cron
194 user_tmp_t
196 /dev/shm/mono.*
198 /var/run/user(/.*)?
199 /tmp/.X11-unix(/.*)?
200 /tmp/.ICE-unix(/.*)?
201 /dev/shm/pulse-shm.*
202 /tmp/.X0-lock
203 /tmp/hsperfdata_root
204 /var/tmp/hsperfdata_root
205 /home/[^/]+/tmp
206 /home/[^/]+/.tmp
207 /tmp/gconfd-[^/]+
208 var_auth_t
210 /var/ace(/.*)?
212 /var/rsa(/.*)?
213 /var/lib/abl(/.*)?
214 /var/lib/rsa(/.*)?
215 /var/lib/pam_ssh(/.*)?
216 /var/run/pam_ssh(/.*)?
217 /var/lib/pam_shield(/.*)?
218 /var/opt/quest/vas/vasd(/.*)?
219 /var/lib/google-authenticator(/.*)?
220
223 SELinux requires files to have an extended attribute to define the file
224 type.
225 You can see the context of a file using the -Z option to ls
227 Policy governs the access confined processes have to these files.
229 SELinux crontab policy is very flexible allowing users to setup their
230 crontab processes in as secure a method as possible.
231 STANDARD FILE CONTEXT
233 SELinux defines the file context types for the crontab, if you wanted
235 to store files with these types in a diffent paths, you need to execute
236 the semanage command to sepecify alternate labeling and then use
237 restorecon to put the labels on disk.
238 semanage fcontext -a -t crontab_tmp_t '/srv/mycrontab_content(/.*)?'
240 restorecon -R -v /srv/mycrontab_content
241 Note: SELinux often uses regular expressions to specify labels that
243 match multiple files.
244 The following file types are defined for crontab:
246 crontab_exec_t
250 - Set files with the crontab_exec_t type, if you want to transition an
252 executable to the crontab_t domain.
253 Paths:
256 /usr/bin/(f)?crontab, /usr/bin/at, /usr/sbin/fcronsighup,
257 /usr/libexec/fcronsighup
258 crontab_tmp_t
261 - Set files with the crontab_tmp_t type, if you want to store crontab
263 temporary files in the /tmp directories.
264 Note: File context can be temporarily modified with the chcon command.
268 If you want to permanently change the file context you need to use the
269 semanage fcontext command. This will modify the SELinux labeling data‐
270 base. You will need to use restorecon to apply the labels.
271
274 semanage fcontext can also be used to manipulate default file context
275 mappings.
276 semanage permissive can also be used to manipulate whether or not a
278 process type is permissive.
279 semanage module can also be used to enable/disable/install/remove pol‐
281 icy modules.
282 semanage boolean can also be used to manipulate the booleans
284 system-config-selinux is a GUI tool available to customize SELinux pol‐
287 icy settings.
288
291 This manual page was auto-generated using sepolicy manpage .
292
295 selinux(8), crontab(8), semanage(8), restorecon(8), chcon(1), sepol‐
296 icy(8) , setsebool(8)
297crontab 19-04-25 crontab_selinux(8)