path: root/html/selinux-faq.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Documentation
--
  Gentoo Hardened SELinux Frequently Asked Questions</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<br><h1>Gentoo Hardened SELinux Frequently Asked Questions</h1>
<form name="contents" action="http://www.gentoo.org">
<b>Content</b>:
        <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Questions</option>
<option value="#doc_chap2">2. General SELinux Support Questions</option>
<option value="#doc_chap3">3. Using SELinux</option>
<option value="#doc_chap4">4. SELinux Kernel Error Messages</option>
<option value="#doc_chap5">5. SELinux and Gentoo</option></select>
</form>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Questions</p>
<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
<p>
Using SELinux requires administrators a more thorough knowledge of their
system and a good idea on how processes should behave. Next to the <a href="selinux/selinux-handbook.html">Gentoo Hardened SELinux
handbook</a>, a proper FAQ allows us to inform and help users in their 
day-to-day SELinux experience.
</p>
<p>
The FAQ is an aggregation of solutions found on IRC, mailinglists, forums
and elsewhere. It focuses on SELinux integration on Gentoo Hardened, but 
general SELinux questions that are popping up regularly will be incorporated
as well.
</p>
<p class="secthead">General SELinux Support Questions</p>
<ul>
<li><a href="#features">Does SELinux enforce resource limits?</a></li>
<li><a href="#grsecurity">Can I use SELinux with grsecurity (and PaX)?</a></li>
<li><a href="#pie-ssp">Can I use SELinux and the hardened compiler (with PIE-SSP)?</a></li>
<li><a href="#rsbac">Can I use SELinux and RSBAC?</a></li>
<li><a href="#filesystem">Can I use SELinux with any file system?</a></li>
<li><a href="#nomultilib">Can I use SELinux with AMD64 no-multilib?</a></li>
<li><a href="#ubac">What is UBAC exactly?</a></li>
</ul>
<p class="secthead">Using SELinux</p>
<ul>
<li><a href="#enable_selinux">How do I enable SELinux?</a></li>
<li><a href="#switch_status">How do I switch between permissive and enforcing?</a></li>
<li><a href="#disable_selinux">How do I disable SELinux completely?</a></li>
<li><a href="#matchcontext">
  How do I know which file context rule is used for a particular file?
</a></li>
</ul>
<p class="secthead">SELinux Kernel Error Messages</p>
<ul><li><a href="#register_security">I get a register_security error message when booting</a></li></ul>
<p class="secthead">SELinux and Gentoo</p>
<ul>
<li><a href="#no_module">I get a missing SELinux module error when using emerge</a></li>
<li><a href="#loadpolicy">I get 'FEATURES variable contains unknown value(s): loadpolicy'</a></li>
<li><a href="#conflicting_types">During rlpkg I get 'conflicting specifications for ... and ..., using ...'</a></li>
<li><a href="#portage_libsandbox">
  During package installation, ld.so complains 'object 'libsandbox.so' from 
  LD_PRELOAD cannot be preloaded: ignored'
</a></li>
<li><a href="#emergefails">Emerge does not work, giving 'Permission denied: /etc/make.conf'</a></li>
<li><a href="#cronfails">
  Cron fails to load in root's crontab with message '(root) ENTRYPOINT
  FAILED (crontabs/root)'
</a></li>
</ul>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
            </span>General SELinux Support Questions</p>
<p class="secthead"><a name="features"></a><a name="doc_chap2_sect1">Does SELinux enforce resource limits?</a></p>
<p>
No, resource limits are outside the scope of an access control system. If you 
are looking for this type of support, take a look at technologies like
grsecurity, cgroups, pam and the like.
</p>
<p class="secthead"><a name="grsecurity"></a><a name="doc_chap2_sect2">Can I use SELinux with grsecurity (and PaX)?</a></p>
<p>
Definitely, we even recommend it. However, it is suggested that grsecurity's
ACL support is not used as it would be redundant to SELinux's access control.
</p>
<p class="secthead"><a name="pie-ssp"></a><a name="doc_chap2_sect3">Can I use SELinux and the hardened compiler (with PIE-SSP)?</a></p>
<p>
Definitely. We also suggest to use PaX to take full advantage of the PIE
features of the compiler.
</p>
<p class="secthead"><a name="rsbac"></a><a name="doc_chap2_sect4">Can I use SELinux and RSBAC?</a></p>
<p>
Yes, SELinux and RSBAC can be used together, but it is not recommended. The
RSBAC framework that is added to the Linux Security Modules framework (which
is used by SELinux) impacts performance for little added value. 
</p>
<p>
In most cases, it makes more sense to use RSBAC without SELinux, or SELinux
without RSBAC.
</p>
<p class="secthead"><a name="filesystem"></a><a name="doc_chap2_sect5">Can I use SELinux with any file system?</a></p>
<p>
SELinux requires access to a file's security context to operate properly.
To do so, SELinux uses <span class="emphasis">extended file attributes</span> which needs to be 
properly supported by the underlying file system. If the file system supports
extended file attributes and you have configured your kernel to enable this
support, then SELinux will work on those file systems.
</p>
<p>
General Linux file systems, such as ext2, ext3, ext4, jfs, xfs and btrfs
support extended attributes (but don't forget to enable it in the kernel
configuration) as well as tmpfs (for instance used by udev). If your file
system collection is limited to this set, then you should have no issues.
</p>
<p>
Ancillary file systems such as vfat and iso9660 are supported too, but with
an important caveat: all files in each file system will have the same SELinux
security context information since these file systems do not support extended
file attributes. 
</p>
<p>
Network file systems can be supported in the same manner as ancillary file
systems (all files share the same security context). However, some development
has been made in supported extended file attributes on the more popular file
systems such as NFS. Although this is far from production-ready, it does look
like we will eventually support these file systems on SELinux fully as well.
</p>
<p class="secthead"><a name="nomultilib"></a><a name="doc_chap2_sect6">Can I use SELinux with AMD64 no-multilib?</a></p>
<p>
Yes. However, for the time being, it is only supported through developer
profiles, meaning that the profiles should not be seen as very stable (their
content can still change swiftly). Try out
<span class="code" dir="ltr">hardened/linux/amd64/no-multilib/selinux</span> and tell us what you get.
</p>
<p class="secthead"><a name="ubac"></a><a name="doc_chap2_sect7">What is UBAC exactly?</a></p>
<p>
UBAC, or <span class="emphasis">User Based Access Control</span>, introduces additional constraints
when using SELinux policy. Participating domains / types that are <span class="emphasis">both</span>
marked as a <span class="code" dir="ltr">ubac_constrained_type</span> (which is an attribute) will only
have the allowed privileges in effect if they both run with the same SELinux
user context.
</p>
<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Domains and their SELinux user context</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment"># The SELinux allow rule</span>
allow foo_t bar_t:file { read };

<span class="code-comment"># This will succeed:</span>
staff_u:staff_r:foo_t reads file with type staff_u:object_r:bar_t

<span class="code-comment"># This will be prohibited:</span>
user_u:user_r:foo_t reads file with type staff_u:object_r:bar_t
</pre></td></tr>
</table>
<p>
Of course, this is not always the case. Besides the earlier mentioned
requirement that both types are <span class="code" dir="ltr">ubac_constrained_type</span>, if the source
domain is <span class="code" dir="ltr">sysadm_t</span>, then the constraint will not be in effect (the 
<span class="code" dir="ltr">sysadm_t</span> domain is exempt from UBAC constraints). Also, if the source
or destination SELinux user is <span class="code" dir="ltr">system_u</span> then the constraint will also
not be in effect. 
</p>
<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
            </span>Using SELinux</p>
<p class="secthead"><a name="enable_selinux"></a><a name="doc_chap3_sect1">How do I enable SELinux?</a></p>
<p>
This is explained in the <a href="selinux/selinux-handbook.html">SELinux Handbook</a>
in the chapter on <span class="emphasis">Using Gentoo/Hardened SELinux</span>.
</p>
<p class="secthead"><a name="switch_status"></a><a name="doc_chap3_sect2">How do I switch between permissive and enforcing?</a></p>
<p>
The easiest way is to use the <span class="code" dir="ltr">setenforce</span> command. With <span class="code" dir="ltr">setenforce 
0</span> you tell SELinux to run in permissive mode. Similarly, with 
<span class="code" dir="ltr">setenforce 1</span> you tell SELinux to run in enforcing mode.
</p>
<p>
You can also add a kernel option <span class="code" dir="ltr">enforcing=0</span> or <span class="code" dir="ltr">enforcing=1</span>
in the bootloader configuration (or during the startup routine of the system). 
This allows you to run SELinux in permissive or enforcing mode from the start 
of the system.
</p>
<p>
The default state of the system is kept in <span class="path" dir="ltr">/etc/selinux/config</span>.
</p>
<p class="secthead"><a name="disable_selinux"></a><a name="doc_chap3_sect3">How do I disable SELinux completely?</a></p>
<p>
It might be possible that running SELinux in permissive mode is not sufficient
to properly fix any issue you have. To disable SELinux completely, you need to
edit <span class="path" dir="ltr">/etc/selinux/config</span> and set <span class="code" dir="ltr">SELINUX=disabled</span>. Next,
reboot your system.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
When you have been running your system with SELinux disabled, you must boot 
in permissive mode first and relabel your entire file system. Activities ran
while SELinux was disabled might have created new files or removed the labels
from existing files, causing these files to be available without security
context.
</p></td></tr></table>
<p class="secthead"><a name="matchcontext"></a><a name="doc_chap3_sect4">
  How do I know which file context rule is used for a particular file?
</a></p>
<p>
If you use the <span class="code" dir="ltr">matchpathcon</span> command, it will tell you what the security
context for the given path (file or directory) should be, but it doesn't tell
you which rule it used to deduce this. To do that, you can use <span class="code" dir="ltr">findcon</span>:
</p>
<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Using findcon</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">findcon /etc/selinux/strict/contexts/files/file_contexts -p /lib64/rc/init.d</span>
/.*                          system_u:object_r:default_t
/lib64/rc/init\.d(/.*)?   system_u:object_r:initrc_state_t
/lib64/.*                    system_u:object_r:lib_t
</pre></td></tr>
</table>
<p>
When the SELinux utilities try to apply a context, they try to match the rule
that is the most specific, so in the above case, it is the one that leads to the
initrc_state_t context.
</p>
<p>
The most specific means, in order of tests:
</p>
<ol>
  <li>
    If line A has a regular expression, and line B doesn't, then line B is more
    specific.
  </li>
  <li>
    If the number of characters before the first regular expression in line A is
    less than the number of characters before the first regular expression in
    line B, then line B is more specific
  </li>
  <li>
    If the number of characters in line A is less than in line B, then line B is
    more specific
  </li>
  <li>
    If line A does not map to a specific SELinux type, and line B does, then
    line B is more specific
  </li>
</ol>
<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
            </span>SELinux Kernel Error Messages</p>
<p class="secthead"><a name="register_security"></a><a name="doc_chap4_sect1">I get a register_security error message when booting</a></p>
<p>
During boot-up, the following message pops up:
</p>
<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: Kernel message on register_security</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
There is already a security framework initialized, register_security failed.
Failure registering capabilities with the kernel
selinux_register_security: Registering secondary module capability
Capability LSM initialized
</pre></td></tr>
</table>
<p>
This is nothing to worry about (and perfectly normal).
</p>
<p>
This means that the Capability LSM module couldn't register as the primary 
module, since SELinux is the primary module. The third message means that it
registers with SELinux as a secondary module.
</p>
<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
            </span>SELinux and Gentoo</p>
<p class="secthead"><a name="no_module"></a><a name="doc_chap5_sect1">I get a missing SELinux module error when using emerge</a></p>
<p>
When trying to use <span class="code" dir="ltr">emerge</span>, the following error message is displayed:
</p>
<a name="doc_chap5_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.1: Error message from emerge on the SELinux module</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
!!! SELinux module not found. Please verify that it was installed.
</pre></td></tr>
</table>
<p>
This indicates that the portage SELinux module is missing or damaged. Recent 
Portage versions provide this module out-of-the-box, but the security contexts
of the necessary files might be wrong on your system. Try relabelling the files
of the portage package:
</p>
<a name="doc_chap5_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.2: Relabel all portage files</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">rlpkg portage</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="loadpolicy"></a><a name="doc_chap5_sect2">I get 'FEATURES variable contains unknown value(s): loadpolicy'</a></p>
<p>
When running emerge, the following error is shown:
</p>
<a name="doc_chap5_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.3: Emerge error on loadpolicy</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
FEATURES variable contains unknown value(s): loadpolicy
</pre></td></tr>
</table>
<p>
This is a remnant of the older SELinux policy module set where policy packages
might require this FEATURE to be available. Although the more recent packages
do not support this FEATURE value anymore, these are still in the ~arch phase 
so the current SELinux profile still offers this value. Portage however already
knows that this FEATURE is not supported anymore and complains.
</p>
<p>
We recommend you to use the ~arch versions of all packages in the sec-policy
category, and set <span class="code" dir="ltr">FEATURES="-loadpolicy"</span> to disable this (cosmetic)
error.
</p>
<p>
Once the newer policy modules are stabilized, the SELinux profile will be updated
to remove this setting.
</p>
<p class="secthead"><a name="conflicting_types"></a><a name="doc_chap5_sect3">During rlpkg I get 'conflicting specifications for ... and ..., using ...'</a></p>
<p>
When trying to relabel a package (<span class="code" dir="ltr">rlpkg packagename</span>) or system (<span class="code" dir="ltr">rlpkg
-a -r</span>) you get a message similar to the following:
</p>
<a name="doc_chap5_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.4: rlpkg complaining about conflicting specifications</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
filespec_add: conflicting specifications for /usr/bin/getconf and 
/usr/lib64/misc/glibc/getconf/XBS5_LP64_OFF64, using
system_u:object_r:lib_t
</pre></td></tr>
</table>
<p>
This is most likely caused by hard linked files. Remember, SELinux uses the
extended attributes in the file system to store the security context of a file.
If two separate paths point to the same file using hard links (i.e. the files
share the same inode) then both files will have the same security context.
</p>
<p>
The solution depends on the particular case; in order of most likely to happen
and resolve:
</p>
<ol>
  <li>
    Although both files are the same, they are not used in the same context. 
    In such cases, it is recommended to remove one of the files and then copy
    the other file back to the first (<span class="code" dir="ltr">rm B; cp A B</span>). This way, both
    files have different inodes and can be labelled accordingly.
  </li>
  <li>
    Both files are used for the same purpose; in this case, it might be better
    to label the file which would not be labelled correctly (say a binary
    somewhere in a <span class="path" dir="ltr">/usr/lib64</span> location) using <span class="code" dir="ltr">semanage</span>
    (<span class="code" dir="ltr">semanage fcontext -a -t correct_domain_t /usr/lib64/path/to/file</span>)
  </li>
</ol>
<p>
It is also not a bad idea to report (after verifying if it hasn't been reported
first) this on <a href="https://bugs.gentoo.org">Gentoo's bugzilla</a> so 
that the default policies are updated accordingly.
</p>
<p class="secthead"><a name="portage_libsandbox"></a><a name="doc_chap5_sect4">
  During package installation, ld.so complains 'object 'libsandbox.so' from 
  LD_PRELOAD cannot be preloaded: ignored'
</a></p>
<p>
During installation of a package, you might see the following error message:
</p>
<a name="doc_chap5_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.5: Error message during package installation</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
&gt;&gt; Installing (1 of 1) net-dns/host-991529
&gt;&gt;&gt; Setting SELinux security labels
ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
</pre></td></tr>
</table>
<p>
This message should <span class="emphasis">only</span> occur after the <span class="emphasis">Setting SELinux security
labels</span> message. It happens because SELinux tells glibc to disable 
<span class="code" dir="ltr">LD_PRELOAD</span> (and other environment variables that are considered 
potentially harmful) during domain transitions. Here, portage calls the
<span class="code" dir="ltr">setfiles</span> command (part of a SELinux installation) and as such 
transitions from portage_t to setfiles_t, which clears the environment
variable.
</p>
<p>
We believe that it is safer to trust the SELinux policy here (as setfiles runs
in its own confined domain anyhow) rather than updating the policy to allow
transitioning between portage_t to setfiles_t without clearing these 
environment variables. Note that <span class="emphasis">libsandbox.so is not disabled during builds
and merges</span>, only during the activity where Portage labels the files it 
just merged.
</p>
<p>
So the error is in our opinion cosmetic and can be ignored (but sadly not
hidden).
</p>
<p class="secthead"><a name="emergefails"></a><a name="doc_chap5_sect5">Emerge does not work, giving 'Permission denied: /etc/make.conf'</a></p>
<p>
This is to be expected if you are not using the <span class="code" dir="ltr">sysadm_r</span> role. Any
Portage related activity requires that you are in the <span class="code" dir="ltr">sysadm_r</span> role. To
transition to the role, first validate if you are currently known as
<span class="code" dir="ltr">staff_u</span> (or, if you added your own SELinux identities, a user that has
the permission to transition to the <span class="code" dir="ltr">sysadm_r</span> role). Then run <span class="code" dir="ltr">newrole
-r sysadm_r</span> to transition.
</p>
<a name="doc_chap5_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.6: Transitioning to sysadm_r</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~$ <span class="code-input">emerge --info</span>
Permission denied: '/etc/make.conf'
~$ <span class="code-input">id -Z</span>
staff_u:staff_r:staff_t
~$ <span class="code-input">newrole -r sysadm_r</span>
Password: <span class="code-comment"># Enter your users' password</span>
</pre></td></tr>
</table>
<p>
This is also necessary if you logged on to your system as root but through SSH.
The default behavior is that SSH sets the lowest role for the particular user
when logged on. And you shouldn't allow remote root logins anyhow.
</p>
<p class="secthead"><a name="cronfails"></a><a name="doc_chap5_sect6">
  Cron fails to load in root's crontab with message '(root) ENTRYPOINT
  FAILED (crontabs/root)'
</a></p>
<p>
When you hit the mentioned error with a root crontab or an administrative
users' crontab, but not with a regular users' crontab, then check the context of
the crontab file:
</p>
<a name="doc_chap5_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.7: Check context of the crontab file</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">ls -Z /var/spool/cron/crontabs/root</span>
staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root
</pre></td></tr>
</table>
<p>
Next, check what the default context is for the given user (in this case, root)
when originating from the <span class="code" dir="ltr">crond_t</span> domain:
</p>
<a name="doc_chap5_pre8"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.8: Check default context for user root</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">getseuser root system_u:system_r:crond_t</span>
seuser:  root, level (null)
Context 0       root:sysadm_r:cronjob_t
Context 1       root:staff_r:cronjob_t
</pre></td></tr>
</table>
<p>
As you can see, the default context is always for the <span class="code" dir="ltr">root</span> SELinux user.
However, the <span class="path" dir="ltr">/var/spool/cron/crontabs/root</span> file context in the
above example is for the SELinux user staff_u. Hence, cron will not be able to
read this file (the <span class="code" dir="ltr">user_cron_spool_t</span> type is a UBAC constrained one).
</p>
<p>
To fix this, change the user of the file to root:
</p>
<a name="doc_chap5_pre9"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.9: Change the SELinux user of the root crontab file</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">chcon -u root /var/spool/cron/crontabs/root</span>
</pre></td></tr>
</table>
<p>
Another fix would be to disable UBAC completely. This is accomplished with
<span class="code" dir="ltr">USE="-ubac"</span>.
</p>
<br><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
<tr><td class="topsep" align="center"><p class="alttext">Updated July 13, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Frequently Asked Questions on SELinux integration with Gentoo Hardened.
The FAQ is a collection of solutions found on IRC, mailinglist, forums or 
elsewhere
</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
  <a href="mailto:pebenito@gentoo.org" class="altlink"><b>Chris PeBenito</b></a>
<br><i>Author</i><br><br>
  <a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a>
<br><i>Author</i><br></p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
        </p>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
</form>
</td></tr>
<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>