On 1/27/14, 12:38 PM, Josh Kayse wrote:
Per the RHEL6 Guide I have configured my system to utilize faillock
and lastlog. Now I have found that cron no longer works.
I have tracked it down to being an SELinux problem. crond_t is trying
to read/write lastlog_t and faillog_t files. Has anyone else run in
to this problem or have recommendations?
My findings so far have shown that cron requires auth, account, and
session from password-auth. Inside password-auth we have the
appropriate faillock/lastlog lines in auth/account/session.
Previously we have put the faillock/lastlog lines in the individual
services that users can use to access the system (gdm, sshd, login,
etc) but this was not compliant with the SSG/STIG.
Should we go back to placing these lines in the individual services or
grant the permission to crond_t? Could this be because we disable the
unconfined domain?
Happen to be sitting next to Dan Walsh.... he says:
"If a restorecon doesn't fix the problem, have them open a ticket. Even
with unconfined disabled type enforcement should grant cron_t
applications access to write logs"
So, with that said, what happens after you:
restorecon /var/log/<yourfile>