On Thursday, August 28, 2014 08:24:32 Jonathan Billings wrote: > On Thu, Aug 28, 2014 at 07:05:49AM -0500, Bill Gee wrote: > > Another curious thing is that it all works perfectly when I "run-parts > > /etc/cron.daily" from a root login. Why should SELinux regard that as > > different from when it is run by cron??? > > Cron runs processes in a different SELinux domain (crond_t I think?) > than processes started by the root user, so this is entirely expected > behavior. But that means that SELinux contexts are NOT stable ... They are NOT the same for all instances of a process. It seems to me that defeats the whole purpose of SELinux. How does the SELinux inheritance work? How is it related to the user context under which a process runs? As I look at it, I see this chain ... == Cron run under the crond_t context and chrony user account. It calls logwatch. ==== Logwatch runs under the logwatch_t context and user account of the caller. It calls various binaries such as uptime and hddtemp and virsh. ====== Uptime is bin_t. hddtemp is bin_t. virsh is virsh_exec_t. They all run under the user account of the caller. If I run-parts from a root login, then the cron service is not involved. The processes all run in the root user account. That does not change their SELinux types, but it sure changes what they can do! I know this issue is in SELinux somewhere because if I set the system to permissive, then it all works. Bill Gee