Crontab not functioning after Bastille Lockdown
 

So my cronjobs were working before I used Bastille lockdown on a particular box checked a few things so far:

/var/log/cron - the daemon is running and logs the command I want to run

The command it's self is valid, and runs fine

I have checked cron.allow and cron.deny - I'm not sure if in here lies my issue I had several things placed in my .deny file by the lockdown, however I added root to the cron.allow, tested, no joy, renamed both allow and deny and tested again No joy.


I'm not sure were to go next, any suggestions?

if the command is being logged in /var/log/cron since the bastille lock down, then the issue is not with the cron.allow or cron.deny files.

root is allowed to always run cron anyway
does bastille have some sort of log you can look at?

I believe it does, let me try and find out if there is anything in there.

I don't even see anything in the script that seems like it would change anything to do with cron, I'm only hypothesizing that the lockdown broke it anyway.

What is it your cronjobs are doing? They're being logged upon execution, so perhaps they are simply not working as you would expect.

Check mail for the user who the cronjobs are running as. (stdout/stderr from cronjobs goes there by default.)

the cron log says their are launching, but the process never starts, I see the following error message


audit(1251379441.263:143): avc: denied { lock } for pid=18654 comm="exim" path="/var/spool/exim/db/retry.lockfile" dev=cciss/c0d0p2 ino=26804412 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file

system isn't running sendmail, is it possible that it's cron is trying to use mail and failing?

That's an selinux issue. It may simply be that since cron sends stderr/stdout to the user that runs cron as an email that it is trying to open exim, being denied by your selinux policy, and therefore not running the actual program. Try allowing that selinux path and see if that fixes things. If you don't know how to do this, write back.

HTH

Forrest

@forestt, time to change your sig :)
PS Welcome to the 1K+ club

Well, Selinux is in permissive mode, and I don't have sendmail running on this box, could that be a problem?

OK, the permissive is the reason it is logging the string (basically, permissive means show me what you would not allow in the audit log, but let me do it anyway).

The line says, 'comm="exim" path="/var/spool/exim/db/retry.lockfile"'. That means it is trying to run exim (which is a sendmail replacement). I'm guessing that you do have exim running, but even if you don't, it shouldn't stop cron. Perhaps it is simply that the lockfile is stopping things from running. Try shutting down exim, removing the lockfile and then restarting exim. May not help, but that shouldn't hurt anything either.

Let us know,

Forrest

p.s. Yeah chrism01 I noticed that in another post. Is this better :)

I like guy with ambition :)

So I'm looking at the latest log info and that Selinux message about exim has no correlation to my crontab, guess it was just coincidence that I saw the two at the same time.. So I"m stumped... I have no idea why my crontab isn't running.