Fedora 8 selinux blocks root cron but not user cron
Here's the situation:

Upgraded Fedora Core 6 to Fedora 7, then Fedora 8 in rapid succession. I don't know if this problem came into being when going 6->7 or 7->8. SELinux is in enforcing mode. Cron is running the contents of crontab just fine for my regular user and my database user (which does database dumps to files). Cron is NOT running root jobs in the crontab, which is making me crazy! I CAN run these jobs when I log in and su to root and then run them manually.

If I edit the crontab as root, here's what pops up in the /var/log/cron log about a minute later.

Code:
Nov 23 12:02:01 machinename crond[1725]: (root) Unauthorized SELinux context (cron/root)

I can't figure out two things: What to change the context on with chcon, and what to change the context to to let Cron run for root.

In /var/spool/cron we have:

Code:
[root@machinename cron]# ls --context

Code:
[root@machinename sbin]# ls --context crond

The maddening thing is that there's definitely a one-line command to make this right, but I'm not looking to turn off SELinux, and I think that the command that will take care of this problem will probably teach me something useful for the future. Any ideas?

Have you checked the Fedora SELinux Troubleshooting guide?

http://fedoraproject.org/wiki/SELinux/Troubleshooting

In particular, the restorecon command looks good.

http://fedoraproject.org/wiki/SELinux/restorecon

Restorecon may help, but a core problem is not knowing what privilege to assign to what file to get it running. Is it something to assign to the user root? Something to assign to the crond? Something to assign to the crontab file?

The fact that it's not generating a permissions warning in /var/log/messages, as other posts I've read seem to say should be happening when permission is denied, seems unusual as well.

Maybe you could try this:

If cron is working just fine for myusername's Cron and postgres's Cron logging using user, check the security context and make changes for root user

ls --context crond

It might be worth checking the other files cron installs. I think the command is:

rpm -ql vixie-cron | xargs ls --context

and

rpm -ql crontabs | xargs ls --context

It may show an obvious discrepancy.

The results of the rpm -ql vixie-cron command are:

Code:
-rw-r--r-- root root system_u:object_r:etc_t /etc/cron.deny

The rpm -ql crontabs results are:

Code:
-rwxr-xr-x root root system_u:object_r:bin_t /etc/cron.daily/000-delay.cron

Here are the results from my Fedora 8 box. Compare them against yours; it may show a significant difference.

rpm -ql vixie-cron | xargs ls --context

Code:
[root@localhost ~]# rpm -ql vixie-cron | xargs ls --context

Code:
[root@localhost ~]# rpm -ql crontabs | xargs ls --context
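
The comparison suggested in the posts above can be done mechanically once each box's `ls --context` output is saved to a file. The script below is an added example, not part of any post in this thread; the function names, the sample listings and the `constructed_ref_t` type are constructed for illustration, and it assumes the `mode user group context path` line layout shown in the thread and paths without whitespace.

```bash
#!/bin/bash
# Added example: diff the SELinux contexts in two saved `ls --context` listings.
# Expected line layout (as in the thread): mode user group context path

compare_contexts() {
    # $1 = listing from the affected box, $2 = listing from the reference box
    awk '
        NF < 5 { next }                          # skip blank or malformed lines
        FILENAME == ARGV[1] { mine[$NF] = $(NF-1); next }
        {
            seen[$NF] = 1
            if (!($NF in mine))
                print "MISSING " $NF " reference=" $(NF-1)
            else if (mine[$NF] != $(NF-1))
                print "DIFF " $NF " mine=" mine[$NF] " reference=" $(NF-1)
        }
        END {
            # Paths present locally but absent from the reference listing
            for (p in mine) if (!(p in seen)) print "EXTRA " p " mine=" mine[p]
        }
    ' "$1" "$2"
}

demo_compare() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample listings. "constructed_ref_t" is a placeholder type,
    # not a statement about what Fedora policy assigns to these files.
    cat > "$tmp/mine.txt" <<'EOF'
-rw-r--r-- root root system_u:object_r:etc_t /etc/cron.deny
-rwxr-xr-x root root system_u:object_r:bin_t /etc/cron.daily/000-delay.cron
EOF
    cat > "$tmp/reference.txt" <<'EOF'
-rw-r--r-- root root system_u:object_r:etc_t /etc/cron.deny
-rwxr-xr-x root root system_u:object_r:constructed_ref_t /etc/cron.daily/000-delay.cron
-rw-r--r-- root root system_u:object_r:constructed_ref_t /etc/example-only-on-reference
EOF
    compare_contexts "$tmp/mine.txt" "$tmp/reference.txt"
    rm -rf "$tmp"
}

demo_compare
```

To use it on real data, redirect the output of `rpm -ql vixie-cron | xargs ls --context` to a file on each box and pass the two files to `compare_contexts`. Adding `-d` to `ls` keeps each directory in the package list as a single line instead of expanding its contents.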

This seems to have magically fixed itself via an update that occurred this morning. I can't be sure when exactly it was fixed since I hadn't run the yum update in a couple of days thanks to a business trip.

I'll post more if I see anything else wacky related to this.