Fedora 8 selinux blocks root cron but not user cron

Infinity · 11-23-2007, 01:09 PM

Here's the situation:

Upgraded Fedora Core 6 to Fedora 7, then Fedora 8 in rapid succession. I don't know if this problem came into being when going 6->7 or 7->8.

SELinux is in enforcing mode.

Cron is running the contents of crontab just fine for my regular user and my database user (which does database dumps to files). Cron is NOT running root jobs in the crontab, which is making me crazy! I CAN run these jobs when I log in and su to root and then run them manually.

If I edit the crontab as root, here's what pops up in the /var/log/cron log about a minute later.

Code:

Nov 23 12:02:01 machinename crond[1725]: (root) Unauthorized SELinux context (cron/root)

If I put SELinux in disabled mode, it runs the root cron jobs just fine.

I can't figure out two things:
What to change the context on with chcon, and what to change the context to to let Cron run for root.

In /var/spool/cron we have:

Code:

[root@machinename cron]# ls --context
-rw-------  myusername    root system_u:object_r:unconfined_cron_spool_t myusername
-rw-------  postgres root user_u:object_r:cron_spool_t     postgres
-rw-------  root     root system_u:object_r:unconfined_cron_spool_t root

In /usr/sbin we have:

Code:

[root@machinename sbin]# ls --context crond
-rwxr-xr-x  root root system_u:object_r:crond_exec_t   crond

I want the benefits of SELinux so I'm looking for something appropriate to allow the root Cron to work the same as myusername's Cron and postgres's Cron.

The maddening thing is that there's definitely a one-line command to make this right, but I'm not looking to turn off SELinux, and I think that the command that will take care of this problem will probably teach me something useful for the future.

Any ideas?

harry edwards · 11-23-2007, 05:18 PM

Have you checked the Fedora SELinux Troubleshooting guide?

http://fedoraproject.org/wiki/SELinux/Troubleshooting

In particular, the restorcon command looks good.

http://fedoraproject.org/wiki/SELinux/restorecon

Infinity · 11-23-2007, 05:23 PM

Restorcon may help, but a core problem is not knowing what privilege to assign to what file to get it running. Is it something to assign to the user root? Something to assign to the crond? Something to assign to the crontab file?

The fact that it's not generating a permissions warning in /var/log/messages as other posts I've read seem to say should be happening when permission is denied seems unusual as well.

WAJEDUR REHMAN · 11-23-2007, 05:38 PM

may be you try this
If cron is working just fine for myusername's Cron and postgres's Cron
loging using user, check the security context and make changes for root user
ls --context crond

harry edwards · 11-23-2007, 05:47 PM

It might be worth checking the other files cron installs. I think the command is:

rpm -ql vixie-cron | xargs ls --context

and

rpm -ql crontabs | xargs ls --context

It may show an obvious discrepancy.

Infinity · 11-23-2007, 10:27 PM

The results of the rpm -ql vixie-cron command are:

Code:

-rw-r--r--  root root system_u:object_r:etc_t          /etc/cron.deny
-rw-r--r--  root root system_u:object_r:etc_t          /etc/pam.d/crond
-rwxr-xr-x  root root system_u:object_r:initrc_exec_t  /etc/rc.d/init.d/crond
-rw-r--r--  root root system_u:object_r:etc_t          /etc/sysconfig/crond
-rwsr-sr-x  root root system_u:object_r:crontab_exec_t /usr/bin/crontab
-rwxr-xr-x  root root system_u:object_r:crond_exec_t   /usr/sbin/crond
-rw-r--r--  root root system_u:object_r:usr_t          /usr/share/doc/cron/CHANGES
-rw-r--r--  root root system_u:object_r:usr_t          /usr/share/doc/cron/CONVERSION
-rw-r--r--  root root system_u:object_r:usr_t          /usr/share/doc/cron/FEATURES
-rw-r--r--  root root system_u:object_r:usr_t          /usr/share/doc/cron/INSTALL
-rw-r--r--  root root system_u:object_r:usr_t          /usr/share/doc/cron/MAIL
-rw-r--r--  root root system_u:object_r:usr_t          /usr/share/doc/cron/README
-rw-r--r--  root root system_u:object_r:usr_t          /usr/share/doc/cron/THANKS
-rw-r--r--  root root system_u:object_r:man_t          /usr/share/man/man1/crontab.1.gz
-rw-r--r--  root root system_u:object_r:man_t          /usr/share/man/man5/crontab.5.gz
-rw-r--r--  root root system_u:object_r:man_t          /usr/share/man/man8/cron.8.gz
-rw-r--r--  root root system_u:object_r:man_t          /usr/share/man/man8/crond.8.gz

/etc/cron.d:

/var/spool/cron:
-rw-------  myusername    root system_u:object_r:unconfined_cron_spool_t myusername
-rw-------  postgres root user_u:object_r:cron_spool_t     postgres
-rw-------  root     root system_u:object_r:unconfined_cron_spool_t root

==

The rpm -ql crontabs results are:

Code:

-rwxr-xr-x  root root system_u:object_r:bin_t          /etc/cron.daily/000-delay.cron
lrwxrwxrwx  root root system_u:object_r:etc_t          /etc/cron.monthly/000-delay.cron
-rw-r--r--  root root system_u:object_r:system_cron_spool_t /etc/crontab
lrwxrwxrwx  root root system_u:object_r:etc_t          /etc/cron.weekly/000-delay.cron
-rw-r--r--  root root system_u:object_r:etc_t          /etc/sysconfig/crontab
-rwxr-xr-x  root root system_u:object_r:bin_t          /usr/bin/run-parts

/etc/cron.daily:
-rwxr-xr-x  root root system_u:object_r:bin_t          000-delay.cron
-rwxr-xr-x  root root system_u:object_r:bin_t          0anacron
lrwxrwxrwx  root root system_u:object_r:etc_t          0logwatch
-rwxr-xr-x  root root system_u:object_r:bin_t          cups
-rwxr-xr-x  root root system_u:object_r:bin_t          logrotate
-rwxr-xr-x  root root system_u:object_r:bin_t          makewhatis.cron
-rwxr-xr-x  root root system_u:object_r:bin_t          mlocate.cron
-rwxr-xr-x  root root system_u:object_r:bin_t          prelink
-rwxr-xr-x  root root system_u:object_r:bin_t          readahead.cron
-rwxr-xr-x  root root system_u:object_r:bin_t          rpm
-rwxr-xr-x  root root system_u:object_r:bin_t          tetex.cron
-rwxr-xr-x  root root system_u:object_r:bin_t          tmpwatch

/etc/cron.hourly:

/etc/cron.monthly:
lrwxrwxrwx  root root system_u:object_r:etc_t          000-delay.cron
-rwxr-xr-x  root root system_u:object_r:bin_t          0anacron

/etc/cron.weekly:
lrwxrwxrwx  root root system_u:object_r:etc_t          000-delay.cron
-rwxr-xr-x  root root system_u:object_r:bin_t          0anacron
-rwxr-xr-x  root root system_u:object_r:bin_t          makewhatis.cron

harry edwards · 11-24-2007, 03:00 PM

Here is the results from my Fedora 8 box. Compare it against yours, it may show a significant difference.

rpm -ql vixie-cron | xargs ls --context

Code:

[root@localhost ~]# rpm -ql vixie-cron | xargs ls --context
-rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/cron.deny
-rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/pam.d/crond
-rwxr-xr-x  root root system_u:object_r:initrc_exec_t:s0 /etc/rc.d/init.d/crond
-rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/sysconfig/crond
-rwsr-sr-x  root root system_u:object_r:crontab_exec_t:s0 /usr/bin/crontab
-rwxr-xr-x  root root system_u:object_r:crond_exec_t:s0 /usr/sbin/crond
-rw-r--r--  root root system_u:object_r:usr_t:s0       /usr/share/doc/cron/CHANGES
-rw-r--r--  root root system_u:object_r:usr_t:s0       /usr/share/doc/cron/CONVERSION
-rw-r--r--  root root system_u:object_r:usr_t:s0       /usr/share/doc/cron/FEATURES
-rw-r--r--  root root system_u:object_r:usr_t:s0       /usr/share/doc/cron/INSTALL
-rw-r--r--  root root system_u:object_r:usr_t:s0       /usr/share/doc/cron/MAIL
-rw-r--r--  root root system_u:object_r:usr_t:s0       /usr/share/doc/cron/README
-rw-r--r--  root root system_u:object_r:usr_t:s0       /usr/share/doc/cron/THANKS
-rw-r--r--  root root system_u:object_r:man_t:s0       /usr/share/man/man1/crontab.1.gz
-rw-r--r--  root root system_u:object_r:man_t:s0       /usr/share/man/man5/crontab.5.gz
-rw-r--r--  root root system_u:object_r:man_t:s0       /usr/share/man/man8/cron.8.gz
-rw-r--r--  root root system_u:object_r:man_t:s0       /usr/share/man/man8/crond.8.gz

/etc/cron.d:
-rw-r--r--  root root system_u:object_r:system_cron_spool_t:s0 smolt

/var/spool/cron:

rpm -ql crontabs | xargs ls --context

Code:

[root@localhost ~]# rpm -ql crontabs | xargs ls --context
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /etc/cron.daily/000-delay.cron
lrwxrwxrwx  root root system_u:object_r:etc_t:s0       /etc/cron.monthly/000-delay.cron
-rw-r--r--  root root system_u:object_r:system_cron_spool_t:s0 /etc/crontab
lrwxrwxrwx  root root system_u:object_r:etc_t:s0       /etc/cron.weekly/000-delay.cron
-rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/sysconfig/crontab
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/bin/run-parts

/etc/cron.daily:
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       000-delay.cron
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       0anacron
lrwxrwxrwx  root root system_u:object_r:etc_t:s0       0logwatch
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       cups
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       logrotate
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       makewhatis.cron
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       mlocate.cron
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       prelink
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       readahead.cron
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       rpm
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       tmpwatch

/etc/cron.hourly:

/etc/cron.monthly:
lrwxrwxrwx  root root system_u:object_r:etc_t:s0       000-delay.cron
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       0anacron

/etc/cron.weekly:
lrwxrwxrwx  root root system_u:object_r:etc_t:s0       000-delay.cron
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       0anacron
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       makewhatis.cron

Infinity · 11-29-2007, 08:21 AM

This seems to have magically fixed itself via an update that occurred this morning. I can't be sure when exactly it was fixed since I hadn't run the yum update in a couple of days thanks to a business trip.

I'll post more if I see anything else wacky related to this.