Bug 1263328
| Summary: | rawhide selinux policy prevents /var/spool/cron/root from working | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Kevin Fenzi <kevin> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 23 | CC: | abologna, alex.williamson, ben.r.xiao, bojan, brianrhbugzilla, cunio, daniel, devin, dmitryburstein, dominick.grift, dwalsh, dylan.graham, frank, frankly3d, gary.buhrmaster, Gecko8211, igeorgex, jeff, jwakely, letfid, lvrabec, mgrepl, mhlavink, michael, mjc, opensource, orders, plautrba, rocketraman, simon.guest, tim, tom+f, wshi, zingale |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-01-15 14:36:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Kevin Fenzi
2015-09-15 14:41:37 UTC
Hi, This problem is now in Fedora 23 (so probably should update the header fields). I am using the official release, with these package versions: cronie-1.5.0-3.fc23.x86_64 selinux-policy-targeted-3.13.1-152.fc23.noarch On creating a brand new cron job, running crontab -e as root (for the first time), I get this in the journal: Nov 10 08:57:01 kiai.tesujimath.org crond[1524]: (root) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/root) Nov 10 08:57:01 kiai.tesujimath.org crond[1524]: (root) FAILED (loading cron table) My attempted work-around, to install the job as a normal user, fails to work, also because of SELinux. After installing the cron job running crontab -e as sjg, I get this in the journal: Nov 10 09:18:01 kiai.tesujimath.org crond[1524]: (sjg) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/sjg) Nov 10 09:18:01 kiai.tesujimath.org crond[1524]: (sjg) FAILED (loading cron table) I see the problem for Fedora 23 and user crontab also. My automatic backup with the help of BackinTime is not working anymore after upgrading from F22 to F23 Nov 15 13:01:46 jacek crond[4958]: (ja) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/ja) Nov 15 13:01:46 ja crond[4958]: (ja) FAILED (loading cron table) #cat /var/spool/cron/ja #Back In Time system entry, this will be edited by the gui: 0 * * * * /bin/nice -n 19 /bin/ionice -c2 -n7 /bin/backintime --backup-job >/dev/null 2>&1 There are upstream fixes for this issue. Just bumped into this today on F-23: ------------------- Jan 8 07:54:45 beauty crond[5167]: (root) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=system_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/root) Jan 8 07:54:45 beauty crond[5167]: (root) FAILED (loading cron table) ------------------- Changed absolutely nothing, except for applying updates. It just stopped working. I have the same bug in Fedora 23 with the latest updates: Jan 13 08:54:07 daniel-laptop crond[1320]: (daniel) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/daniel) Jan 13 08:54:07 daniel-laptop crond[1320]: (daniel) FAILED (loading cron table) So could somebody change the version from rawhide to 23? Can confirm the same. Is there a workaround for the meanwhile - besides disabling the selinux? When can we expect the upstream fixes to go into F23? I just ran into this issue on my server today. @Dmitry Burstein I've had to put selinux into permissive mode and then restart crond. Isn't a very suitable workaround in terms of security but at least my cron jobs are running. I tried using semanage to only put crond_t into permissive mode, but that didn't seem to work. Switching back to kernel 4.2.8-300.fc23.x86_64 worked around the issue for me. This is definitely affecting F23 now, and is a pretty major bug. Is there any progress towards fixing it? Could anyone test this issue with these scratch builds? F23: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-158.2.fc23.1/ Rawhide: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-166.fc24.1/ Thank you. (In reply to Lukas Vrabec from comment #14) > Could anyone test this issue with these scratch builds? > > F23: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-158.2.fc23.1/ > Rawhide: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-166.fc24.1/ I installed the F23 selinux-policy and selinux-policy-targeted packages on F23, didn't reboot, still using kernel-4.3.3-300.fc23.x86_64. I edited my user's crontab, and it still gets blocked by selinux. So the scratch build doesn't seem to help. To be clear, I edited the crontab to add: */1 * * * * date > /tmp/date Then waited for the top of the minute, and then /var/log/cron shows the job isn't permitted to run: (jwakely) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/jwakely) I installed the scratch builds from comment #(In reply to Lukas Vrabec from comment #14) > Could anyone test this issue with these scratch builds? > > F23: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-158.2.fc23.1/ > Rawhide: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-166.fc24.1/ > > Thank you. I have installed F23 selinux-policy and selinux-policy-targeted as well. After a restart it still doesn't work and I get the same error message as before. *** Bug 1298192 has been marked as a duplicate of this bug. *** Folks, could you please to use the following local policy $ cat mycron.cil (allow unconfined_t user_cron_spool_t( file ( entrypoint))) and run # semodule -i mycron.cil and reload crond as a workaround for now. Does that workaround persist reboots? If so, how to remove it once the bug has been properly fixed? (In reply to Andrea Bolognani from comment #20) > Does that workaround persist reboots? > > If so, how to remove it once the bug has been properly fixed? Yes, it persists. semodule -r mycron to remove it. Or you can boot with older kernel. *** This bug has been marked as a duplicate of bug 1298192 *** The workaround in comment 19 works, thanks. (In reply to Jonathan Wakely from comment #23) > The workaround in comment 19 works, thanks. Thank you for testing. (In reply to Miroslav Grepl from comment #19) > Folks, > could you please to use the following local policy > > $ cat mycron.cil > (allow unconfined_t user_cron_spool_t( file ( entrypoint))) > > and run > > # semodule -i mycron.cil > > and reload crond as a workaround for now. Works for me as well. Thanks! comment #19 is working for me as well. comment #19 ok for me too, thanks |