Bug 1547368

Summary: Unable to run cron jobs from /etc/crontab due to selinux
Product: [Fedora] Fedora Reporter: Robin <robin.bjorklin>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: unspecified    
Version: 27CC: dwalsh, lvrabec, mgrepl, plautrba, pmoore, robin.bjorklin, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-09-05 15:45:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robin 2018-02-21 07:20:31 UTC 
Description of problem:
Unable to run cron jobs.


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-283.24.fc27.noarch
cronie-1.5.1-8.fc27.x86_64
crontabs-1.11-15.20150630git.fc27.noarch
cronie-anacron-1.5.1-8.fc27.x86_64

How reproducible: 5 out of 5 so far.


Steps to Reproduce:
1. Add "* * * * * root touch /tmp/cron-test" to /etc/crontab


Actual results: Cron job not run.

$ systemctl status crond
crond[1458]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=system_u:object_r:etc_t:s0 (/etc/crontab)


Expected results: Cron jobs should run.


Additional info:
Comment 1 Lukas Vrabec 2018-03-10 13:49:45 UTC 
Robin, 

Hi, 

Avc msgs is not complete. Could you reproduce it and attach output of: 

# ausearch -m AVC -m USER_AVC -ts recent 

Thanks,
Lukas.
Comment 2 Robin 2018-03-20 12:03:48 UTC 
So... Running ausearch doesn't produce any information just after cron should have run the job. I am on the other hand very sure it's selinux causing this issue since running `setenforce 0` makes the problem go away.

Any other way I can provide useful information?
Comment 3 Lukas Vrabec 2018-09-05 15:43:04 UTC 
Robin, 

Could you change parameter "-ts today" and send me logs? 


# ausearch -m AVC -m USER_AVC -ts today


THanks,
Lukas.
Comment 4 Lukas Vrabec 2018-09-05 15:45:25 UTC 
Could we continue with solving this in rhbz#1625645 ? Closing this as duplicate

*** This bug has been marked as a duplicate of bug 1625645 ***
Comment 5 Tomas Mraz 2018-09-10 07:49:16 UTC 
Robin, did you try to restorecon -Fv /etc/crontab ? It seems it has a wrong context.
Comment 6 Robin 2018-09-17 11:27:49 UTC 
Thanks Tomas! That solved the issue!