Bug 155184

Summary: SELinux and Cron Daily Issue
Product: [Fedora] Fedora
Reporter: Ryan Skadberg <redhat>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium    
Version: rawhide   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2005-04-20 15:00:05 UTC

Description Ryan Skadberg 2005-04-17 19:26:12 UTC
Installed FC3 cleanly and then did a yum update to development.  Now, I get this
in my e-mail:

From: root@machine (Cron Daemon)
To: root@machine
Subject: Cron <root@codewarrior> run-parts /etc/cron.hourly
X-Cron-Env: <SHELL=/bin/bash>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <HOME=/>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

execl: couldn't exec `/bin/bash'
execl: Permission denied

And see this in /var/log/messages:

Apr 17 15:01:01 machine kernel: audit(1113764461.774:0): avc:  denied  {
transition } for  pid=3559 exe=/usr/sbin/crond path=/bin/bash dev=dm-0 ino=1769565
scontext=user_u:system_r:initrc_t tcontext=system_u:system_r:unconfined_t
tclass=process

Comment 1 Ryan Skadberg 2005-04-17 20:13:32 UTC
Actually, seeing this in cron.hourly, cron.daily and cron.weekly

Comment 2 Daniel Walsh 2005-04-19 15:45:50 UTC
This looks like a labeling problem.  cron should be running under crond_t.

What is /usr/sbin/crond context?

ls -lZ /usr/sbin/crond
-rwxr-xr-x  root     root     system_u:object_r:crond_exec_t   /usr/sbin/crond

If it is not this, restorecon -v /usr/sbin/crond should fix it.  If you want to
relabel the system

touch /.autorelabel 
reboot
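
The triage from Comment 2, as an added example that is not part of the original bug thread: it pulls the source domain out of the AVC denial quoted in the Description and compares the executable's label with the expected crond_exec_t. The function names and the mislabeled bin_t listing are constructed for illustration; the report does not show the actual wrong label.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# Kernel message from the Description, rejoined onto one line.
AVC='Apr 17 15:01:01 machine kernel: audit(1113764461.774:0): avc:  denied  { transition } for  pid=3559 exe=/usr/sbin/crond path=/bin/bash dev=dm-0 ino=1769565 scontext=user_u:system_r:initrc_t tcontext=system_u:system_r:unconfined_t tclass=process'
# Expected listing from Comment 2.
GOOD_LS='-rwxr-xr-x  root     root     system_u:object_r:crond_exec_t   /usr/sbin/crond'
# Constructed mislabeled listing; the report never shows the actual wrong label.
BAD_LS='-rwxr-xr-x  root     root     system_u:object_r:bin_t          /usr/sbin/crond'

# avc_field LINE KEY: print the value of KEY=value in an AVC message.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# ctx_type CONTEXT: print the type, the third field of user:role:type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# ls_type LINE: print the type of the first context in an `ls -lZ` line.
ls_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# diagnose AVC LS_LINE WANT_DOMAIN WANT_EXEC_TYPE: print ok, relabel or other.
diagnose() {
    domain=$(ctx_type "$(avc_field "$1" scontext)")
    ftype=$(ls_type "$2")
    if [ "$domain" = "$3" ]; then
        echo ok        # the daemon already runs in the expected domain
    elif [ "$ftype" != "$4" ]; then
        echo relabel   # executable has the wrong type: restorecon -v it
    else
        echo other     # label is correct, so the cause lies elsewhere
    fi
}

echo "exe:     $(avc_field "$AVC" exe)"
echo "domain:  $(ctx_type "$(avc_field "$AVC" scontext)") (Comment 2 expects crond_t)"
echo "verdict: $(diagnose "$AVC" "$BAD_LS" crond_t crond_exec_t)"
```

On a live system the second argument to `diagnose` would be the output of `ls -lZ /usr/sbin/crond`.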
 

Comment 3 Ryan Skadberg 2005-04-19 23:50:07 UTC
This seems to have been the issue.  Doing the restorecon fixed things.  I did a
relabel just in case other things were broken and all seems well now.

Someone probably needs to look into why this permission got changed for me.  Or
maybe any SELinux upgrade should automatically add a /.autorelabel?


Comment 4 Daniel Walsh 2005-04-20 15:00:05 UTC
Did you ever turn off SELinux?



Comment 5 Ryan Skadberg 2005-04-20 15:06:04 UTC
Nope.  Process was:

Installed FC3
Yum Update to Development
Problem started

Comment 6 Daniel Walsh 2005-04-20 15:18:09 UTC
Well the rpm is supposed to figure out what requires a relabel and relabel on
the fly.  Something must have gone wrong during the upgrade.  Did you see lots
of restorecon messages during the upgrade?