Bug 1645825

Summary: SELinux preventing crond from access to crontab and cron.d contents
Product: [Fedora] Fedora
Reporter: dan
Component: crontabs
Assignee: Tomas Mraz <tmraz>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: unspecified
Version: 29
CC: dan, mmaslano, tmraz
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-11-05 07:59:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description dan 2018-11-04 04:04:07 UTC
After upgrading to FC29, I noticed that several cron jobs were not running.  In checking the journal I found:

Nov 03 23:51:32 zzz.com crond[4261]: (CRON) STARTUP (1.5.2)
Nov 03 23:51:32 zzz.com crond[4261]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 56% if used.)
Nov 03 23:51:32 zzz.com crond[4261]: ((null)) Unauthorized SELinux context=system_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:system_cron_spool_t:s0 (/etc/cron.d/suncron)
Nov 03 23:51:32 zzz.com crond[4261]: (root) FAILED (loading cron table)
Nov 03 23:51:32 zzz.com crond[4261]: ((null)) Unauthorized SELinux context=system_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:system_cron_spool_t:s0 (/etc/cron.d/clamav-update)
Nov 03 23:51:32 zzz.com crond[4261]: (root) FAILED (loading cron table)
Nov 03 23:51:32 zzz.com crond[4261]: ((null)) Unauthorized SELinux context=system_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:system_cron_spool_t:s0 (/etc/cron.d/0hourly)
Nov 03 23:51:32 zzz.com crond[4261]: (root) FAILED (loading cron table)
Nov 03 23:51:32 zzz.com crond[4261]: ((null)) Unauthorized SELinux context=system_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:system_cron_spool_t:s0 (/etc/cron.d/raid-check)
Nov 03 23:51:32 zzz.com crond[4261]: (root) FAILED (loading cron table)

crontab and cron.d are labeled as: unconfined_u:object_r:system_cron_spool_t:s0

However, I noticed that the cron.daily, weekly, monthly files were labeled as:

system_u:object_r:bin_t:s0

So as a workaround, I relabeled crontab and cron.d contents and then crond succeeded.

This needs to be reconciled as to what the files should be labeled and what SELinux expects.

Comment 1 Tomas Mraz 2018-11-05 07:59:13 UTC

*** This bug has been marked as a duplicate of bug 1639381 ***
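
Added example, not part of the bug report or of cronie: a small Python triage helper that parses crond's "Unauthorized SELinux context=... file_context=... (path)" journal lines, in the format quoted in the description, and groups the refused cron tables by the crond domain and the file label type. The sample lines are constructed from that format, and the names `find_refusals` and `summarize` are hypothetical.

```python
import re
from collections import namedtuple

# Constructed sample: journal lines in the format quoted in the description.
SAMPLE = """\
Nov 03 23:51:32 zzz.com crond[4261]: (CRON) STARTUP (1.5.2)
Nov 03 23:51:32 zzz.com crond[4261]: ((null)) Unauthorized SELinux context=system_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:system_cron_spool_t:s0 (/etc/cron.d/0hourly)
Nov 03 23:51:32 zzz.com crond[4261]: (root) FAILED (loading cron table)
Nov 03 23:51:32 zzz.com crond[4261]: ((null)) Unauthorized SELinux context=system_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:system_cron_spool_t:s0 (/etc/cron.d/raid-check)
Nov 03 23:51:32 zzz.com crond[4261]: (root) FAILED (loading cron table)
"""

Context = namedtuple("Context", "user role type level")
Refusal = namedtuple("Refusal", "path process file")

LINE_RE = re.compile(
    r"Unauthorized SELinux context=(\S+) file_context=(\S+) \((.+)\)\s*$"
)

def parse_context(text):
    # user:role:type:level. The level can itself contain ':' (s0-s0:c0.c1023),
    # so split on the first three colons only; pad if no level is present.
    parts = text.split(":", 3)
    parts += [""] * (4 - len(parts))
    return Context(*parts)

def find_refusals(journal_text):
    """Return one Refusal per cron table that crond declined to load."""
    refusals = []
    for line in journal_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            refusals.append(
                Refusal(m.group(3), parse_context(m.group(1)), parse_context(m.group(2)))
            )
    return refusals

def summarize(refusals):
    """Group refused paths by (crond process type, file label type)."""
    groups = {}
    for r in refusals:
        groups.setdefault((r.process.type, r.file.type), []).append(r.path)
    return groups

if __name__ == "__main__":
    for (ptype, ftype), paths in summarize(find_refusals(SAMPLE)).items():
        print(f"crond domain {ptype} refused {len(paths)} table(s) labeled {ftype}:")
        for p in paths:
            print("   " + p)
```

On a live system the same functions can be fed the output of `journalctl -u crond` instead of the constructed sample.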