Bug 388001
Summary: | selinux preventing cron from starting. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Dave Jones <davej> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 8 | CC: | pfrields |
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | Current | Doc Type: | Bug Fix |
Last Closed: | 2008-01-30 19:05:32 UTC | Type: | --- |
Description
Dave Jones
2007-11-17 01:48:51 UTC
Have you updated to the latest policy version? This should have been fixed in selinux-policy-3.0.8-47?

still broken for me.

```
(19:47:08:davej@firewall:~)$ rpm -q selinux-policy
selinux-policy-3.0.8-56.fc8
(19:47:27:root@firewall:~)# getenforce
Permissive
(19:47:33:root@firewall:~)# setenforce 1
(19:47:38:root@firewall:~)# getenforce
Enforcing
(19:47:39:root@firewall:~)# /etc/init.d/crond restart
Stopping crond: [ OK ]
Starting crond: /bin/bash: /usr/sbin/crond: Permission denied [FAILED]
(19:47:48:root@firewall:~)# setenforce 0
(19:48:09:root@firewall:~)# /etc/init.d/crond restart
Stopping crond: [FAILED]
Starting crond: [ OK ]
```

I did a full relabel a day or two ago too, didn't help.

Try

```
# semanage user -m -r s0-s0:c0.c1023 unconfined_u
```

Then log out and log back in. All the way out, not just the su. If it still does not work, do an `id -Z` after login.

```
# semanage user -m -r s0-s0:c0.c1023 unconfined_u
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
/usr/sbin/semanage: SELinux user unconfined_u is not defined
```

This box was yum updated from f7 -> f8. Perhaps this was a problem during the upgrade?

After the semanage command above, does it work?

no, probably because the command failed?

I found that selinux-policy-devel wasn't installed, so I installed it and retried the command, different output this time..

```
semanage user -m -r s0-s0:c0.c1023 unconfined_u
/usr/sbin/semanage: SELinux user unconfined_u is not defined
```

logged out & back in, tried to restart cron in enforcing mode, still fails.

These commands should have happened on upgrade:

```
semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
semanage login -m -s "unconfined_u" __default__ 2> /dev/null
semanage login -m -s "system_u" root 2> /dev/null
semanage user -a -P guest -R guest_r guest_u
semanage user -a -P xguest -R xguest_r xguest_u
restorecon -R /root /var/log /var/run 2> /dev/null
```

You seem to be logging in as the default user user_u instead of unconfined_u.

awesome. that makes it work again. I wonder why that never triggered when I did the yum update from f7 -> f8.

whoops. it allowed me to restart cron, but it then stopped me from logging in again afterwards (both by ssh and on the console). rebooted to single-user and relabelled, which fixed that, but now this is odd..

```
$ ll -Z .ssh/
lrwxrwxrwx davej davej unconfined_u:object_r:unconfined_home_t authorized_keys -> /home/davej/.ssh/id_dsa.pub
-rw------- davej davej unconfined_u:object_r:unconfined_home_t id_dsa
-rw-r--r-- davej davej unconfined_u:object_r:unconfined_home_t id_dsa.pub
-rw------- davej davej unconfined_u:object_r:unconfined_home_t identity
-rw-r--r-- davej davej unconfined_u:object_r:unconfined_home_t identity.pub
-rw-r--r-- davej davej unconfined_u:object_r:unconfined_home_t known_hosts
```

`restorecon .ssh/*` doesn't set them back to user_u:object_r:user_home_ssh_t. This means I'm asked for a password every time I ssh, instead of it doing key-auth. Help me obi-wan.

What is your ssh-agent running as?

```
ps -eZ | grep ssh
```

```
# ps -eZ | grep ssh
system_u:system_r:sshd_t:SystemLow-SystemHigh 1702 ? 00:00:00 sshd
system_u:system_r:sshd_t:SystemLow-SystemHigh 2067 ? 00:00:00 sshd
system_u:system_r:sshd_t:SystemLow-SystemHigh 2071 ? 00:00:00 sshd
```

So ssh-agent is not running? Have you updated to selinux-policy-3.0.8-62?

selinux-policy-3.0.8-64.fc8

no ssh-agent, but sshd is running. (And restarting it makes no difference)

Fixed in selinux-policy-3.0.8-69.fc8

Bulk closing old selinux policy bugs that were in the modified state. If the bug is still not fixed, please reopen.
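
The thread lists the `semanage` commands the F7 to F8 upgrade should have run. As an added example (not part of the bug report or of the policy package), the script below checks `semanage user -l` and `semanage login -l` listings against the state those commands produce. The function names are hypothetical and the sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report. The listings below are constructed,
# shaped like `semanage user -l` and `semanage login -l` output.
BROKEN_USERS='SELinux User  Prefix  MCS Level  MCS Range       SELinux Roles
root          user    s0         s0-s0:c0.c1023  system_r sysadm_r user_r
system_u      user    s0         s0-s0:c0.c1023  system_r
user_u        user    s0         s0              system_r user_r'
BROKEN_LOGINS='Login Name   SELinux User  MLS/MCS Range
__default__  user_u        s0
root         root          s0-s0:c0.c1023'
FIXED_USERS="$BROKEN_USERS
unconfined_u  unconfined  s0     s0-s0:c0.c1023  system_r unconfined_r
guest_u       guest       s0     s0              guest_r
xguest_u      xguest      s0     s0              xguest_r"
FIXED_LOGINS='Login Name   SELinux User  MLS/MCS Range
__default__  unconfined_u  s0-s0:c0.c1023
root         system_u      s0-s0:c0.c1023'

# Succeeds if SELinux user $1 appears in column 1 of the listing on stdin.
has_selinux_user() {
    awk -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Prints the SELinux user that login name $1 maps to (listing on stdin).
login_mapping() {
    awk -v l="$1" '$1 == l { print $2; exit }'
}

# $1 = user listing, $2 = login listing.
# Prints every deviation from the upgrade commands quoted in the thread;
# returns 1 if any was found.
check_mappings() {
    rc=0
    for u in unconfined_u guest_u xguest_u; do
        printf '%s\n' "$1" | has_selinux_user "$u" ||
            { echo "SELinux user $u is not defined"; rc=1; }
    done
    for pair in __default__:unconfined_u root:system_u; do
        login=${pair%%:*}; want=${pair#*:}
        got=$(printf '%s\n' "$2" | login_mapping "$login")
        [ "$got" = "$want" ] ||
            { echo "login $login maps to '$got', expected $want"; rc=1; }
    done
    return "$rc"
}

# Live use (as root): check_mappings "$(semanage user -l)" "$(semanage login -l)"
check_mappings "$BROKEN_USERS" "$BROKEN_LOGINS" || true
```
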