Bug 388001

Summary: selinux preventing cron from starting.
Product: [Fedora] Fedora
Reporter: Dave Jones <davej>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: 8
CC: pfrields
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:05:32 UTC

Description Dave Jones 2007-11-17 01:48:51 UTC
service crond restart fails, and there are these messages in audit.log ..

type=SELINUX_ERR msg=audit(1195262426.448:2102): security_compute_sid:  invalid
context user_u:system_r:crond_t:s0-s0:c0.c1023 for
scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:crond_exec_t:s0
tclass=process
type=SYSCALL msg=audit(1195262426.448:2102): arch=40000003 syscall=11 success=no
exit=-13 a0=9589958 a1=95897b8 a2=9589c98 a3=0 items=0 ppid=7493 pid=7494
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3
comm="bash" exe="/bin/bash" subj=user_u:system_r:initrc_t:s0 key=(null)

Comment 1 Daniel Walsh 2007-11-17 11:56:12 UTC
Have you updated to the latest policy version?

This should have been fixed in 
selinux-policy-3.0.8-47?

Comment 2 Dave Jones 2007-11-20 00:48:38 UTC
still broken for me.

(19:47:08:davej@firewall:~)$ rpm -q selinux-policy
selinux-policy-3.0.8-56.fc8
(19:47:27:root@firewall:~)# getenforce 
Permissive
(19:47:33:root@firewall:~)# setenforce 1
(19:47:38:root@firewall:~)# getenforce 
Enforcing
(19:47:39:root@firewall:~)# /etc/init.d/crond restart
Stopping crond:                                            [  OK  ]
Starting crond: /bin/bash: /usr/sbin/crond: Permission denied
                                                           [FAILED]


(19:47:48:root@firewall:~)# setenforce 0
(19:48:09:root@firewall:~)# /etc/init.d/crond restart
Stopping crond:                                            [FAILED]
Starting crond:                                            [  OK  ]


I did a full relabel a day or two ago too, didn't help.

Comment 3 Daniel Walsh 2007-11-20 13:21:54 UTC
Try 
# semanage user -m -r s0-s0:c0.c1023 unconfined_u

Then log out and log back in.  All the way out, not just the su.

If it still does not work, do an id -Z after login.

Comment 4 Dave Jones 2007-11-20 20:00:01 UTC
# semanage user -m -r s0-s0:c0.c1023 unconfined_u
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
/usr/sbin/semanage: SELinux user unconfined_u is not defined


This box was yum updated from f7 -> f8
Perhaps this was a problem during the upgrade?


Comment 5 Daniel Walsh 2007-11-26 16:58:28 UTC
After the semanage command above, does it work?

Comment 6 Dave Jones 2007-11-26 19:17:45 UTC
no, probably because the command failed?


Comment 7 Dave Jones 2007-11-26 19:27:31 UTC
I found that selinux-policy-devel wasn't installed, so I installed it and
retried the command, different output this time..

semanage user -m -r s0-s0:c0.c1023 unconfined_u
/usr/sbin/semanage: SELinux user unconfined_u is not defined

logged out & back in, tried to restart cron in enforcing mode still fails.

Comment 8 Daniel Walsh 2007-11-26 21:02:13 UTC
These commands should have happened on upgrade

semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
semanage login -m -s "unconfined_u" __default__ 2> /dev/null
semanage login -m -s "system_u" root 2> /dev/null
semanage user -a -P guest -R guest_r guest_u
semanage user -a -P xguest -R xguest_r xguest_u
restorecon -R /root /var/log /var/run 2> /dev/null

You seem to be logging in as the default user user_u  instead of unconfined_u.
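
An added example, not part of the original bug report or of any Fedora tooling: a small Python parser that pairs the `security_compute_sid: invalid context` record from the description with the SYSCALL record of the same audit event, so the login user (`user_u`) named in comment 8 shows up next to the failing exec. The function names and the re-joined sample log are this example's own constructions.

```python
import errno
import re

# Constructed input: the two audit records from the bug description, with the
# line wrapping removed so that each record is a single line.
SAMPLE_LOG = (
    'type=SELINUX_ERR msg=audit(1195262426.448:2102): security_compute_sid:  invalid '
    'context user_u:system_r:crond_t:s0-s0:c0.c1023 for '
    'scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:crond_exec_t:s0 '
    'tclass=process\n'
    'type=SYSCALL msg=audit(1195262426.448:2102): arch=40000003 syscall=11 success=no '
    'exit=-13 a0=9589958 a1=95897b8 a2=9589c98 a3=0 items=0 ppid=7493 pid=7494 '
    'auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 '
    'comm="bash" exe="/bin/bash" subj=user_u:system_r:initrc_t:s0 key=(null)\n'
)

EVENT = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")
INVALID = re.compile(r"security_compute_sid:\s+invalid context (\S+) for "
                     r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):  # user:role:type:range; the MLS range may contain ':'
    return dict(zip(("user", "role", "type", "range"), ctx.split(":", 3)))

def invalid_transitions(log_text):
    """Pair each invalid-context SELINUX_ERR with the SYSCALL of the same event."""
    errors, syscalls = {}, {}
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        if rtype == "SELINUX_ERR" and INVALID.search(body):
            errors[event_id] = INVALID.search(body).groups()
        elif rtype == "SYSCALL":
            syscalls[event_id] = {k: v.strip('"') for k, v in FIELD.findall(body)}
    findings = []
    for event_id, (rejected, scontext, _tcontext, _tclass) in errors.items():
        sc = syscalls.get(event_id, {})  # the SYSCALL record may be missing
        findings.append({
            "event": event_id,
            "rejected": split_context(rejected),
            "source_user": split_context(scontext)["user"],
            "exe": sc.get("exe"),
            "auid": sc.get("auid"),
            "errno": errno.errorcode.get(-int(sc["exit"])) if "exit" in sc else None,
        })
    return findings

if __name__ == "__main__":
    print(invalid_transitions(SAMPLE_LOG))
```

The `exit=-13` field decodes to `EACCES`, which matches the `Permission denied` shown in comment 2.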



Comment 9 Dave Jones 2007-11-27 23:53:43 UTC
awesome. that makes it work again.
I wonder why that never triggered when I did the yum update from f7 -> f8.


Comment 10 Dave Jones 2007-11-28 06:27:08 UTC
whoops.  it allowed me to restart cron, but it then stopped me from logging in
again afterwards (both by ssh and on the console).  rebooted to single-user and
relabelled, which fixed that, but now this is odd..

$ ll -Z .ssh/
lrwxrwxrwx  davej davej unconfined_u:object_r:unconfined_home_t authorized_keys -> /home/davej/.ssh/id_dsa.pub
-rw-------  davej davej unconfined_u:object_r:unconfined_home_t id_dsa
-rw-r--r--  davej davej unconfined_u:object_r:unconfined_home_t id_dsa.pub
-rw-------  davej davej unconfined_u:object_r:unconfined_home_t identity
-rw-r--r--  davej davej unconfined_u:object_r:unconfined_home_t identity.pub
-rw-r--r--  davej davej unconfined_u:object_r:unconfined_home_t known_hosts

restorecon .ssh/* doesn't set them back to user_u:object_r:user_home_ssh_t
This means I'm asked for a password every time I ssh, instead of it doing
key-auth.  Help me obi-wan.

Comment 11 Daniel Walsh 2007-11-28 10:30:01 UTC
What is your ssh-agent running as?

ps -eZ | grep ssh


Comment 12 Dave Jones 2007-12-03 06:07:25 UTC
# ps -eZ | grep ssh
system_u:system_r:sshd_t:SystemLow-SystemHigh 1702 ? 00:00:00 sshd
system_u:system_r:sshd_t:SystemLow-SystemHigh 2067 ? 00:00:00 sshd
system_u:system_r:sshd_t:SystemLow-SystemHigh 2071 ? 00:00:00 sshd


Comment 13 Daniel Walsh 2007-12-03 18:01:50 UTC
So ssh-agent is not running?

Have you updated to selinux-policy-3.0.8-62?

Comment 14 Dave Jones 2007-12-10 21:36:13 UTC
selinux-policy-3.0.8-64.fc8

no ssh-agent, but sshd is running. (And restarting it makes no difference)

Comment 15 Daniel Walsh 2007-12-12 21:51:37 UTC
Fixed in selinux-policy-3.0.8-69.fc8


Comment 16 Daniel Walsh 2008-01-30 19:05:32 UTC
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.