Bug 518345
| Summary: | CROND fails with Unauthorized SELinux context | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Seramal <seramal> |
| Component: | crontabs | Assignee: | Marcela Mašláňová <mmaslano> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 11 | CC: | mgrepl, mmaslano, tmraz |
| Target Milestone: | --- | Keywords: | SELinux |
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-09-21 12:16:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Please try to update to the latest selinux-policy. In case the problem is still reproducible attach the problematic part of avc messages from /var/log/audit/audit.log I have the latest selinux-policy from fc11: selinux-policy-3.6.12-72.fc11.noarch selinux-policy-targeted-3.6.12-72.fc11.noarch About AVG, there is no error, otherwise I would audit2allow it. I also tried semodule -DB and nothing pops up in audit.log. Some other things: -rwsr-sr-x. root root system_u:object_r:crontab_exec_t:s0 /usr/bin/crontab # semodule -l|grep -i cron # Thanks for replying! I just did:
# touch /.autorelabel
# reboot
and still get
(testing) Unauthorized SELinux context (cron/testing)
I was searching for this bug and located the file that generates the message: security.c (Implement Red Hat crond security context transitions, Jason Vas Dias <jvdias> January 2006):
function cron_authorize_context() has:
/*
* Since crontab files are not directly executed,
* crond must ensure that the crontab file has
* a context that is appropriate for the context of
* the user cron job. It performs an entrypoint
* permission check for this purpose.
*/
retval = security_compute_av(scontext, file_context,
SECCLASS_FILE, bit, &avd);
if (retval || ((bit & avd.allowed) != bit))
return 0;
#endif
return 1;
then,
if (!cron_authorize_context( scontext, file_context)) {
freecon(scontext);
freecon(file_context);
if (security_getenforce() > 0) {
log_it(name, getpid(), "Unauthorized SELinux context", tabname);
return -1;
}
If security_compute_av() fails, the message is generated, meaning the scontext is not allowed by the policy to access the file_context.
Still, no AVG messages
Could you run the job which isn't executed from crontab again and attach log from /var/audit/audit.log which will be generated? I don't see any problematic jobs in my crontabs. If you have so complicated setting for different group with different permission there is also possibility of mistake in your setting. Are sure the job which you are trying is executable for user in your group? I suppose your fixed your problem which is hardly in cron. Closing as notabug. |
Description of problem: crond won't run crontab of user_u:user_r:user_t:s0 in fedora core 11. It fails to do a * * * * * /usr/bin/id > /tmp/TEST (root crontabs run successfully) /var/log/cron says: Aug 20 02:45:01 ic21 crond[1733]: (testing) Unauthorized SELinux context (cron/testing) Version-Release number of selected component (if applicable): crontabs-1.10-30.fc11.noarch anacron-2.3-78.fc11.i586 How reproducible: Just add a user as user_u, login with ssh, and crontab -e a new entry. Additional info: semanage user -l Labeling MLS/ MLS/ SELinux User Prefix MCS Level MCS Range SELinux Roles guest_u user s0 s0-s0:c0.c1023 guest_r root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r sysadm_u user s0 s0-s0:c0.c1023 sysadm_r system_u user s0 s0-s0:c0.c1023 system_r unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r user_u user s0 s0 user_r xguest_u user s0 s0 xguest_r semanage login -l Login Name SELinux User MLS/MCS Range __default__ unconfined_u s0-s0:c0.c1023 root unconfined_u s0-s0:c0.c1023 system_u system_u s0-s0:c0.c1023 testing user_u s0 My crontab file in /var/spool/cron/ -rw-------. testing root user_u:object_r:user_cron_spool_t:s0 testing Help, please?