Bug 625016

Summary: crond requires a restart if mcstransd is stopped
Product: Red Hat Enterprise Linux 5 Reporter: Peter Bieringer <pb>
Component: vixie-cronAssignee: Marcela Mašláňová <mmaslano>
Status: CLOSED ERRATA QA Contact: qe-baseos-daemons
Severity: medium Docs Contact:
Priority: low    
Version: 5.5CC: azelinka, dwalsh, katzj, ovasik, psklenar
Target Milestone: rcKeywords: SELinux
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 625009 Environment:
Last Closed: 2012-02-21 03:13:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Peter Bieringer 2010-08-18 11:13:42 UTC 
if mcstransd was stopped manually or per accident (crash), suddenly crond logs:

Aug 18 10:50:01 system crond[23750]: CRON (*system*) ERROR:Could not set exec context to user_u:system_r:unconfined_t for user
Aug 18 10:50:01 system crond[23750]: CRON (root) ERROR: failed to change SELinux context
Aug 18 10:50:01 system crond[23750]: CRON (root) ERROR: cannot set security context
Aug 18 10:50:01 system crond[23751]: CRON (*system*) ERROR:Could not set exec context to user_u:system_r:unconfined_t for user
Aug 18 10:50:01 system crond[23751]: CRON (root) ERROR: failed to change SELinux context
Aug 18 10:50:01 system crond[23751]: CRON (root) ERROR: cannot set security context
Aug 18 10:55:01 system crond[23927]: CRON (*system*) ERROR:Could not set exec context to user_u:system_r:unconfined_t for user
Aug 18 10:55:01 system crond[23927]: CRON (root) ERROR: failed to change SELinux context
Aug 18 10:55:01 system crond[23927]: CRON (root) ERROR: cannot set security context

No cron jobs are executed anymore on a SELinux enforced systems.

only restart of crond helps, if crond is not restarted, this messages appear forever.
Comment 1 RHEL Program Management 2011-01-11 20:17:40 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 2 RHEL Program Management 2011-01-12 15:18:23 UTC 
This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.
Comment 3 RHEL Program Management 2011-05-31 13:17:07 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 4 Miroslav Grepl 2011-09-14 10:51:31 UTC 
Could you add me outputs of

# rpm -q selinux-policy

# sestatus
Comment 5 Daniel Walsh 2011-09-15 14:47:05 UTC 
This is one reason we do not run mcstransd in RHEL6. The problem here is the real label on the files was

user_u:system_r:unconfined_t:s0

But crond got this label when mcstransd was running which was substituting :s0 with "".

Now when crond tries to use this label and mcstransd is not running it gets the wrong label.  The solution to the problem is that crond should always use raw labels and not translated labels.
Comment 11 errata-xmlrpc 2012-02-21 03:13:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0304.html