Bug 1263328 - rawhide selinux policy prevents /var/spool/cron/root from working
Status: CLOSED DUPLICATE of bug 1298192
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-09-15 10:41 EDT by Kevin Fenzi
Modified: 2016-02-12 23:04 EST
CC: 34 users
Doc Type: Bug Fix
Last Closed: 2016-01-15 09:36:47 EST
Type: Bug
Attachments: None

Description Kevin Fenzi 2015-09-15 10:41:37 EDT
I have a backup job defined in /var/spool/cron/root via crontab -e.

It's stopped working recently. 

Upon editing I see in the journal: 

Sep 15 08:28:01 voldemort.scrye.com crond[1165]: (root) FAILED (loading cron table)

If I setenforce 0 and re-edit: 

Sep 15 08:30:01 voldemort.scrye.com crond[1165]: (root) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/root)
Sep 15 08:30:01 voldemort.scrye.com crond[1165]: (root) SELinux in permissive mode, continuing (/var/spool/cron/root)

restorecon -Rv /var/spool/cron gives: 

restorecon -Rv /var/spool/cron/
restorecon:  Warning no default label for /var/spool/cron/root

There are no AVCs that I can see on the failure. 

cronie-1.5.0-3.fc23.x86_64
selinux-policy-targeted-3.13.1-147.fc24.noarch
Comment 1 Simon Guest 2015-11-09 15:12:54 EST
Hi,

This problem is now in Fedora 23 (so probably should update the header fields).  I am using the official release, with these package versions:

cronie-1.5.0-3.fc23.x86_64
selinux-policy-targeted-3.13.1-152.fc23.noarch

On creating a brand new cron job, running crontab -e as root (for the first time), I get this in the journal:

Nov 10 08:57:01 kiai.tesujimath.org crond[1524]: (root) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/root)
Nov 10 08:57:01 kiai.tesujimath.org crond[1524]: (root) FAILED (loading cron table)
Comment 2 Simon Guest 2015-11-09 15:20:16 EST
My attempted work-around, to install the job as a normal user, fails to work, also because of SELinux.  After installing the cron job running crontab -e as sjg, I get this in the journal:

Nov 10 09:18:01 kiai.tesujimath.org crond[1524]: (sjg) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/sjg)
Nov 10 09:18:01 kiai.tesujimath.org crond[1524]: (sjg) FAILED (loading cron table)
Comment 3 Jacek Pawlyta 2015-11-15 07:17:36 EST
I see the problem for Fedora 23 and user crontab also. My automatic backup with the help of BackinTime is not working anymore after upgrading from F22 to F23
Comment 4 Jacek Pawlyta 2015-11-15 07:25:38 EST
Nov 15 13:01:46 jacek crond[4958]: (ja) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/ja)
Nov 15 13:01:46 ja crond[4958]: (ja) FAILED (loading cron table)
Comment 5 Jacek Pawlyta 2015-11-15 07:27:41 EST
#cat /var/spool/cron/ja 
#Back In Time system entry, this will be edited by the gui:
0 * * * * /bin/nice -n 19 /bin/ionice -c2 -n7 /bin/backintime --backup-job >/dev/null 2>&1
Comment 6 Miroslav Grepl 2015-12-11 03:31:14 EST
There are upstream fixes for this issue.
Comment 7 Bojan Smojver 2016-01-07 15:57:06 EST
Just bumped into this today on F-23:
-------------------
Jan  8 07:54:45 beauty crond[5167]: (root) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=system_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/root)
Jan  8 07:54:45 beauty crond[5167]: (root) FAILED (loading cron table)
-------------------

Changed absolutely nothing, except for applying updates. It just stopped working.
Comment 8 Daniel Lehrner 2016-01-13 02:56:22 EST
I have the same bug in Fedora 23 with the latest updates:

Jan 13 08:54:07 daniel-laptop crond[1320]: (daniel) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/daniel)
Jan 13 08:54:07 daniel-laptop crond[1320]: (daniel) FAILED (loading cron table)

So could somebody change the version from rawhide to 23?
Comment 9 Dmitry Burstein 2016-01-13 04:55:23 EST
Can confirm the same.
Is there a workaround for the meanwhile - besides disabling the selinux?
Comment 10 Benjamin Xiao 2016-01-13 14:18:07 EST
When can we expect the upstream fixes to go into F23? I just ran into this issue on my server today.
Comment 11 Benjamin Xiao 2016-01-13 15:24:42 EST
@Dmitry Burstein

I've had to put selinux into permissive mode and then restart crond. It isn't a very suitable workaround in terms of security, but at least my cron jobs are running.

I tried using semanage to only put crond_t into permissive mode, but that didn't seem to work.
Comment 12 Michael Altizer 2016-01-13 19:43:10 EST
Switching back to kernel 4.2.8-300.fc23.x86_64 worked around the issue for me.
Comment 13 Jonathan Wakely 2016-01-13 20:45:48 EST
This is definitely affecting F23 now, and is a pretty major bug. Is there any progress towards fixing it?
Comment 14 Lukas Vrabec 2016-01-14 08:45:08 EST
Could anyone test this issue with these scratch builds? 

F23: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-158.2.fc23.1/
Rawhide: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-166.fc24.1/

Thank you.
Comment 15 Jonathan Wakely 2016-01-14 08:53:22 EST
(In reply to Lukas Vrabec from comment #14)
> Could anyone test this issue with these scratch builds? 
> 
> F23: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-158.2.fc23.1/
> Rawhide: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-166.fc24.1/

I installed the F23 selinux-policy and selinux-policy-targeted packages on F23, didn't reboot, still using kernel-4.3.3-300.fc23.x86_64. I edited my user's crontab, and it still gets blocked by selinux. So the scratch build doesn't seem to help.
Comment 16 Jonathan Wakely 2016-01-14 08:55:04 EST
To be clear, I edited the crontab to add:

*/1 * * * * date > /tmp/date

Then waited for the top of the minute, and then /var/log/cron shows the job isn't permitted to run:

(jwakely) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/jwakely)
Comment 17 Daniel Lehrner 2016-01-14 09:11:44 EST
I installed the scratch builds from comment #
(In reply to Lukas Vrabec from comment #14)
> Could anyone test this issue with these scratch builds? 
> 
> F23: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-158.2.fc23.1/
> Rawhide: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-166.fc24.1/
> 
> Thank you.

I have installed F23 selinux-policy and selinux-policy-targeted as well. After a restart it still doesn't work and I get the same error message as before.
Comment 18 Miroslav Grepl 2016-01-15 04:12:53 EST
*** Bug 1298192 has been marked as a duplicate of this bug. ***
Comment 19 Miroslav Grepl 2016-01-15 09:28:21 EST
Folks,
could you please use the following local policy

$ cat mycron.cil
(allow unconfined_t user_cron_spool_t (file (entrypoint)))

and run

# semodule -i mycron.cil

and reload crond as a workaround for now.
Comment 20 Andrea Bolognani 2016-01-15 09:35:30 EST
Does that workaround persist reboots?

If so, how to remove it once the bug has been properly fixed?
Comment 21 Miroslav Grepl 2016-01-15 09:36:13 EST
(In reply to Andrea Bolognani from comment #20)
> Does that workaround persist reboots?
> 
> If so, how to remove it once the bug has been properly fixed?

Yes, it persists.

semodule -r mycron

to remove it. Or you can boot with older kernel.
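An added example covering the workaround in comments 19 and 21; it is not part of this bug report, of cronie or of selinux-policy. It pulls the refused crontabs out of crond journal lines like the ones quoted throughout the thread, prints the CIL rule from comment 19 (crond asks SELinux whether the spool file's type may serve as an entrypoint for the user's domain, and the rule grants exactly that permission and nothing else), and installs it with the semodule command from comment 19. The sample log lines are constructed, and the crond restart and the mycron.cil file name are assumptions.

```shell
#!/bin/sh
# Added example, not part of this bug report, cronie or selinux-policy.
# Pulls refused crontabs out of crond journal lines and prints the local
# CIL module from comment 19 that grants the missing permission.

# Constructed sample lines, modelled on the ones quoted in this thread.
SAMPLE_LOG='Jan 13 08:54:07 daniel-laptop crond[1320]: (daniel) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/daniel)
Jan 13 08:54:07 daniel-laptop crond[1320]: (daniel) FAILED (loading cron table)
Jan  8 07:54:45 beauty crond[5167]: (root) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=system_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/root)
Jan  8 07:55:01 beauty crond[5167]: (root) CMD (/usr/local/bin/backup.sh)'

# Read journal text on stdin; print "user domain_type file_type path" for
# every crontab crond refused to load. The domain type comes from the
# user's process context, the file type from the spool file's label.
cron_selinux_failures() {
    sed -n 's/^.*crond\[[0-9]*]: (\([^)]*\)) Unauthorized SELinux context=[^:]*:[^:]*:\([^:]*\):.* file_context=[^:]*:[^:]*:\([^:]*\):[^ ]* (\(.*\))$/\1 \2 \3 \4/p'
}

# The rule from comment 19: crond checks whether the spool file's type is
# a valid entrypoint for the user's domain; this grants that permission
# for unconfined_t on user_cron_spool_t only.
cil_workaround() {
    printf '%s\n' '(allow unconfined_t user_cron_spool_t (file (entrypoint)))'
}

# Install the module as comment 19 describes (needs root and semodule),
# then restart crond (assumed service name) so it reloads the crontabs.
# Remove later with: semodule -r mycron   (comment 21).
install_workaround() {
    cil_workaround > mycron.cil
    if command -v semodule >/dev/null 2>&1; then
        semodule -i mycron.cil && systemctl restart crond
    else
        echo "semodule not found; would run: semodule -i mycron.cil" >&2
        return 1
    fi
}

# Demo on the constructed log: lists the two refused crontabs.
printf '%s\n' "$SAMPLE_LOG" | cron_selinux_failures
```

Run the demo as any user; install_workaround is only meant to be called as root on the affected host.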
Comment 22 Miroslav Grepl 2016-01-15 09:36:47 EST
*** This bug has been marked as a duplicate of bug 1298192 ***
Comment 23 Jonathan Wakely 2016-01-15 10:47:05 EST
The workaround in comment 19 works, thanks.
Comment 24 Miroslav Grepl 2016-01-15 11:07:45 EST
(In reply to Jonathan Wakely from comment #23)
> The workaround in comment 19 works, thanks.

Thank you for testing.
Comment 25 Daniel Lehrner 2016-01-16 13:25:40 EST
(In reply to Miroslav Grepl from comment #19)
> Folks,
> could you please use the following local policy
> 
> $ cat mycron.cil
> (allow unconfined_t user_cron_spool_t (file (entrypoint)))
> 
> and run
> 
> # semodule -i mycron.cil
> 
> and reload crond as a workaround for now.

Works for me as well. Thanks!
Comment 26 René van Dorst 2016-01-20 04:01:14 EST
Comment #19 is working for me as well.
Comment 27 Davoid 2016-01-26 04:19:56 EST
Comment #19 OK for me too, thanks.