Description of problem:
When the MLS SELinux policy is in use, cronie fails to load system crontabs (/etc/crontab, /etc/cron.d/*) because it cannot find a security context for them:

Mar 28 13:55:45 ip-10-61-65-63 crond[26357]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 58% if used.)
Mar 28 13:55:45 ip-10-61-65-63 crond[26357]: ((null)) No SELinux security context (/etc/crontab)
Mar 28 13:55:45 ip-10-61-65-63 crond[26357]: (root) FAILED (loading cron table)
Mar 28 13:55:45 ip-10-61-65-63 crond[26357]: ((null)) No SELinux security context (/etc/cron.d/0hourly)
Mar 28 13:55:45 ip-10-61-65-63 crond[26357]: (root) FAILED (loading cron table)
Mar 28 13:55:45 ip-10-61-65-63 crond[26357]: (CRON) INFO (running with inotify support)
Mar 28 13:55:45 ip-10-61-65-63 crond[26357]: (CRON) INFO (@reboot jobs will be run at computer's startup.)

selinuxdefcon reports an error in the same vein:

[dhatch@authgate01 ~]$ selinuxdefcon system_u system_u:system_r:crond_t:s0-s0:c0.c1023
selinuxdefcon: Invalid argument

Compared with the same command on a system running targeted:

[dhatch@build-el7-64 ~]$ selinuxdefcon system_u system_u:system_r:crond_t:s0-s0:c0.c1023
system_u:system_r:system_cronjob_t:s0-s0:c0.c1023

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.13.1-60.el7_2.3.noarch

How reproducible:
I have encountered this issue on all of my systems using the mls policy

Steps to Reproduce:
1. Install and switch to selinux-policy-mls
2. Ensure SELinux is enforcing
3. Start crond

Actual results:
cron does not run ANY system tasks (including logrotate!) on MLS systems

Expected results:
cron should run system jobs in the system_cronjob_t domain like it does on targeted systems
Works for me. diff /etc/selinux/mls/contexts/default_contexts* 1c1 < system_r:crond_t:s0 system_r:system_cronjob_t:s0 --- > system_r:crond_t:s0 system_r:system_crond_t:s0 btw: it took a few hours, not a few weeks
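Review bot: the command "diff /etc/selinux/mls/contexts/default_contexts*" relies on a glob, so the output does not show which file is the live default_contexts and which is the other copy, and the "<" and ">" sides of the 1c1 change cannot be attributed from the comment alone. Naming both files explicitly in the command would make clear which of the two line-1 entries, system_r:system_cronjob_t:s0 or system_r:system_crond_t:s0, is the one in effect when cron works.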
gf578, Thank you for testing.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html
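An added example, not part of the original report and not code from cronie or selinux-policy: a Python check that lists the crontabs crond dropped according to its log, and tests whether a default_contexts file offers system_cronjob_t (the domain the report expects) from crond_t. The sample log and file contents are constructed from the lines quoted in this report, and all function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the log lines quoted in the report.
SAMPLE_LOG = """\
Mar 28 13:55:45 host crond[26357]: ((null)) No SELinux security context (/etc/crontab)
Mar 28 13:55:45 host crond[26357]: (root) FAILED (loading cron table)
Mar 28 13:55:45 host crond[26357]: ((null)) No SELinux security context (/etc/cron.d/0hourly)
Mar 28 13:55:45 host crond[26357]: (root) FAILED (loading cron table)
Mar 28 13:55:45 host crond[26357]: (CRON) INFO (running with inotify support)
"""
# The two variants of the crond_t line shown in the diff (constructed files).
CTX_CRONJOB = "# sample comment\nsystem_r:crond_t:s0 system_r:system_cronjob_t:s0\n"
CTX_CROND = "system_r:crond_t:s0 system_r:system_crond_t:s0\n"

NO_CTX = re.compile(r"crond\[(\d+)\]: \(.*?\) No SELinux security context \((.+)\)$")
FAILED = re.compile(r"crond\[(\d+)\]: \(\S+\) FAILED \(loading cron table\)$")

def unloaded_crontabs(log_text):
    """Return crontab paths that crond failed to load for lack of a context."""
    pending, dropped = {}, []
    for line in log_text.splitlines():
        m = NO_CTX.search(line)
        if m:
            pending[m.group(1)] = m.group(2)  # remember the path per crond PID
            continue
        m = FAILED.search(line)
        if m and m.group(1) in pending:
            dropped.append(pending.pop(m.group(1)))  # failure confirms the drop
    return dropped

def _type_of(context):
    # Assumes the role:type:level form used by the lines in the diff.
    parts = context.split(":")
    return parts[1] if len(parts) >= 2 else ""

def crond_targets(default_contexts_text):
    """Return the types listed as reachable from crond_t."""
    types = []
    for line in default_contexts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if fields and _type_of(fields[0]) == "crond_t":
            types += [_type_of(ctx) for ctx in fields[1:]]
    return types

def offers_system_cronjob(default_contexts_text):
    return "system_cronjob_t" in crond_targets(default_contexts_text)

if __name__ == "__main__":
    print(unloaded_crontabs(SAMPLE_LOG))
    print(offers_system_cronjob(CTX_CRONJOB), offers_system_cronjob(CTX_CROND))
```

On a real host the inputs would be the crond journal or syslog output and the contents of /etc/selinux/mls/contexts/default_contexts.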