1547368 – Unable to run cron jobs from /etc/crontab due to selinux

Bug 1547368 - Unable to run cron jobs from /etc/crontab due to selinux

Summary: Unable to run cron jobs from /etc/crontab due to selinux

Keywords:
Status:	CLOSED DUPLICATE of bug 1625645
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	27
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	low
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-02-21 07:20 UTC by Robin
Modified:	2018-09-17 11:27 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-09-05 15:45:25 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1625645	0	unspecified	CLOSED	selinux prevents loading of anything inside /etc/cron.d	2021-02-22 00:41:40 UTC

Internal Links: 1625645

Description Robin 2018-02-21 07:20:31 UTC

Description of problem:
Unable to run cron jobs.


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-283.24.fc27.noarch
cronie-1.5.1-8.fc27.x86_64
crontabs-1.11-15.20150630git.fc27.noarch
cronie-anacron-1.5.1-8.fc27.x86_64

How reproducible: 5 out of 5 so far.


Steps to Reproduce:
1. Add "* * * * * root touch /tmp/cron-test" to /etc/crontab


Actual results: Cron job not run.

$ systemctl status crond
crond[1458]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=system_u:object_r:etc_t:s0 (/etc/crontab)


Expected results: Cron jobs should run.


Additional info:

Comment 1 Lukas Vrabec 2018-03-10 13:49:45 UTC

Robin, 

Hi, 

Avc msgs is not complete. Could you reproduce it and attach output of: 

# ausearch -m AVC -m USER_AVC -ts recent 

Thanks,
Lukas.

Comment 2 Robin 2018-03-20 12:03:48 UTC

So... Running ausearch doesn't produce any information just after cron should have run the job. I am on the other hand very sure it's selinux causing this issue since running `setenforce 0` makes the problem go away.

Any other way I can provide useful information?

Comment 3 Lukas Vrabec 2018-09-05 15:43:04 UTC

Robin, 

Could you change parameter "-ts today" and send me logs? 


# ausearch -m AVC -m USER_AVC -ts today


THanks,
Lukas.

Comment 4 Lukas Vrabec 2018-09-05 15:45:25 UTC

Could we continue with solving this in rhbz#1625645 ? Closing this as duplicate

*** This bug has been marked as a duplicate of bug 1625645 ***

Comment 5 Tomas Mraz 2018-09-10 07:49:16 UTC

Robin, did you try to restorecon -Fv /etc/crontab ? It seems it has a wrong context.

Comment 6 Robin 2018-09-17 11:27:49 UTC

Thanks Tomas! That solved the issue!

Note You need to log in before you can comment on or make changes to this bug.