Bug 220907 - LSPP: Cron does not run as root user
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: crontabs
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: urgent
Assigned To: Marcela Mašláňová
QA Contact: Brock Organ
Reported: 2006-12-28 13:31 EST by Camilo Y. Campo
Modified: 2007-11-30 17:07 EST
Fixed In Version: 5.0.0
Doc Type: Bug Fix
Last Closed: 2007-01-23 15:56:03 EST

Attachments
Logs when cron is working as non-root. (3.72 KB, text/plain), 2006-12-29 06:07 EST, Jose Plans

External Trackers
IBM Linux Technology Center 30589
Description Camilo Y. Campo 2006-12-28 13:31:17 EST
Description of problem:
Cron does not run as root user

Version-Release number of selected component (if applicable):
vixie-cron-4.1-66.el5
2.6.18-1.2840.2.1.el5.lspp.57
ppc64 ppc64 ppc64 GNU/Linux

Steps to Reproduce:
1. Log in to RHEL5 as a staff_u user.
2. Change the Linux user by typing "/bin/su -".
3. Create a file with the following content:
MLS_LEVEL=SystemHigh
* * * * * id -Z > /tmp/crontest
4. Add this job to cron by typing "crontab <file>".
5. Wait a moment please (about 60 seconds).
6. Change the MLS level by typing "newrole -l SystemHigh".
7. Nothing in /tmp :-(

Actual results:
Looking at /var/log/cron:
Dec 27 11:14:01 zaphod crond[1344]: (root) Unauthorized SELinux context (cron/root)
and nothing in the /tmp directory.

Expected results:
A file in the /tmp directory created by crond, and the added cron job shown when typing
"crontab -l" as root.

Additional info:
Comment 1 Jose Plans 2006-12-29 06:04:10 EST
More information: using root, no logs are generated, just cron logging in
/var/log/cron:
--
Dec 28 22:30:32 zaphod crontab[2509]: (root) REPLACE (root)
Dec 28 22:30:35 zaphod crontab[2510]: (root) LIST (root)
Dec 28 22:31:02 zaphod crond[1344]: (root) Unauthorized SELinux context (cron/root)
--
Comment 2 Jose Plans 2006-12-29 06:05:43 EST
When using a non-root user, everything seems to work as expected.
--
Audit log when cron is working properly (not as root user)

In this file I put the audit log when cron is working properly (as ealuser):
-bash-3.1$ id
uid=500(ealuser) gid=500(ealuser) groups=10(wheel),500(ealuser)
context=staff_u:staff_r:staff_t:SystemLow-SystemHigh
-bash-3.1$ cat ct
MLS_LEVEL=SystemHigh
* * * * * id -Z > /tmp/crontest
-bash-3.1$ crontab ct
-bash-3.1$ crontab -l
MLS_LEVEL=SystemHigh
* * * * * id -Z > /tmp/crontest

/var/log/cron:
Dec 28 22:41:25 zaphod crontab[2541]: (ealuser) REPLACE (ealuser)
Dec 28 22:41:29 zaphod crontab[2542]: (ealuser) LIST (ealuser)
Dec 28 22:42:01 zaphod crond[2553]: (ealuser) CMD (id -Z > /tmp/crontest)
--
Comment 3 Jose Plans 2006-12-29 06:07:17 EST
Created attachment 144532 [details]
Logs when cron is working as non-root.
Comment 6 Daniel Walsh 2006-12-30 13:17:32 EST
Fixed in vixie-cron-4.1-66.1.el5

Available on http://people.redhat.com/dwalsh/SELinux/RHEL5
Comment 8 Camilo Y. Campo 2007-01-02 13:28:32 EST
The new vixie is still not working properly:

[root@zaphod /]# rpm -qa | grep vixie
vixie-cron-4.1-66.1.el5

cron log:
Jan  2 10:31:43 zaphod crontab[5373]: (root) REPLACE (root)
Jan  2 10:32:01 zaphod crond[5277]: (root) RELOAD (cron/root)
Jan  2 10:32:01 zaphod crond[5277]: (root) No SELinux security context (cron/root)
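The failure in this bug is silent from the job's point of view: the only evidence is the "Unauthorized SELinux context" / "No SELinux security context" lines crond writes to /var/log/cron. The following triage script is an added example, not part of the bug report or of vixie-cron; it parses sample lines modelled on the ones quoted above (hostname and PIDs are constructed) and reports, per user, how many jobs crond actually ran versus how many times it refused the crontab for SELinux reasons.

```python
import re
from collections import defaultdict

# Constructed sample lines in /var/log/cron syslog format, modelled on the
# messages quoted in this bug report (hostname and PIDs are illustrative).
SAMPLE_CRON_LOG = """\
Dec 28 22:30:32 zaphod crontab[2509]: (root) REPLACE (root)
Dec 28 22:30:35 zaphod crontab[2510]: (root) LIST (root)
Dec 28 22:31:02 zaphod crond[1344]: (root) Unauthorized SELinux context (cron/root)
Dec 28 22:41:25 zaphod crontab[2541]: (ealuser) REPLACE (ealuser)
Dec 28 22:42:01 zaphod crond[2553]: (ealuser) CMD (id -Z > /tmp/crontest)
Jan  2 10:32:01 zaphod crond[5277]: (root) RELOAD (cron/root)
Jan  2 10:32:01 zaphod crond[5277]: (root) No SELinux security context (cron/root)
"""

# "<timestamp> <host> <crond|crontab>[pid]: (<user>) <event> (<argument>)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>crond|crontab)\[\d+\]: "
    r"\((?P<user>[^)]+)\) (?P<event>.+?)(?: \((?P<arg>.*)\))?$"
)

# crond messages meaning the crontab was rejected for SELinux reasons and no job ran.
SELINUX_FAILURES = ("Unauthorized SELinux context", "No SELinux security context")


def parse_cron_line(line):
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def triage_cron_log(text):
    """Per user: number of jobs crond ran (CMD) and the SELinux refusals it logged."""
    report = defaultdict(lambda: {"ran": 0, "selinux_failures": []})
    for line in text.splitlines():
        rec = parse_cron_line(line)
        if rec is None or rec["prog"] != "crond":  # crontab(1) edits are not executions
            continue
        entry = report[rec["user"]]
        if rec["event"] == "CMD":
            entry["ran"] += 1
        elif rec["event"] in SELINUX_FAILURES:
            entry["selinux_failures"].append((rec["ts"], rec["event"], rec["arg"]))
    return dict(report)


def users_with_silent_failures(text):
    """Users whose crontab crond refused on SELinux grounds without ever running a job."""
    rep = triage_cron_log(text)
    return sorted(u for u, e in rep.items() if e["selinux_failures"] and e["ran"] == 0)
```

On the sample above this flags root (two refusals, zero executions) and nothing for ealuser, which matches the behaviour described in comments 1, 2 and 8.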
Comment 10 Daniel Walsh 2007-01-04 12:35:04 EST
This works for me with the latest policy, selinux-policy-2.4.6-22.

With vixie-cron-4.1-66.1.el5

I do not use polyinstantiation on root logins.
I log in as root on the machine.
# newrole -r sysadm_r
# mkdir /tmp/SystemHigh
# chcon -l SystemHigh /tmp/SystemHigh
# crontab -e
MLS_LEVEL=SystemHigh
0-59 * * * * id -Z > /tmp/SystemHigh/crontest

And it works fine. New policy is necessary for chcon -l.
Now if I log in as a normal user with polyinstantiation

and do the exact same thing, it will not work because when cron runs it will use
the default /tmp and there will not be a SystemHigh directory.

You should be getting email on this as root.
Comment 11 Marcela Mašláňová 2007-01-05 03:24:40 EST
Agree, works for me.
Comment 12 Jay Turner 2007-01-05 11:08:31 EST
The newer vixie-cron along with the updated selinux-policy will be available in
Snapshot 6 . . . I suspect that the new selinux-policy is needed along with the
vixie-cron for this to work.
Comment 13 Camilo Y. Campo 2007-01-05 13:11:32 EST
Agree too. The problem was when I created the directory as root (staff user +
/bin/su -) and the context was root root
staff_u:object_r:sysadm_tmp_t:SystemHigh and not root root
root:object_r:sysadm_tmp_t:SystemHigh.

Thanks.
Comment 15 Jay Turner 2007-01-23 15:54:21 EST
selinux-policy-2.4.6-24.el5 and vixie-cron-4.1-66.1.el5 are included in
20070111.1 and 20070112.3.
