Bug 220907 - LSPP: Cron does not run as root user
Summary: LSPP: Cron does not run as root user
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: crontabs
Version: 5.0
Hardware: All Linux
Priority: medium
Severity: urgent
Target Milestone: ---
Assignee: Marcela Mašláňová
QA Contact: Brock Organ
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2006-12-28 18:31 UTC by Camilo Y. Campo
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: 5.0.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-01-23 20:56:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Logs when cron is working as non-root. (3.72 KB, text/plain)
2006-12-29 11:07 UTC, Jose Plans


External Trackers
IBM Linux Technology Center, tracker ID 30589 (priority: none, status: none, summary: none, last updated: never)

Description Camilo Y. Campo 2006-12-28 18:31:17 UTC
Description of problem:
Cron does not run as root user

Version-Release number of selected component (if applicable):
vixie-cron-4.1-66.el5
Kernel 2.6.18-1.2840.2.1.el5.lspp.57 (ppc64 GNU/Linux)

Steps to Reproduce:
1. log in RHEL5 as staff_u user.
2. change Linux user typing "/bin/su -"
3. create a file with the following content:
MLS_LEVEL=SystemHigh
* * * * * id -Z > /tmp/crontest
4. add this job to cron typing "crontab <file>"
5. wait a moment please (about 60 seconds)
6. change MLS level typing "newrole -l SystemHigh"
7. nothing in /tmp :-(
  
Actual results:
looking at /var/log/cron:
Dec 27 11:14:01 zaphod crond[1344]: (root) Unauthorized SELinux context (cron/root)
and nothing in /tmp directory

Expected results:
a file in the /tmp directory created by crond, and the cron job listed when typing
"crontab -l" as root

Additional info:

Comment 1 Jose Plans 2006-12-29 11:04:10 UTC
More information: using root, no logs are generated, just cron logging in
/var/log/cron:
--
Dec 28 22:30:32 zaphod crontab[2509]: (root) REPLACE (root)
Dec 28 22:30:35 zaphod crontab[2510]: (root) LIST (root)
Dec 28 22:31:02 zaphod crond[1344]: (root) Unauthorized SELinux context (cron/root)
--

Comment 2 Jose Plans 2006-12-29 11:05:43 UTC
When using a non-root user, everything seems to work as expected.
--
Audit log when cron is working properly (not as root user)

In this file I put the audit log when cron is working properly (as ealuser):
-bash-3.1$ id
uid=500(ealuser) gid=500(ealuser) groups=10(wheel),500(ealuser)
context=staff_u:staff_r:staff_t:SystemLow-SystemHigh
-bash-3.1$ cat ct
MLS_LEVEL=SystemHigh
* * * * * id -Z > /tmp/crontest
-bash-3.1$ crontab ct
-bash-3.1$ crontab -l
MLS_LEVEL=SystemHigh
* * * * * id -Z > /tmp/crontest

/var/log/cron:
Dec 28 22:41:25 zaphod crontab[2541]: (ealuser) REPLACE (ealuser)
Dec 28 22:41:29 zaphod crontab[2542]: (ealuser) LIST (ealuser)
Dec 28 22:42:01 zaphod crond[2553]: (ealuser) CMD (id -Z > /tmp/crontest)
--

Comment 3 Jose Plans 2006-12-29 11:07:17 UTC
Created attachment 144532 [details]
Logs when cron is working as non-root.

Comment 6 Daniel Walsh 2006-12-30 18:17:32 UTC
Fixed in vixie-cron-4.1-66.1.el5

Available on http://people.redhat.com/dwalsh/SELinux/RHEL5

Comment 8 Camilo Y. Campo 2007-01-02 18:28:32 UTC
The new vixie is still not working properly:

[root@zaphod /]# rpm -qa | grep vixie
vixie-cron-4.1-66.1.el5

cron log:
Jan  2 10:31:43 zaphod crontab[5373]: (root) REPLACE (root)
Jan  2 10:32:01 zaphod crond[5277]: (root) RELOAD (cron/root)
Jan  2 10:32:01 zaphod crond[5277]: (root) No SELinux security context (cron/root)

Comment 10 Daniel Walsh 2007-01-04 17:35:04 UTC
This works for me.  With the latest policy selinux-policy-2.4.6-22.

With vixie-cron-4.1-66.1.el5

I do not use polyinstantiation on root logins.
I login as root on the machine.
# newrole -r sysadm_r
# mkdir /tmp/SystemHigh
# chcon -l SystemHigh /tmp/SystemHigh
# crontab -e
MLS_LEVEL=SystemHigh
0-59 * * * * id -Z > /tmp/SystemHigh/crontest

And it works fine.   New policy is necessary for chcon -l.
Now if I log in as a normal user with polyinstantiation and do the exact same
thing, it will not work, because when cron runs it will use the default /tmp and
there will not be a SystemHigh directory.

You should be getting email on this as root.

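The two crond messages quoted in the description, comment 1 and comment 8, and the /tmp-subdirectory workaround in comment 10, lend themselves to a small triage helper. The script below is an added example, not code from the bug report or from vixie-cron; the function names are the editor's own, and the log and crontab samples are constructed from the lines quoted on this page.

```shell
#!/bin/sh
# Added example, not part of the bug report or of vixie-cron.
# Helpers for the failure discussed in this bug: crond silently refusing
# a root job whose MLS_LEVEL it cannot honour, visible only in /var/log/cron.
#
#   cron_selinux_failures FILE   print "user<TAB>reason" for each crond line
#                                that reports an SELinux context problem
#                                (the two messages quoted in the bug)
#   crontab_mls_level FILE       print the MLS_LEVEL a crontab asks for, or "none"
#   tmp_level_dir DIR LEVEL      the workaround from comment 10: a /tmp
#                                subdirectory labelled at the job's MLS level
#                                (relabels only when SELinux is not Disabled)

cron_selinux_failures() {
    awk '
    /crond\[[0-9]+\]: \([^)]*\) (Unauthorized SELinux context|No SELinux security context)/ {
        user = $0
        sub(/^.*crond\[[0-9]+\]: \(/, "", user)   # drop everything up to "("
        sub(/\).*$/, "", user)                    # keep the crontab owner
        reason = $0
        sub(/^.*crond\[[0-9]+\]: \([^)]*\) /, "", reason)
        sub(/ \(cron\/.*$/, "", reason)           # drop the "(cron/<user>)" tail
        print user "\t" reason
    }' "$1"
}

crontab_mls_level() {
    # crontab(5) environment line, e.g. MLS_LEVEL=SystemHigh; last one wins
    lvl=$(sed -n 's/^[[:space:]]*MLS_LEVEL=//p' "$1" | tail -n 1)
    printf '%s\n' "${lvl:-none}"
}

tmp_level_dir() {
    dir=$1
    level=$2
    mkdir -p "$dir" || return 1
    # chcon -l (--range) only means something with SELinux active, and
    # comment 10 notes it needs the updated policy (selinux-policy-2.4.6-22+).
    if command -v getenforce >/dev/null 2>&1 \
        && [ "$(getenforce 2>/dev/null)" != "Disabled" ]; then
        chcon -l "$level" "$dir" || return 1
    fi
    printf '%s\n' "$dir"
}

# Constructed sample, assembled from the /var/log/cron lines quoted in
# the bug (description, comment 1, comment 8).
sample_log() {
    cat <<'EOF'
Dec 27 11:14:01 zaphod crond[1344]: (root) Unauthorized SELinux context (cron/root)
Dec 28 22:42:01 zaphod crond[2553]: (ealuser) CMD (id -Z > /tmp/crontest)
Jan  2 10:32:01 zaphod crond[5277]: (root) RELOAD (cron/root)
Jan  2 10:32:01 zaphod crond[5277]: (root) No SELinux security context (cron/root)
EOF
}

# Run with "demo" to see the helpers on the constructed sample.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    sample_log > "$tmp"
    echo "crond SELinux refusals:"
    cron_selinux_failures "$tmp"
    printf 'MLS_LEVEL=SystemHigh\n* * * * * id -Z > /tmp/crontest\n' > "$tmp"
    echo "crontab asks for level: $(crontab_mls_level "$tmp")"
    rm -f "$tmp"
fi
```

The log scan is the useful part for anyone hitting this: crond logs the refusal but produces no mail and no audit record (comment 1), so grepping for these two messages is the only way to notice the job never ran. The directory helper reproduces what comment 10 did by hand; under polyinstantiated /tmp (comment 10, second half) the labelled directory has to exist in the /tmp instance crond actually sees, not the user's private one.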
Comment 11 Marcela Mašláňová 2007-01-05 08:24:40 UTC
Agree, works for me.

Comment 12 Jay Turner 2007-01-05 16:08:31 UTC
The newer vixie-cron along with the updated selinux-policy will be available in
Snapshot 6 . . . I suspect that the new selinux-policy is needed along with the
vixie-cron for this to work.

Comment 13 Camilo Y. Campo 2007-01-05 18:11:32 UTC
Agree too. The problem was that when I created the directory as root (staff user +
/bin/su -), the context was root root
staff_u:object_r:sysadm_tmp_t:SystemHigh and not root root
root:object_r:sysadm_tmp_t:SystemHigh.

Thanks.

Comment 15 Jay Turner 2007-01-23 20:54:21 UTC
selinux-policy-2.4.6-24.el5 and vixie-cron-4.1-66.1.el5 are included in
20070111.1 and 20070112.3.

