
Bug 220907

Summary: LSPP: Cron does not run as root user
Product: Red Hat Enterprise Linux 5
Reporter: Camilo Y. Campo <camilo>
Component: crontabs
Assignee: Marcela Mašláňová <mmaslano>
Status: CLOSED CURRENTRELEASE
QA Contact: Brock Organ <borgan>
Severity: urgent
Priority: medium
Version: 5.0
CC: dwalsh, iboverma, james.antill, jplans, klaus, krisw, linda.knippers, sglass, sgrubb, toml
Hardware: All
OS: Linux
Fixed In Version: 5.0.0
Doc Type: Bug Fix
Last Closed: 2007-01-23 20:56:03 UTC
Attachments: Logs when cron is working as non-root.

Description Camilo Y. Campo 2006-12-28 18:31:17 UTC
Description of problem:
Cron does not run as root user

Version-Release number of selected component (if applicable):
vixie-cron-4.1-66.el5
2.6.18-1.2840.2.1.el5.lspp.57
ppc64 ppc64 ppc64 GNU/Linux

How reproducible:

Steps to Reproduce:
1. log in RHEL5 as staff_u user.
2. change Linux user typing "/bin/su -"
3. create a file with the following content:
MLS_LEVEL=SystemHigh
* * * * * id -Z > /tmp/crontest
4. add this job to cron typing "crontab <file>"
5. wait a moment please (about 60 seconds)
6. change MLS level typing "newrole -l SystemHigh"
7. nothing in /tmp :-(
Actual results:
looking at /var/log/cron:
Dec 27 11:14:01 zaphod crond[1344]: (root) Unauthorized SELinux context (cron/root)
and nothing in /tmp directory

Expected results:
a file in the tmp directory created by crond, and the added cron job shown when typing "crontab -l" as root

Additional info:

Comment 1 Jose Plans 2006-12-29 11:04:10 UTC
More information: using root, no logs are generated, just cron logging in /var/log/cron:
--
Dec 28 22:30:32 zaphod crontab[2509]: (root) REPLACE (root)
Dec 28 22:30:35 zaphod crontab[2510]: (root) LIST (root)
Dec 28 22:31:02 zaphod crond[1344]: (root) Unauthorized SELinux context (cron/root)
--

Comment 2 Jose Plans 2006-12-29 11:05:43 UTC
When using a non-root user, everything seems to work as expected.
--
Audit log when cron is working properly (not as root user)

In this file I put the audit log when cron is working properly (as ealuser):
-bash-3.1$ id
uid=500(ealuser) gid=500(ealuser) groups=10(wheel),500(ealuser)
context=staff_u:staff_r:staff_t:SystemLow-SystemHigh
-bash-3.1$ cat ct
MLS_LEVEL=SystemHigh
* * * * * id -Z > /tmp/crontest
-bash-3.1$ crontab ct
-bash-3.1$ crontab -l
MLS_LEVEL=SystemHigh
* * * * * id -Z > /tmp/crontest

/var/log/cron:
Dec 28 22:41:25 zaphod crontab[2541]: (ealuser) REPLACE (ealuser)
Dec 28 22:41:29 zaphod crontab[2542]: (ealuser) LIST (ealuser)
Dec 28 22:42:01 zaphod crond[2553]: (ealuser) CMD (id -Z > /tmp/crontest)
--

Comment 3 Jose Plans 2006-12-29 11:07:17 UTC
Created attachment 144532 [details]
Logs when cron is working as non-root.

Comment 6 Daniel Walsh 2006-12-30 18:17:32 UTC
Fixed in vixie-cron-4.1-66.1.el5

Available on http://people.redhat.com/dwalsh/SELinux/RHEL5

Comment 8 Camilo Y. Campo 2007-01-02 18:28:32 UTC
The new vixie is still not working properly:

[root@zaphod /]# rpm -qa | grep vixie
vixie-cron-4.1-66.1.el5

cron log:
Jan  2 10:31:43 zaphod crontab[5373]: (root) REPLACE (root)
Jan  2 10:32:01 zaphod crond[5277]: (root) RELOAD (cron/root)
Jan  2 10:32:01 zaphod crond[5277]: (root) No SELinux security context (cron/root)
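
Added example (not part of the bug report or of vixie-cron): a small triage of /var/log/cron lines that flags the two SELinux refusals seen in this bug and lists users whose crontab was loaded but never produced a CMD line. The sample log is constructed from the lines quoted in the description, comment 1, comment 2 and comment 8.

```python
import re
from dataclasses import dataclass

# Constructed sample of /var/log/cron lines, modelled on the ones quoted in this bug.
SAMPLE_CRON_LOG = """\
Dec 28 22:30:32 zaphod crontab[2509]: (root) REPLACE (root)
Dec 28 22:30:35 zaphod crontab[2510]: (root) LIST (root)
Dec 28 22:31:02 zaphod crond[1344]: (root) Unauthorized SELinux context (cron/root)
Dec 28 22:41:25 zaphod crontab[2541]: (ealuser) REPLACE (ealuser)
Dec 28 22:42:01 zaphod crond[2553]: (ealuser) CMD (id -Z > /tmp/crontest)
Jan  2 10:32:01 zaphod crond[5277]: (root) RELOAD (cron/root)
Jan  2 10:32:01 zaphod crond[5277]: (root) No SELinux security context (cron/root)
"""

# "Mon DD HH:MM:SS host prog[pid]: (user) MESSAGE (detail)" as written by crond/crontab
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>crond|crontab)\[(?P<pid>\d+)\]: \((?P<user>[^)]+)\) "
    r"(?P<msg>.*?) \((?P<detail>.*)\)$"
)

# The two messages crond logs in this bug when it refuses to run a job
SELINUX_FAILURES = ("Unauthorized SELinux context", "No SELinux security context")


@dataclass
class CronEvent:
    ts: str
    prog: str
    user: str
    msg: str
    detail: str


def parse_cron_log(text):
    """Parse every crond/crontab line; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(CronEvent(m["ts"], m["prog"], m["user"], m["msg"], m["detail"]))
    return events


def selinux_failures(events):
    """(user, message, detail) for every job crond refused for SELinux reasons."""
    return [(e.user, e.msg, e.detail) for e in events
            if e.prog == "crond" and e.msg in SELINUX_FAILURES]


def users_without_cmd(events):
    """Users whose crontab was loaded (REPLACE/RELOAD) but never reached a CMD line."""
    ran = {e.user for e in events if e.prog == "crond" and e.msg == "CMD"}
    loaded = {e.user for e in events if e.msg in ("REPLACE", "RELOAD")}
    return sorted(loaded - ran)
```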

Comment 10 Daniel Walsh 2007-01-04 17:35:04 UTC
This works for me, with the latest policy selinux-policy-2.4.6-22.

With vixie-cron-4.1-66.1.el5

I do not use polyinstantiation on root logins.
I login as root on the machine.
# newrole -r sysadm_r
# mkdir /tmp/SystemHigh
# chcon -l SystemHigh /tmp/SystemHigh
# crontab -e
MLS_LEVEL=SystemHigh
0-59 * * * * id -Z > /tmp/SystemHigh/crontest

And it works fine. New policy is necessary for chcon -l.
Now if I log in as a normal user with polyinstantiation and do the exact same thing, it will not work because when cron runs it will use the default /tmp and there will not be a SystemHigh directory.

You should be getting email on this as root.

Comment 11 Marcela Mašláňová 2007-01-05 08:24:40 UTC
Agree, works for me.

Comment 12 Jay Turner 2007-01-05 16:08:31 UTC
The newer vixie-cron along with the updated selinux-policy will be available in Snapshot 6 . . . I suspect that the new selinux-policy is needed along with the vixie-cron for this to work.

Comment 13 Camilo Y. Campo 2007-01-05 18:11:32 UTC
Agree too. The problem was when I created the directory as root (staff user + /bin/su -) and the context was root root staff_u:object_r:sysadm_tmp_t:SystemHigh and not root root root:object_r:sysadm_tmp_t:SystemHigh.

Thanks.
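
Added example (not part of the bug report or of vixie-cron): a pre-flight check for the setup in comments 10 and 13. It reads MLS_LEVEL and the output directories out of a crontab and compares them with the directory labels that `ls -dZ` would show, reporting a missing directory, a level that differs from MLS_LEVEL, or, as comment 13 describes for a root job, a label carrying the wrong SELinux user. The crontab and labels are constructed from the ones quoted above; the expected user is an input, not something the check derives.

```python
import os
import re

# Constructed crontab, matching the one used in comment 10.
SAMPLE_CRONTAB = """\
MLS_LEVEL=SystemHigh
0-59 * * * * id -Z > /tmp/SystemHigh/crontest
"""

# Constructed directory label: the mismatch described in comment 13
# (directory created via staff_u + su, so it carries the staff_u SELinux user).
LABELS = {"/tmp/SystemHigh": "staff_u:object_r:sysadm_tmp_t:SystemHigh"}


def parse_context(ctx):
    """Split 'user:role:type:level'; the level may itself contain ':' (categories)."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def crontab_targets(text):
    """Return (MLS_LEVEL, [output directories]) for every '>' / '>>' redirection."""
    level, dirs = None, []
    for line in text.splitlines():
        if line.startswith("MLS_LEVEL="):
            level = line.split("=", 1)[1].strip()
            continue
        for target in re.findall(r">{1,2}\s*(\S+)", line):
            dirs.append(os.path.dirname(target))
    return level, dirs


def check_targets(crontab, labels, expected_user):
    """List (directory, problem) pairs; an empty list means the job can write its output."""
    level, dirs = crontab_targets(crontab)
    problems = []
    for d in dirs:
        if d not in labels:
            # Comment 10: with polyinstantiation cron sees the default /tmp, so the
            # SystemHigh directory simply is not there.
            problems.append((d, "directory missing"))
            continue
        ctx = parse_context(labels[d])
        if ctx["level"] != level:
            problems.append((d, f"level {ctx['level']} != MLS_LEVEL {level}"))
        if ctx["user"] != expected_user:
            problems.append((d, f"SELinux user {ctx['user']} != {expected_user}"))
    return problems
```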

Comment 15 Jay Turner 2007-01-23 20:54:21 UTC
selinux-policy-2.4.6-24.el5 and vixie-cron-4.1-66.1.el5 are included in 20070111.1 and 20070112.3.