Bug 244990 - anacron does not start under targeted policy
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
All Linux
low Severity low
Assigned To: Daniel Walsh
Ben Levenson
: Reopened
Reported: 2007-06-20 09:16 EDT by Tomasz Ostrowski
Modified: 2007-11-30 17:12 EST (History)
Fixed In Version: 2.6.4-22
Doc Type: Bug Fix
Last Closed: 2007-07-20 05:52:01 EDT
Description Tomasz Ostrowski 2007-06-20 09:16:21 EDT
Description of problem:
Anacron could not start under targeted policy.

This is logged to /var/log/cron:
Jun 20 14:59:17 pancernik anacron[3090]: Anacron 2.3 started on 2007-06-20
Jun 20 14:59:17 pancernik anacron[3090]: Can't open timestamp file for job cron.daily: Permission denied
Jun 20 14:59:17 pancernik anacron[3090]: Aborted

Under permissive policy, the following denials are reported by audit2allow when
/var/spool/anacron/ is empty:
allow crond_t var_spool_t:dir { write add_name };
allow crond_t var_spool_t:file { write create setattr };

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. service anacron start
2. service anacron status
Actual results:
anacron is stopped

Expected results:
anacron (pid 3167) is running...

Additional info:
This is current updates-testing policy.

This is the 3rd time in FC7 that a basic system service is not working because of
SELinux. Is there any chance of automatic basic functionality testing for
policy changes? If it is possible to log in by ssh using password or key, do
essential daemons like dovecot, httpd, cron, bind, etc. still work and reply to

For most services, upstream often does have regression tests. We do need these for
Comment 1 Daniel Walsh 2007-06-20 09:30:14 EDT
restorecon -R -v /var/spool

Should fix.
Comment 2 Tomasz Ostrowski 2007-06-20 09:40:35 EDT
Does not.

# restorecon -R -v /var/spool/
# service anacron start
# service anacron status
Starting anacron:                                          [  OK  ]
anacron is stopped

# ls -lZ /var/spool/anacron
-rw-------  root root user_u:object_r:var_spool_t      cron.daily
-rw-------  root root user_u:object_r:var_spool_t      cron.monthly
-rw-------  root root user_u:object_r:var_spool_t      cron.weekly
Comment 3 Daniel Walsh 2007-06-20 09:57:10 EDT
OK, looks like this is missing from fc7.

chcon -R -t cron_spool_t /var/spool/anacron

Should fix this problem, and I will put the fix in build 22.
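
Added example, not part of the bug thread: a label check over `ls -lZ` output like that in Comment 2, plus a lookup of the type the loaded policy assigns to a path, which shows why restorecon alone changed nothing. The function names and the third sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): spot files whose SELinux type
# differs from the one the confined daemon is allowed to write.

# Constructed sample: two lines from Comment 2 plus one correctly labelled line.
SAMPLE='-rw-------  root root user_u:object_r:var_spool_t      cron.daily
-rw-------  root root user_u:object_r:var_spool_t      cron.monthly
-rw-------  root root system_u:object_r:cron_spool_t   cron.weekly'

# mislabeled WANT_TYPE: read `ls -lZ` lines on stdin and print "name type"
# for every entry whose context type is not WANT_TYPE.
# File names containing spaces are not handled.
mislabeled() {
    awk -v want="$1" '{
        for (i = 1; i <= NF; i++) {
            # The context is the first field shaped user:role:type[:level].
            if ($i ~ /^[^:]+:[^:]+:[^:]+/) {
                split($i, ctx, ":")
                if (ctx[3] != want) print $NF, ctx[3]
                break
            }
        }
    }'
}

# policy_type PATH: the type the loaded policy's file contexts assign to PATH.
# restorecon can only apply this value, so if it is still var_spool_t the
# policy lacks the rule and restorecon changes nothing (as in Comment 2).
policy_type() {
    matchpathcon "$1" | awk '{ split($2, ctx, ":"); print ctx[3] }'
}

# Live check when a directory is given, e.g.: sh check.sh /var/spool/anacron
# Without an argument, run against the constructed sample instead.
if [ -n "${1:-}" ]; then
    echo "policy default for $1: $(policy_type "$1")"
    ls -lZ "$1" | mislabeled cron_spool_t
else
    printf '%s\n' "$SAMPLE" | mislabeled cron_spool_t
fi
```

A label set with chcon is not recorded in the policy's file contexts, so a later restorecon or full relabel resets it to whatever `policy_type` reports until the policy itself carries the rule.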
