Description of problem:
Anacron could not start under targeted policy. This is logged to /var/log/cron:

Jun 20 14:59:17 pancernik anacron[3090]: Anacron 2.3 started on 2007-06-20
Jun 20 14:59:17 pancernik anacron[3090]: Can't open timestamp file for job cron.daily: Permission denied
Jun 20 14:59:17 pancernik anacron[3090]: Aborted

Under permissive policy there are the following denials reported by audit2allow, when /var/spool/anacron/ is empty:

allow crond_t var_spool_t:dir { write add_name };
allow crond_t var_spool_t:file { write create setattr };

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-20.fc7

How reproducible:
Always

Steps to Reproduce:
1. service anacron start
2. service anacron status

Actual results:
anacron is stopped

Expected results:
anacron (pid 3167) is running...

Additional info:
This is current updates-testing policy. This is 3rd time in FC7 a basic system service is not working because of selinux. Is there any chance of an automatic basic functionality testing for policy changes? If it is possible to log in by ssh using password or key, do essential daemons like dovecot, httpd, cron, bind, etc. still work and reply to requests? For most services upstream often does have regression tests. We do need these for policy...

restorecon -R -v /var/spool

Should fix.

Does not.

# restorecon -R -v /var/spool/
# service anacron start
# service anacron status
Starting anacron: [ OK ]
anacron is stopped
# ls -lZ /var/spool/anacron
-rw------- root root user_u:object_r:var_spool_t cron.daily
-rw------- root root user_u:object_r:var_spool_t cron.monthly
-rw------- root root user_u:object_r:var_spool_t cron.weekly

Ok, Looks like this is missing from fc7.

chcon -R -t cron_spool_t /var/spool/anacron

Should fix this problem, and I will put the fix in build 22.
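
Added example (not part of the bug report or of the policy package): a shell check that flags entries whose SELinux type is not cron_spool_t, the type named in the last comment. It parses the `ls -lZ` layout shown in the thread; the function names and the "after" listing are constructed for illustration.

```shell
#!/bin/sh
# Input: lines in the `ls -lZ` layout shown in this report:
#   mode user group context name
# where context is user:role:type[:level].

# mislabeled EXPECTED_TYPE
# Reads a listing on stdin, prints "name type" for each entry whose
# SELinux type differs from EXPECTED_TYPE.
mislabeled() {
    awk -v want="$1" '
        NF >= 5 {
            n = split($4, ctx, ":")
            if (n < 3) next              # field 4 is not a context, skip
            if (ctx[3] != want) print $5, ctx[3]
        }'
}

# Constructed sample: the listing from the report, before the chcon.
sample_before() {
cat <<'EOF'
-rw------- root root user_u:object_r:var_spool_t cron.daily
-rw------- root root user_u:object_r:var_spool_t cron.monthly
-rw------- root root user_u:object_r:var_spool_t cron.weekly
EOF
}

# Constructed sample (assumption): the same listing after relabeling.
sample_after() {
    sample_before | sed 's/var_spool_t/cron_spool_t/'
}

# count_mislabeled SAMPLE_FUNCTION -> number of entries with the wrong type
count_mislabeled() {
    "$1" | mislabeled cron_spool_t | wc -l | tr -d ' '
}

echo "before relabel: $(count_mislabeled sample_before) mislabeled"
sample_before | mislabeled cron_spool_t
echo "after relabel:  $(count_mislabeled sample_after) mislabeled"
```

On a live system with the same listing layout, the input would come from `ls -lZ /var/spool/anacron | mislabeled cron_spool_t`.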