Bug 330321 - crond doesn't run jobs in /var/spool/cron/root
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All Linux
Priority: low, Severity: high
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2007-10-12 21:16 EDT by Michael Carney
Modified: 2008-01-30 14:18 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:18:41 EST
Description Michael Carney 2007-10-12 21:16:42 EDT
Description of problem: crond doesn't run any job specified in root's crontab.
From the looks of log, it only runs /etc/crontab jobs. One line hints at SELinux
as a possible problem:
Oct 10 13:54:10 oliver crond[1390]: (CRON) STARTUP (4.2)
Oct 10 13:54:15 oliver anacron[1474]: Anacron 2.3 started on 2007-10-10
Oct 10 13:54:15 oliver anacron[1474]: Will run job `cron.daily' in 65 min.
Oct 10 13:54:15 oliver anacron[1474]: Will run job `cron.weekly' in 70 min.
Oct 10 13:54:15 oliver anacron[1474]: Will run job `cron.monthly' in 75 min.
Oct 10 13:54:15 oliver anacron[1474]: Jobs will be executed sequentially
Oct 10 13:56:41 oliver crontab[1599]: (root) BEGIN EDIT (root)
Oct 10 13:57:17 oliver crontab[1599]: (root) END EDIT (root)
Oct 10 13:58:33 oliver crontab[1612]: (root) BEGIN EDIT (root)
Oct 10 13:58:48 oliver crontab[1612]: (root) REPLACE (root)
Oct 10 13:58:48 oliver crontab[1612]: (root) END EDIT (root)
Oct 10 13:58:50 oliver crontab[1617]: (root) LIST (root)
Oct 10 13:59:01 oliver crond[1390]: (root) Unauthorized SELinux context (cron/root)
Oct 10 14:01:02 oliver CROND[1666]: (root) CMD (run-parts /etc/cron.hourly)
Oct 10 14:59:15 oliver anacron[1474]: Job `cron.daily' started
Oct 10 15:01:01 oliver CROND[1889]: (root) CMD (run-parts /etc/cron.hourly)
Oct 10 15:53:31 oliver anacron[1977]: Updated timestamp for job `cron.daily' to 2007-10-10
Oct 10 16:01:02 oliver CROND[17492]: (root) CMD (run-parts /etc/cron.hourly)
Oct 10 16:22:24 oliver anacron[1474]: Job `cron.daily' terminated (mailing output)
Oct 10 16:22:24 oliver anacron[1474]: Job `cron.weekly' started
Oct 10 17:01:02 oliver CROND[19642]: (root) CMD (run-parts /etc/cron.hourly)
Oct 10 17:16:40 oliver anacron[19672]: Updated timestamp for job `cron.weekly' to 2007-10-10
Oct 10 17:25:25 oliver anacron[1474]: Job `cron.weekly' terminated
Oct 10 17:25:25 oliver anacron[1474]: Job `cron.monthly' started
Oct 10 18:01:02 oliver CROND[14999]: (root) CMD (run-parts /etc/cron.hourly)
Oct 10 18:19:41 oliver anacron[1474]: Job `cron.monthly' terminated
Oct 10 18:19:41 oliver anacron[1474]: Normal exit (3 jobs run)
Oct 10 18:19:41 oliver anacron[15033]: Updated timestamp for job `cron.monthly' to 2007-10-10
Oct 10 19:01:01 oliver CROND[15105]: (root) CMD (run-parts /etc/cron.hourly)
Oct 10 20:01:01 oliver CROND[15207]: (root) CMD (run-parts /etc/cron.hourly)

91# ls -lZ /var/spool/cron/root
-rw-------  root root system_u:object_r:cron_spool_t:s0 /var/spool/cron/root
92#

audit2allow output for crond related items:

#============= crond_t ==============
allow crond_t hi_reserved_port_t:tcp_socket name_bind;
allow crond_t kernel_t:fd use;
allow crond_t portmap_port_t:tcp_socket name_connect;
allow crond_t var_yp_t:dir search;

97# rpm -q -a 'selinux*'
selinux-policy-3.0.8-20.fc8
selinux-policy-targeted-3.0.8-20.fc8
98#

Version-Release number of selected component (if applicable): vixie-cron-4.2-3.fc8

How reproducible: Always
Comment 1 Marcela Mašláňová 2007-10-15 03:10:32 EDT
Please try to relabel your system. I had this problem on some installations of
rawhide; some are fine. The selinux policy looks ok.

relabel:
touch /.autorelabel; reboot
Comment 2 Marcela Mašláňová 2007-10-15 06:18:29 EDT
I tried to update and relabel the whole system, but the problem is still occurring.

Crontab for user is fine. In the previous version in F-7, crontabs were
functional with selinux enforcing.
Comment 3 Marcela Mašláňová 2007-10-15 06:24:21 EDT
Target Context:  system_u:system_r:unconfined_t
Target Objects:  None [ key ]
Affected RPM Packages:  vixie-cron-4.1-82.fc7 [application]
Policy RPM:  selinux-policy-3.0.8-22.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall
Host Name:  dhcp-lab-135.englab.brq.redhat.com
Platform:  Linux dhcp-lab-135.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 14:54:16 EDT 2007 i686 i686
Alert Count:  42
First Seen:  Mon 15 Oct 2007 12:03:01 PM CEST
Last Seen:  Mon 15 Oct 2007 12:22:01 PM CEST
Local ID:  0cb9a53c-9d6a-4896-9043-abda1a35e299
Line Numbers:  
Raw Audit Messages :
avc: denied { search } for comm=crond egid=0 euid=0 exe=/usr/sbin/crond exit=-13
fsgid=0 fsuid=0 gid=500 items=0 pid=5852
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 suid=0 tclass=key
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500 
Comment 4 Daniel Walsh 2007-10-15 09:13:27 EDT
Do you have the allow_ypbind boolean turned on?

getsebool allow_ypbind

Turn it on via:

setsebool -P allow_ypbind 1 
Comment 5 Michael Carney 2007-10-15 09:35:04 EDT
121# getsebool allow_ypbind
allow_ypbind --> on
122#

I didn't touch this setting.
Comment 6 Marcela Mašláňová 2007-10-15 10:45:31 EDT
This bug should be solved by the newest selinux-policy.

In the meantime you can find out context with: semanage login -l | grep root
The second word should be system_u. If it isn't, you can fix it by:
semanage login -m -s system_u root
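
Added example, not part of the original bug thread and not code from Fedora or the commenters: a triage sketch that ties the "Unauthorized SELinux context" log line from the Description to the login-mapping check described in Comment 6. The function names and both sample inputs are constructed for illustration; on a live system the inputs would be /var/log/cron and the output of semanage login -l.

```shell
#!/bin/sh
# Constructed sample of cron log lines (format taken from the report).
SAMPLE_LOG='Oct 10 13:58:48 oliver crontab[1612]: (root) REPLACE (root)
Oct 10 13:59:01 oliver crond[1390]: (root) Unauthorized SELinux context (cron/root)
Oct 10 14:01:02 oliver CROND[1666]: (root) CMD (run-parts /etc/cron.hourly)'

# Constructed sample of `semanage login -l` output.
SAMPLE_LOGINS='Login Name                SELinux User              MLS/MCS Range

__default__               system_u                  s0
root                      root                      s0-s0:c0.c1023'

# Print each crontab owner that crond refused on SELinux grounds, once.
rejected_crontab_users() {
    printf '%s\n' "$1" | awk '
        /crond\[[0-9]+\]: \(.*\) Unauthorized SELinux context/ {
            # The first parenthesised field after the PID is the owner.
            if (match($0, /: \([^)]*\)/)) {
                u = substr($0, RSTART + 3, RLENGTH - 4)
                if (!(u in seen)) { seen[u] = 1; print u }
            }
        }'
}

# Print the SELinux user (second column) mapped to login name $1.
selinux_user_for() {
    printf '%s\n' "$2" | awk -v login="$1" '$1 == login { print $2; exit }'
}

# Succeed when login $1 maps to SELinux user $2 in listing $3.
check_mapping() {
    actual=$(selinux_user_for "$1" "$3")
    [ "$actual" = "$2" ]
}

# Report every rejected crontab owner whose mapping differs from the
# value Comment 6 expects (system_u).
for u in $(rejected_crontab_users "$SAMPLE_LOG"); do
    if check_mapping "$u" system_u "$SAMPLE_LOGINS"; then
        echo "$u: login mapping is system_u"
    else
        echo "$u: mapped to $(selinux_user_for "$u" "$SAMPLE_LOGINS"), expected system_u"
    fi
done
```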

Comment 7 Michael Carney 2007-10-15 10:57:28 EDT
Your suggested workaround solved the problem. Thanks!
Comment 8 Marcela Mašláňová 2007-10-17 03:42:04 EDT
The problem still persists in selinux-policy-targeted-3.0.8-22.fc8.

semanage login -l | grep root shows context root, and crontab -e doesn't work.
Comment 9 Daniel Walsh 2007-10-17 14:27:23 EDT
Try selinux-policy-targeted-3.0.8-24.fc8

On a fresh install
Comment 10 Daniel Walsh 2008-01-30 14:18:41 EST
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.
