Description of problem: After upgrading to F8 from F7, my root crontab entries stopped working. I noted in the cron log: cron:Nov 11 09:37:16 yorky crond[1921]: (root) Unauthorized SELinux context (cron/root) cron:Nov 11 10:09:36 yorky crond[1923]: (root) Unauthorized SELinux context (cron/root) cron:Nov 12 06:14:01 yorky crond[1923]: (root) Unauthorized SELinux context (cron/root) cron:Nov 12 06:16:01 yorky crond[1923]: (root) Unauthorized SELinux context (cron/root) cron:Nov 12 15:33:01 yorky crond[1923]: (root) Unauthorized SELinux context (cron/root) /var/spool/cron shows: ls -lZ -rw------- dmobrien root user_u:object_r:cron_spool_t dmobrien -rw------- root root system_u:object_r:unconfined_cron_spool_t root And nothing runs. Version-Release number of selected component (if applicable): selinux-policy-3.0.8-47.fc8 How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
I see something very similar on Fedora 8 systems, although this is with selinux-policy-targeted-3.0.8- 53.fc8. On one system I get exactly the same error: Nov 18 11:42:01 cowbell crond[1890]: (root) Unauthorized SELinux context (cron/root) I can work around this, however, by putting my root crontab in /etc/cron.d/ instead. Notably, non-root crontabs work just fine. On another system, root crontabs work OK, but crond complains about /etc/crontab and /etc/cron.d/ instead: Nov 18 11:32:57 organ crond[2437]: (system_u) Unauthorized SELinux context (/etc/crontab) Nov 18 11:32:57 organ crond[2437]: (system_u) Unauthorized SELinux context (/etc/cron.d/backup) On other systems, both /etc/cron.d/ and root crontabs work fine. All of these systems are F8 upgraded from F7, starting from very similar installs, on x86_64, so I'm at a loss to explain why they behave so differently. File contexts seem to be OK, and 'restorecon -v' on these files reports no changes. Nor does removing and reinstalling the vixie-cron and crontabs RPMs change the symptoms. File contexts on the system with broken root crontab: [root@cowbell ~]# ls -lZ /etc/crontab /etc/cron.d/subversion-local /var/spool/cron/root /var/spool/cron/ben -rw-r--r-- root root system_u:object_r:system_cron_spool_t /etc/cron.d/subversion-local -rw-r--r-- root root system_u:object_r:system_cron_spool_t /etc/crontab -rw------- ben root system_u:object_r:unconfined_cron_spool_t /var/spool/cron/ben -rw------- root root root:object_r:unconfined_cron_spool_t /var/spool/cron/root and on the system with broken /etc/crontab and /etc/cron.d/: [root@organ ~]# ls -lZ /etc/crontab /etc/cron.d/backup /var/spool/cron/root -rw-r--r-- root root root:object_r:system_cron_spool_t /etc/cron.d/backup -rw-r--r-- root root system_u:object_r:system_cron_spool_t /etc/crontab -rw------- root root root:object_r:unconfined_cron_spool_t /var/spool/cron/root
Fixed in selinux-policy-3.0.8-56.fc8
It doesn't fix my problem: [root@organ ~]# service crond restart Stopping crond: [ OK ] Starting crond: [ OK ] [root@organ ~]# rpm -q selinux-policy-targeted selinux-policy-targeted-3.0.8-56.fc8 [root@organ ~]# tail -3 /var/log/cron Nov 19 15:16:23 organ crond[3326]: (CRON) STARTUP (4.2) Nov 19 15:16:23 organ crond[3326]: (system_u) Unauthorized SELinux context (/etc/crontab) Nov 19 15:16:23 organ crond[3326]: (system_u) Unauthorized SELinux context (/etc/cron.d/backup) [root@organ ~]# ls -lZ /etc/crontab -rw-r--r-- root root system_u:object_r:system_cron_spool_t /etc/crontab
Could you log out and log back in. And then try it.
This is a headless server, so there is rarely anybody logged in, but I just tried it again with a new ssh login and selinux-policy-targeted-3.0.8-56.fc8; same deal (file contexts are as in #3): [root@organ ~]# service crond restart Stopping crond: [ OK ] Starting crond: [ OK ] [root@organ ~]# tail -3 /var/log/cron Nov 21 01:12:35 organ crond[4744]: (CRON) STARTUP (4.2) Nov 21 01:12:35 organ crond[4744]: (system_u) Unauthorized SELinux context (/etc/crontab) Nov 21 01:12:35 organ crond[4744]: (system_u) Unauthorized SELinux context (/etc/cron.d/backup)
*** This bug has been marked as a duplicate of 393261 ***