Description of problem:
The running of crond is denied by selinux

Version-Release number of selected component (if applicable):
vixie-cron-4.2-5.fc8
selinux-policy-3.0.8-47.fc8

How reproducible:
Completely

Steps to Reproduce:
1. Make a crontab entry as per below
2. Sit and wait till the entry should be run
3.

Actual results:
A message from sealert and no running of entry

Expected results:
Running of crontab entry

Additional info:
This could be related to Bug 384821, but I gave it a new bug report as I wasn't sure. The output from sealert is:

Summary
SELinux is preventing the /usr/sbin/crond from using potentially mislabeled files ().

Detailed Description
SELinux has denied /usr/sbin/crond access to potentially mislabeled file(s) (). This means that SELinux will not allow /usr/sbin/crond to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access
If you want /usr/sbin/crond to access this files, you need to relabel them using restorecon -v . You might want to relabel the entire directory using restorecon -R -v .

Additional Information
Source Context: system_u:system_r:crond_t:s0-s0:c0.c1023
Target Context: root:object_r:user_home_t:s0
Target Objects: None [ dir ]
Affected RPM Packages: vixie-cron-4.2-5.fc8 [application]
Policy RPM: selinux-policy-3.0.8-47.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.home_tmp_bad_labels
Host Name: homealone.math.su.se
Platform: Linux homealone.math.su.se 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count: 1
First Seen: Fri 16 Nov 2007 06:02:01 AM CET
Last Seen: Fri 16 Nov 2007 06:02:01 AM CET
Local ID: 3866406c-70a6-48b2-9151-94b16c4927f4
Line Numbers:

Raw Audit Messages:
avc: denied { search } for comm=crond dev=dm-0 egid=200 euid=509 exe=/usr/sbin/crond exit=-13 fsgid=200 fsuid=509 gid=200 items=0 name=teke pid=4035 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 sgid=200 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 suid=509 tclass=dir tcontext=root:object_r:user_home_t:s0 tty=(none) uid=509

Fixed in selinux-policy-3.0.8-57.fc8

You can allow this for now by executing

# audit2allow -M mypol -i /var/log/audit/audit.log
# semodule -i mypol.pp

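Added example, not part of the original thread or of the SELinux tooling: a small parser that turns the AVC denial quoted in this report into the allow rule a local module would carry, so the rule can be reviewed before a module built from the whole audit log is loaded. The second log line, its `example_t` domain and its `example_data_t` type are constructed for illustration; the rule layout follows the `allow source target:class perms;` form that audit2allow emits.

```python
import re
from collections import defaultdict
# Raw audit message exactly as quoted in the report above (sealert formatting).
REPORTED = (
    "avc: denied { search } for comm=crond dev=dm-0 egid=200 euid=509 "
    "exe=/usr/sbin/crond exit=-13 fsgid=200 fsuid=509 gid=200 items=0 "
    "name=teke pid=4035 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 "
    "sgid=200 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 suid=509 "
    "tclass=dir tcontext=root:object_r:user_home_t:s0 tty=(none) uid=509"
)
# Constructed line (not from the report): an unrelated denial in the same log.
CONSTRUCTED = (
    'avc: denied { read write } for pid=999 comm="exampled" name="data" '
    "scontext=system_u:system_r:example_t:s0 "
    "tcontext=system_u:object_r:example_data_t:s0 tclass=file"
)
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields = {k: v.strip('"') for k, v in fields.items()}
    fields["perms"] = m.group(1).split()
    return fields

def se_type(context):
    """The type is the third colon-separated field of user:role:type:level."""
    return context.split(":")[2]

def allow_rules(lines, source_type=None):
    """Group denials into allow rules; optionally keep one source domain."""
    grouped = defaultdict(set)
    for avc in filter(None, map(parse_avc, lines)):
        src, tgt = se_type(avc["scontext"]), se_type(avc["tcontext"])
        if source_type in (None, src):
            grouped[(src, tgt, avc["tclass"])].update(avc["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for scope in (None, "crond_t"):  # whole log, then crond_t denials only
        print(scope, allow_rules([REPORTED, CONSTRUCTED], scope))
```

Run over the whole sample log the output contains a rule for every domain that logged a denial; restricting it to `crond_t` leaves only the `user_home_t:dir search` rule that corresponds to this report.
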
Bulk closing all bugs in Fedora updates in the modified state. If your bug is not fixed, please reopen.