service crond restart fails, and there are these messages in audit.log ..
    type=SELINUX_ERR msg=audit(1195262426.448:2102): security_compute_sid: invalid context user_u:system_r:crond_t:s0-s0:c0.c1023 for scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:crond_exec_t:s0 tclass=process
    type=SYSCALL msg=audit(1195262426.448:2102): arch=40000003 syscall=11 success=no exit=-13 a0=9589958 a1=95897b8 a2=9589c98 a3=0 items=0 ppid=7493 pid=7494 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 comm="bash" exe="/bin/bash" subj=user_u:system_r:initrc_t:s0 key=(null)
Have you updated to the latest policy version? This should have been fixed in selinux-policy-3.0.8-47?
still broken for me.
    (19:47:08:davej@firewall:~)$ rpm -q selinux-policy
    selinux-policy-3.0.8-56.fc8
    (19:47:27:root@firewall:~)# getenforce
    Permissive
    (19:47:33:root@firewall:~)# setenforce 1
    (19:47:38:root@firewall:~)# getenforce
    Enforcing
    (19:47:39:root@firewall:~)# /etc/init.d/crond restart
    Stopping crond: [ OK ]
    Starting crond: /bin/bash: /usr/sbin/crond: Permission denied [FAILED]
    (19:47:48:root@firewall:~)# setenforce 0
    (19:48:09:root@firewall:~)# /etc/init.d/crond restart
    Stopping crond: [FAILED]
    Starting crond: [ OK ]
I did a full relabel a day or two ago too, didn't help.
Try
    # semanage user -m -r s0-s0:c0.c1023 unconfined_u
Then log out and log back in. All the way out, not just the su. If it still does not work, do an id -Z after login.
    # semanage user -m -r s0-s0:c0.c1023 unconfined_u
    Failed to translate booleans.
    [Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
    /usr/sbin/semanage: SELinux user unconfined_u is not defined
This box was yum updated from f7 -> f8. Perhaps this was a problem during the upgrade?
After the semanage command above, does it work?
no, probably because the command failed ?
I found that selinux-policy-devel wasn't installed, so I installed it and retried the command, different output this time..
    semanage user -m -r s0-s0:c0.c1023 unconfined_u
    /usr/sbin/semanage: SELinux user unconfined_u is not defined
logged out & back in, tried to restart cron in enforcing mode, still fails.
These commands should have happened on upgrade:
    semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
    semanage login -m -s "unconfined_u" __default__ 2> /dev/null
    semanage login -m -s "system_u" root 2> /dev/null
    semanage user -a -P guest -R guest_r guest_u
    semanage user -a -P xguest -R xguest_r xguest_u
    restorecon -R /root /var/log /var/run 2> /dev/null
You seem to be logging in as the default user user_u instead of unconfined_u.
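
The observation in the comment above (the session runs as user_u rather than unconfined_u) can be read directly from the audit record in the first comment. The following is an added example, not part of the original bug report or of any SELinux tool: it pairs each SELINUX_ERR "invalid context" record with its SYSCALL record and splits the contexts into fields. The function names and the expected_user default are assumptions, and the sample is abridged from the record quoted in this thread.

```python
import re

# Abridged from the audit.log records quoted in the first comment of this thread.
SAMPLE = (
    "type=SELINUX_ERR msg=audit(1195262426.448:2102): security_compute_sid: "
    "invalid context user_u:system_r:crond_t:s0-s0:c0.c1023 for "
    "scontext=user_u:system_r:initrc_t:s0 "
    "tcontext=system_u:object_r:crond_exec_t:s0 tclass=process\n"
    "type=SYSCALL msg=audit(1195262426.448:2102): arch=40000003 syscall=11 "
    'success=no exit=-13 auid=500 uid=0 comm="bash" exe="/bin/bash" '
    "subj=user_u:system_r:initrc_t:s0 key=(null)\n"
)

ERR_RE = re.compile(
    r"type=SELINUX_ERR msg=audit\((?P<id>[\d.]+:\d+)\): security_compute_sid: "
    r"invalid context (?P<bad>\S+) for scontext=(?P<src>\S+) "
    r"tcontext=(?P<tgt>\S+) tclass=(?P<tclass>\S+)")
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<id>[\d.]+:\d+)\):.*?\bsubj=(?P<subj>\S+)")

def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    return dict(zip(("user", "role", "type", "range"), parts + [""]))

def explain_invalid_contexts(log_text, expected_user="unconfined_u"):
    """Summarise each 'invalid context' event; expected_user is an assumption."""
    subj = {m["id"]: m["subj"] for m in SYSCALL_RE.finditer(log_text)}
    findings = []
    for m in ERR_RE.finditer(log_text):
        src, bad = split_context(m["src"]), split_context(m["bad"])
        findings.append({
            "event": m["id"],
            "caller_user": src["user"],
            "unexpected_user": src["user"] != expected_user,
            "caller_range": src["range"],
            "rejected_range": bad["range"],
            "rejected_type": bad["type"],
            "entrypoint_type": split_context(m["tgt"])["type"],
            "subj_matches_scontext": subj.get(m["id"]) == m["src"],
        })
    return findings

if __name__ == "__main__":
    for finding in explain_invalid_contexts(SAMPLE):
        print(finding)
```
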
awesome. that makes it work again. I wonder why that never triggered when I did the yum update from f7 -> f8.
whoops. it allowed me to restart cron, but it then stopped me from logging in again afterwards (both by ssh and on the console). rebooted to single-user and relabelled, which fixed that, but now this is odd..
    $ ll -Z .ssh/
    lrwxrwxrwx davej davej unconfined_u:object_r:unconfined_home_t authorized_keys -> /home/davej/.ssh/id_dsa.pub
    -rw------- davej davej unconfined_u:object_r:unconfined_home_t id_dsa
    -rw-r--r-- davej davej unconfined_u:object_r:unconfined_home_t id_dsa.pub
    -rw------- davej davej unconfined_u:object_r:unconfined_home_t identity
    -rw-r--r-- davej davej unconfined_u:object_r:unconfined_home_t identity.pub
    -rw-r--r-- davej davej unconfined_u:object_r:unconfined_home_t known_hosts
restorecon .ssh/* doesn't set them back to user_u:object_r:user_home_ssh_t
This means I'm asked for a password every time I ssh, instead of it doing key-auth. Help me obi-wan.
What is your ssh-agent running as?
    ps -eZ | grep ssh
    # ps -eZ | grep ssh
    system_u:system_r:sshd_t:SystemLow-SystemHigh 1702 ? 00:00:00 sshd
    system_u:system_r:sshd_t:SystemLow-SystemHigh 2067 ? 00:00:00 sshd
    system_u:system_r:sshd_t:SystemLow-SystemHigh 2071 ? 00:00:00 sshd
So ssh-agent is not running? Have you updated to selinux-policy-3.0.8-62?
    selinux-policy-3.0.8-64.fc8
no ssh-agent, but sshd is running. (And restarting it makes no difference)
Fixed in selinux-policy-3.0.8-69.fc8
Bulk closing old selinux policy bugs that were in the modified state. If the bug is still not fixed, please reopen.