Bug 388001 - selinux preventing cron from starting.
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
All Linux
low Severity low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-11-16 20:48 EST by Dave Jones
Modified: 2015-01-04 17:30 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:05:32 EST
Description Dave Jones 2007-11-16 20:48:51 EST
service crond restart fails, and there are these messages in audit.log ..

type=SELINUX_ERR msg=audit(1195262426.448:2102): security_compute_sid:  invalid
context user_u:system_r:crond_t:s0-s0:c0.c1023 for
scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:crond_exec_t:s0
type=SYSCALL msg=audit(1195262426.448:2102): arch=40000003 syscall=11 success=no
exit=-13 a0=9589958 a1=95897b8 a2=9589c98 a3=0 items=0 ppid=7493 pid=7494
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3
comm="bash" exe="/bin/bash" subj=user_u:system_r:initrc_t:s0 key=(null)
Comment 1 Daniel Walsh 2007-11-17 06:56:12 EST
Have you updated to the latest policy version?

This should have been fixed in 
Comment 2 Dave Jones 2007-11-19 19:48:38 EST
still broken for me.

(19:47:08:davej@firewall:~)$ rpm -q selinux-policy
(19:47:27:root@firewall:~)# getenforce 
(19:47:33:root@firewall:~)# setenforce 1
(19:47:38:root@firewall:~)# getenforce 
(19:47:39:root@firewall:~)# /etc/init.d/crond restart
Stopping crond:                                            [  OK  ]
Starting crond: /bin/bash: /usr/sbin/crond: Permission denied

(19:47:48:root@firewall:~)# setenforce 0
(19:48:09:root@firewall:~)# /etc/init.d/crond restart
Stopping crond:                                            [FAILED]
Starting crond:                                            [  OK  ]

I did a full relabel a day or two ago too, didn't help.
Comment 3 Daniel Walsh 2007-11-20 08:21:54 EST
# semanage user -m -r s0-s0:c0.c1023 unconfined_u

Then log out and log back in. All the way out, not just the su.

If it still does not work, do an id -Z after login.
Comment 4 Dave Jones 2007-11-20 15:00:01 EST
# semanage user -m -r s0-s0:c0.c1023 unconfined_u
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
/usr/sbin/semanage: SELinux user unconfined_u is not defined

This box was yum updated from f7 -> f8
Perhaps this was a problem during the upgrade ?
Comment 5 Daniel Walsh 2007-11-26 11:58:28 EST
After the semanage command above, does it work?
Comment 6 Dave Jones 2007-11-26 14:17:45 EST
no, probably because the command failed ?
Comment 7 Dave Jones 2007-11-26 14:27:31 EST
I found that selinux-policy-devel wasn't installed, so I installed it and
retried the command, different output this time..

semanage user -m -r s0-s0:c0.c1023 unconfined_u
/usr/sbin/semanage: SELinux user unconfined_u is not defined

logged out & back in, tried to restart cron in enforcing mode still fails.
Comment 8 Daniel Walsh 2007-11-26 16:02:13 EST
These commands should have happened on upgrade

semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
semanage login -m -s "unconfined_u" __default__ 2> /dev/null
semanage login -m -s "system_u" root 2> /dev/null
semanage user -a -P guest -R guest_r guest_u
semanage user -a -P xguest -R xguest_r xguest_u 
restorecon -R /root /var/log /var/run 2> /dev/null

You seem to be logging in as the default user user_u  instead of unconfined_u.
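
Added example, not part of the original bug thread: a small Python triage helper that pairs the SELINUX_ERR record from the description with the SYSCALL record sharing its audit event id, then reports which SELinux user the rejected context was computed for and which fields the transition changed. The sample input is the two audit records quoted in the description, re-joined onto one line each; the function and field names are this example's own.

```python
import re

# The two audit records from the bug description, re-joined onto one line each.
SAMPLE = """\
type=SELINUX_ERR msg=audit(1195262426.448:2102): security_compute_sid:  invalid context user_u:system_r:crond_t:s0-s0:c0.c1023 for scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:crond_exec_t:s0
type=SYSCALL msg=audit(1195262426.448:2102): arch=40000003 syscall=11 success=no exit=-13 a0=9589958 a1=95897b8 a2=9589c98 a3=0 items=0 ppid=7493 pid=7494 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 comm="bash" exe="/bin/bash" subj=user_u:system_r:initrc_t:s0 key=(null)
"""

HEADER = re.compile(r"type=(\S+) msg=audit\(([\d.]+:\d+)\): (.*)")
INVALID = re.compile(r"invalid\s+context (\S+) for scontext=(\S+) tcontext=(\S+)")
FIELDS = ("user", "role", "type", "range")


def split_context(ctx):
    # The MLS range itself contains ':' (s0-s0:c0.c1023), so split only 3 times.
    return dict(zip(FIELDS, ctx.split(":", 3)))


def find_invalid_transitions(log_text):
    """Return one finding per audit event that carries an 'invalid context' error."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:  # group records by the timestamp:serial event id
            events.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
    findings = []
    for event_id, records in events.items():
        m = INVALID.search(records.get("SELINUX_ERR", ""))
        if not m:
            continue
        new, src = split_context(m.group(1)), split_context(m.group(2))
        syscall = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', records.get("SYSCALL", "")))
        findings.append({
            "event": event_id,
            "selinux_user": new["user"],  # inherited from the login session
            "changed": {f: (src[f], new[f]) for f in FIELDS if src[f] != new[f]},
            "target": m.group(3),
            "exit": int(syscall.get("exit", 0)),  # -13 is EACCES, "Permission denied"
            "auid": syscall.get("auid"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_invalid_transitions(SAMPLE):
        print(finding)
```

On the records above it reports `user_u` with the type changed to `crond_t` and the range changed to `s0-s0:c0.c1023`, which points at the login mapping to check with `semanage login -l` and `semanage user -l`.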

Comment 9 Dave Jones 2007-11-27 18:53:43 EST
awesome. that makes it work again.
I wonder why that never triggered when I did the yum update from f7 -> f8.
Comment 10 Dave Jones 2007-11-28 01:27:08 EST
whoops.  it allowed me to restart cron, but it then stopped me from logging in
again afterwards (both by ssh and on the console).  rebooted to single-user and
relabelled, which fixed that, but now this is odd..

$ ll -Z .ssh/
lrwxrwxrwx  davej davej unconfined_u:object_r:unconfined_home_t authorized_keys -> /home/davej/.ssh/id_dsa.pub
-rw-------  davej davej unconfined_u:object_r:unconfined_home_t id_dsa
-rw-r--r--  davej davej unconfined_u:object_r:unconfined_home_t id_dsa.pub
-rw-------  davej davej unconfined_u:object_r:unconfined_home_t identity
-rw-r--r--  davej davej unconfined_u:object_r:unconfined_home_t identity.pub
-rw-r--r--  davej davej unconfined_u:object_r:unconfined_home_t known_hosts

restorecon .ssh/* doesn't set them back to user_u:object_r:user_home_ssh_t
This means I'm asked for a password every time I ssh, instead of it doing
key-auth.  Help me obi-wan.
Comment 11 Daniel Walsh 2007-11-28 05:30:01 EST
What is your ssh-agent running as?

ps -eZ | grep ssh
Comment 12 Dave Jones 2007-12-03 01:07:25 EST
# ps -eZ | grep ssh
system_u:system_r:sshd_t:SystemLow-SystemHigh 1702 ? 00:00:00 sshd
system_u:system_r:sshd_t:SystemLow-SystemHigh 2067 ? 00:00:00 sshd
system_u:system_r:sshd_t:SystemLow-SystemHigh 2071 ? 00:00:00 sshd
Comment 13 Daniel Walsh 2007-12-03 13:01:50 EST
So ssh-agent is not running?

Have you updated to selinux-policy-3.0.8-62?
Comment 14 Dave Jones 2007-12-10 16:36:13 EST

no ssh-agent, but sshd is running. (And restarting it makes no difference)
Comment 15 Daniel Walsh 2007-12-12 16:51:37 EST
Fixed in selinux-policy-3.0.8-69.fc8
Comment 16 Daniel Walsh 2008-01-30 14:05:32 EST
Bulk closing old selinux policy bugs that were in the modified state. If the
bug is still not fixed, please reopen.
