Bug 393261 - Cron daemon complains about unauthorized SELinux contexts
Cron daemon complains about unauthorized SELinux contexts
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
: 378701 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-20 17:04 EST by Bojan Smojver
Modified: 2008-01-30 14:19 EST (History)
6 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-30 14:19:22 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Bojan Smojver 2007-11-20 17:04:25 EST
Description of problem:
Since the upgrade from F7 to F8, I'm getting this in /var/log/cron:
---------
Nov 20 18:29:01 beauty crond[2184]: (system_u) Unauthorized SELinux context
(/etc/cron.d/clamav-update)
Nov 20 18:29:01 beauty crond[2184]: (system_u) Unauthorized SELinux context
(/etc/cron.d/sa-update)
Nov 20 18:29:01 beauty crond[2184]: (ldap) Unauthorized SELinux context (cron/ldap)
Nov 20 18:29:01 beauty crond[2184]: (root) Unauthorized SELinux context (cron/root)
---------
In permissive mode, this turns into:
---------
Nov 21 08:29:31 beauty crond[6384]: (system_u) Unauthorized SELinux context, but
SELinux in permissive mode, continuing (/etc/crontab)
Nov 21 08:29:31 beauty crond[6384]: (system_u) Unauthorized SELinux context, but
SELinux in permissive mode, continuing (/etc/cron.d/mailman)
Nov 21 08:29:31 beauty crond[6384]: (system_u) Unauthorized SELinux context, but
SELinux in permissive mode, continuing (/etc/cron.d/clamav-update)
Nov 21 08:29:31 beauty crond[6384]: (system_u) Unauthorized SELinux context, but
SELinux in permissive mode, continuing (/etc/cron.d/sa-update)
Nov 21 08:29:31 beauty crond[6384]: (ldap) Unauthorized SELinux context, but
SELinux in permissive mode, continuing (cron/ldap)
---------

Version-Release number of selected component (if applicable):
4.2-5.fc8

How reproducible:
Always.

Steps to Reproduce:
1. Start cron under targeted SELinux policy.
  
Actual results:
Cron complains and eventually doesn't run jobs.

Expected results:
Worked fine in F7, should work fine in F8.

Additional info:
Googled the errors, but the only results pointed to a broken vixie-cron in FC6.
Comment 1 Marcela Mašláňová 2007-11-21 02:32:46 EST
The policy for selinux is in selinux-policy, that's not problem of cron.
At first please try to update on the latter selinux-policy-3.0.8-56.fc8.
Comment 2 Bojan Smojver 2007-11-21 02:42:41 EST
OK, upped. Let see what happens...
Comment 3 Bojan Smojver 2007-11-21 02:51:19 EST
Nope, still the same:
------------
Nov 21 18:50:05 beauty crond[15050]: (system_u) Unauthorized SELinux context,
but SELinux in permissive mode, continuing (/etc/crontab)
Nov 21 18:50:05 beauty crond[15050]: (system_u) Unauthorized SELinux context,
but SELinux in permissive mode, continuing (/etc/cron.d/mailman)
Nov 21 18:50:05 beauty crond[15050]: (system_u) Unauthorized SELinux context,
but SELinux in permissive mode, continuing (/etc/cron.d/clamav-update)
Nov 21 18:50:05 beauty crond[15050]: (system_u) Unauthorized SELinux context,
but SELinux in permissive mode, continuing (/etc/cron.d/sa-update)
Nov 21 18:50:05 beauty crond[15050]: (ldap) Unauthorized SELinux context, but
SELinux in permissive mode, continuing (cron/ldap)
------------

This is with selinux-policy-targeted-3.0.8-56.fc8.
Comment 4 Bojan Smojver 2007-11-21 03:03:31 EST
I don't see anything related to this in the changelog of -58 policy either
(updates-testing).
Comment 5 Daniel Walsh 2007-11-21 09:17:18 EST
Please attach avc messages from /var/log/audit/audit.log or /var/log/messages

Or do you see any SELINUX_ERR in /var/log/audit/audit.log.

After you install the update, could you log out and log back in, and 
service cron restart

Finally please show the process context of cron

# ps -eZ | grep cron
# id -Z
Comment 6 Daniel Walsh 2007-11-21 09:19:20 EST
*** Bug 378701 has been marked as a duplicate of this bug. ***
Comment 7 Daniel Walsh 2007-11-21 09:21:14 EST
# semanage user -l | grep system_u
Comment 8 Dan O'Brien 2007-11-21 09:45:48 EST
/var/log: /etc/init.d/crond restart
Stopping crond:                                            [  OK  ]
Starting crond:                                            [  OK  ]
/var/log: tail cron
Nov 21 04:02:01 yorky CROND[14216]: (root) CMD (run-parts /etc/cron.daily)
Nov 21 04:59:07 yorky anacron[15342]: Updated timestamp for job `cron.daily' to 
2007-11-21
Nov 21 05:01:02 yorky CROND[15732]: (root) CMD (run-parts /etc/cron.hourly)
Nov 21 06:01:01 yorky CROND[19330]: (root) CMD (run-parts /etc/cron.hourly)
Nov 21 07:01:01 yorky CROND[19836]: (root) CMD (run-parts /etc/cron.hourly)
Nov 21 08:00:01 yorky CROND[20422]: (root) CMD (/usr/bin/rsnapshot hourly)
Nov 21 08:01:01 yorky CROND[20438]: (root) CMD (run-parts /etc/cron.hourly)
Nov 21 09:01:01 yorky CROND[21045]: (root) CMD (run-parts /etc/cron.hourly)
Nov 21 09:39:56 yorky crond[21519]: (CRON) STARTUP (4.2)
Nov 21 09:39:56 yorky crond[21519]: (root) Unauthorized SELinux context (cron/ro
ot)
/var/log: rpm -q selinux-policy-targeted
selinux-policy-targeted-3.0.8-56.fc8
/var/log: ps -eZ | grep cron
system_u:system_r:crond_t:SystemLow-SystemHigh 1967 ? 00:00:00 atd
system_u:system_r:crond_t:SystemLow-SystemHigh 21519 ? 00:00:00 crond
/var/log: id -Z
system_u:system_r:unconfined_t

/var/log: /usr/sbin/semanage user -l | grep system_u
/var/log: 
Comment 9 Daniel Walsh 2007-11-21 10:20:28 EST
On my machine.

# /usr/sbin/semanage user -l | grep system_u
system_u        user       s0         s0-s0:c0.c1023                 system_r


That is strange, that should be there.  You can add it with the following command.
# emanage user -a -P user -R system_r -r s0-s0:c0.c1023 system_u 
Comment 10 Daniel Walsh 2007-11-21 10:52:33 EST
Should be 

# semanage user -a -P user -R system_r -r s0-s0:c0.c1023 system_u 
Comment 11 Dan O'Brien 2007-11-21 10:56:35 EST
/home/dmobrien: sudo /usr/sbin/semanage user -a -P user -R system_r -r s0-s0:>
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
/usr/sbin/semanage: SELinux user system_u is already defined

this was an upgraded f7->f8 system
Comment 12 Dan O'Brien 2007-11-21 11:04:42 EST
grep of semanage output seems to fail.

/home/dmobrien: sudo /usr/sbin/semanage user -l               
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         guest      s0         s0                             guest_r
root            sysadm     s0         SystemLow-SystemHigh           system_r
sysadm_r staff_r
staff_u         staff      s0         SystemLow-SystemHigh           sysadm_r
staff_r
sysadm_u        sysadm     s0         SystemLow-SystemHigh           sysadm_r
system_u        user       s0         SystemLow-SystemHigh           system_r
unconfined_u    unconfined s0         SystemLow-SystemHigh           system_r
unconfined_r
user_u          user       s0         s0                             system_r user_r
xguest_u        xguest     s0         s0                             xguest_r
/home/dmobrien: 

/home/dmobrien: sudo /usr/sbin/semanage user -l|grep system_u
/home/dmobrien: 

that's just weird
Comment 13 Daniel Walsh 2007-11-21 11:31:21 EST
Dan, Just out of curiosity,  

ls -lZ /etc/selinux/targeted/contexts/*rpm*
Comment 14 Dan O'Brien 2007-11-21 11:57:49 EST
/home/dmobrien: ls -lZ /etc/selinux/targeted/contexts/*rpm*
ls: cannot access /etc/selinux/targeted/contexts/*rpm*: No such file or director
y
/home/dmobrien: rpm -q --whatprovides /etc/selinux/targeted/
selinux-policy-targeted-3.0.8-56.fc8
/home/dmobrien: rpm -q --whatprovides /etc/selinux/targeted/contexts
selinux-policy-targeted-3.0.8-56.fc8
/home/dmobrien: ls /etc/selinux/targeted/contexts                         
customizable_types  default_contexts  failsafe_context  initrc_context     
removable_context  userhelper_context
dbus_contexts       default_type      files             netfilter_contexts 
securetty_types    users
/home/dmobrien: 
Comment 15 Ben Webb 2007-11-21 12:31:36 EST
Following up from bug #378701 here, it seems that I'm seeing the same problems.

[root@organ ~]# semanage user -l |grep system_u
system_u        user       s0         SystemLow-SystemHigh           system_r

[root@organ ~]# semanage user -l 
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
...
RPM also gave me this same error on the last selinux-policy-targeted update (-58).
Comment 16 Bojan Smojver 2007-11-21 15:59:16 EST
On crond restart, I see this in audit.log:
----------------------------
type=AVC msg=audit(1195678331.994:2263): avc:  denied  { search } for  pid=15911
comm="crond" name="/" dev=proc ino=1
scontext=root:system_r:crond_t:s0-s0:c0.c1023
tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1195678331.994:2263): arch=40000003 syscall=5 success=yes
exit=6 a0=a02bee8 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=15911 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="crond"
exe="/usr/sbin/crond" subj=root:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1195678332.081:2264): avc:  denied  { search } for  pid=15911
comm="crond" name="/" dev=proc ino=1
scontext=root:system_r:crond_t:s0-s0:c0.c1023
tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1195678332.081:2264): arch=40000003 syscall=5 success=yes
exit=7 a0=a02d2e0 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=15911 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="crond"
exe="/usr/sbin/crond" subj=root:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1195678332.143:2265): avc:  denied  { search } for  pid=1668
comm="mcstransd" name="/" dev=proc ino=1
scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023
tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
----------------------------

ps -eZ | grep cron gives:
----------------------------
system_u:system_r:crond_t:SystemLow-SystemHigh 2174 ? 00:00:00 atd
system_u:system_r:crond_t:SystemLow-SystemHigh 15178 ? 00:00:00 crond
root:system_r:crond_t:SystemLow-SystemHigh 15911 ? 00:00:00 crond
----------------------------

id -Z gives:
----------------------------
root:system_r:unconfined_t:-s0:c0.c255
----------------------------

semanage user -l | grep system_u gives:
----------------------------
system_u        user       s0         SystemLow-SystemHigh           system_r
----------------------------

When I run:

semanage user -a -P user -R system_r -r s0-s0:c0.c1023 system_u
----------------------------
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
/usr/sbin/semanage: SELinux user system_u is already defined
----------------------------

Finally,

ls -lZ /etc/selinux/targeted/contexts/*rpm*
----------------------------
ls: cannot access /etc/selinux/targeted/contexts/*rpm*: No such file or directory
----------------------------

My system has been upgraded from F7 to F8 using yum upgrade.

An additional piece of info is that I've seen complaints about
/usr/share/selinux/devel/policy.xml missing during most recent yum update.
Comment 17 Daniel Walsh 2007-11-26 11:46:08 EST
Looks like the avc's are being generated because you did the service crond
restart while in a directory labeled named_conf_t.  This can safely be ignored. 

The policy.xml can be ignored,  the message should be gone on the next update,
or you could install selinux-policy-devel, to install
'/usr/share/selinux/devel/policy.xml'

I have added the cron maintainer to the list to see if he has any ideas?


Comment 18 Dan O'Brien 2007-11-26 12:35:07 EST
/var/spool/cron: ls -ldZ /var                    
drwxr-xr-x  root root system_u:object_r:var_t          /var
/var/spool/cron: ls -ldZ /var/spool
drwxr-xr-x  root root system_u:object_r:var_spool_t    /var/spool
/var/spool/cron: ls -ldZ /var/spool/cron
drwx------  root root system_u:object_r:cron_spool_t   /var/spool/cron
/var/spool/cron: ls -lZ /var/spool/cron/root
-rw-------  root root system_u:object_r:unconfined_cron_spool_t /var/spool/cron/root
/var/spool/cron: ls -lZ /var/spool/cron/dmobrien
-rw-------  dmobrien root user_u:object_r:cron_spool_t     /var/spool/cron/dmobrien

I restarted crond and there was no kernel SELinux message:

/var/spool/cron: /etc/init.d/crond restart
Stopping crond:                                            [  OK  ]
Starting crond:                                            [  OK  ]
/var/spool/cron: dmesg | tail -5
Bluetooth: RFCOMM TTY layer initialized
Bluetooth: RFCOMM ver 1.8
Bluetooth: BNEP (Ethernet Emulation) ver 1.2
Bluetooth: BNEP filters: protocol multicast
usb 1-1: reset high speed USB device using ehci_hcd and address 2
/var/spool/cron:

However, there was a complaint in cron log!

/var/spool/cron: tail /var/log/cron
Nov 26 08:00:01 yorky CROND[23667]: (root) CMD (/usr/bin/rsnapshot hourly)
Nov 26 08:01:01 yorky CROND[23689]: (root) CMD (run-parts /etc/cron.hourly)
Nov 26 09:01:01 yorky CROND[24172]: (root) CMD (run-parts /etc/cron.hourly)
Nov 26 10:01:01 yorky CROND[24656]: (root) CMD (run-parts /etc/cron.hourly)
Nov 26 11:01:01 yorky CROND[25182]: (root) CMD (run-parts /etc/cron.hourly)
Nov 26 12:00:01 yorky CROND[25662]: (root) CMD (/usr/bin/rsnapshot hourly)
Nov 26 12:01:01 yorky CROND[25684]: (root) CMD (run-parts /etc/cron.hourly)
Nov 26 12:27:35 yorky crontab[25926]: (root) LIST (root)
Nov 26 12:31:00 yorky crond[25980]: (CRON) STARTUP (4.2)
Nov 26 12:31:00 yorky crond[25980]: (root) Unauthorized SELinux context (cron/root)

Could the crond be checking for selinux attributes incorrectly?
Comment 19 Daniel Walsh 2007-11-26 12:53:54 EST
ls -lZ /var/spool/cron/root 
Comment 20 Daniel Walsh 2007-11-26 12:55:11 EST
 ls -lZ /var/spool/cron/root 
-rw-------  root root unconfined_u:object_r:unconfined_cron_spool_t:s0
/var/spool/cron/root

tail /var/log/cron
Nov 26 12:52:01 localhost CROND[20000]: (root) CMD (id -Z)
Nov 26 12:52:01 localhost CROND[19998]: (root) MAIL (mailed 46 bytes of output
but got status 0x0041#012)
Nov 26 12:52:06 localhost crontab[20008]: (root) BEGIN EDIT (root)
Nov 26 12:52:46 localhost crontab[20008]: (root) REPLACE (root)
Nov 26 12:52:46 localhost crontab[20008]: (root) END EDIT (root)
Nov 26 12:53:01 localhost crond[2397]: (root) RELOAD (cron/root)
Nov 26 12:53:01 localhost CROND[20055]: (root) CMD (id -Z)
Nov 26 12:53:01 localhost CROND[20053]: (root) MAIL (mailed 46 bytes of output
but got status 0x0041#012)

crontab -e
0-59 * * * * id -Z

Comment 21 Dan O'Brien 2007-11-26 13:28:11 EST
Ok, so that blows that theory.   But crond is emitting an error message on the
restart:

/home/dmobrien: id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=system_u:system_r:unconfined_t
/home/dmobrien: crontab -l
#
* * * * * id -a > /var/tmp/out.txt
/home/dmobrien: ls -l /var/tmp/out.txt
ls: cannot access /var/tmp/out.txt: No such file or directory
/home/dmobrien: 

I editted crontab and took out the stdout redirection

/home/dmobrien: crontab -l
#
* * * * * id -a 

Nov 26 13:01:01 yorky CROND[26234]: (root) CMD (run-parts /etc/cron.hourly)
Nov 26 13:25:02 yorky crontab[26467]: (root) LIST (root)
Nov 26 13:26:07 yorky crontab[26478]: (root) BEGIN EDIT (root)
Nov 26 13:26:11 yorky crontab[26478]: (root) REPLACE (root)
Nov 26 13:26:11 yorky crontab[26478]: (root) END EDIT (root)
Nov 26 13:27:01 yorky crond[25980]: (root) Unauthorized SELinux context (cron/root)

Comment 22 Daniel Walsh 2007-11-26 13:46:07 EST
Also if you log out and log back in,  What is your context?

id -Z


Please show the context of the cron file

ls -lZ /var/spool/cron/root 
-rw-------  root root unconfined_u:object_r:unconfined_cron_spool_t:s0
/var/spool/cron/root
Comment 23 Dan O'Brien 2007-11-26 15:16:34 EST
/OBrienDM: ssh home
Last login: Mon Nov 26 13:24:51 2007 from work.com
/home/dmobrien: sudo ksh
Password:
/home/dmobrien: ls -lZ /var/spool/cron/root
-rw-------  root root system_u:object_r:unconfined_cron_spool_t /var/spool/cron/
                                                     root
/home/dmobrien: 

I see that it is system_u instead of unconfined_u like yours
Comment 24 Bojan Smojver 2007-11-26 16:13:30 EST
Regarding comment #17, I restarted cron from different directories, got the same
message. But the main point is that if we're not in permissive mode, jobs don't run.

# ls -lZ /var/spool/cron/root 
-rw-------  root root root:object_r:cron_spool_t       /var/spool/cron/root

# id -Z
root:system_r:unconfined_t:-s0:c0.c255

PS. Isn't cron maintainer a she? :-)
Comment 25 Daniel Walsh 2007-11-26 22:33:13 EST
Bojan the context on your file is wrong, I believe.

Could either of both of you execute

semodule -DB 

And then check for avc messages the next time cron runs?

Steve do you have ideas?
Comment 26 Ben Webb 2007-11-26 23:29:44 EST
I just tried this:
[root@organ ~]# semodule -DB
[root@organ ~]# service crond restart
Stopping crond:                                            [  OK  ]
Starting crond:                                            [  OK  ]
[root@organ ~]# tail /var/log/cron
Nov 26 20:19:20 organ crond[9960]: (CRON) STARTUP (4.2)
Nov 26 20:19:20 organ crond[9960]: (system_u) Unauthorized SELinux context
(/etc/crontab)
Nov 26 20:19:20 organ crond[9960]: (system_u) Unauthorized SELinux context
(/etc/cron.d/backup)
[root@organ ~]# tail /var/log/messages
Nov 26 20:19:15 organ kernel: audit(1196137155.570:12): policy loaded
auid=4294967295
Nov 26 20:19:15 organ kernel: audit(1196137155.622:13): avc:  denied  { siginh }
for  pid=9941 comm="setfiles" scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=root:system_r:setfiles_t:s0-s0:c0.c255 tclass=process
Nov 26 20:19:15 organ kernel: audit(1196137155.622:14): avc:  denied  {
rlimitinh } for  pid=9941 comm="setfiles"
scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=root:system_r:setfiles_t:s0-s0:c0.c255 tclass=process
Nov 26 20:19:15 organ kernel: audit(1196137155.622:15): avc:  denied  {
noatsecure } for  pid=9941 comm="setfiles"
scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=root:system_r:setfiles_t:s0-s0:c0.c255 tclass=process
Nov 26 20:19:15 organ kernel: audit(1196137155.675:16): user pid=1851 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received
policyload notice (seqno=4)
Nov 26 20:19:15 organ kernel: : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'

I don't see anything cron related in there though.
Comment 27 Bojan Smojver 2007-11-27 00:18:22 EST
semodule -DB gives in /var/log/audit/audit.log
---------------------------------
type=AVC msg=audit(1196140595.056:19657): avc:  denied  { read } for  pid=2392
comm="rklogd" path="/proc/kmsg" dev=proc ino=4026531849
scontext=root:system_r:klogd_t:s0 tcontext=system_u:object_r:named_conf_t:s0
tclass=file
type=MAC_POLICY_LOAD msg=audit(1196140594.940:19658): policy loaded auid=0
type=SYSCALL msg=audit(1196140594.940:19658): arch=40000003 syscall=4
success=yes exit=2401565 a0=4 a1=b7cd4000 a2=24a51d a3=bfef6618 items=0
ppid=18905 pid=18906 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 comm="load_policy" exe="/usr/sbin/load_policy"
subj=root:system_r:load_policy_t:s0-s0:c0.c255 key=(null)
type=AVC msg=audit(1196140595.445:19659): avc:  denied  { siginh } for 
pid=18907 comm="setfiles" scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=root:system_r:setfiles_t:s0-s0:c0.c255 tclass=process
type=AVC msg=audit(1196140595.445:19659): avc:  denied  { rlimitinh } for 
pid=18907 comm="setfiles" scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=root:system_r:setfiles_t:s0-s0:c0.c255 tclass=process
type=AVC msg=audit(1196140595.445:19659): avc:  denied  { noatsecure } for 
pid=18907 comm="setfiles" scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=root:system_r:setfiles_t:s0-s0:c0.c255 tclass=process
type=SYSCALL msg=audit(1196140595.445:19659): arch=40000003 syscall=11
success=yes exit=0 a0=b9b03648 a1=bc6f1498 a2=0 a3=0 items=0 ppid=18905
pid=18907 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts0 comm="setfiles" exe="/sbin/setfiles"
subj=root:system_r:setfiles_t:s0-s0:c0.c255 key=(null)
---------------------------------

Cron restart gives this in /var/log/cron:
---------------------------------
Nov 27 16:17:53 beauty crond[18926]: (CRON) STARTUP (4.2)
Nov 27 16:17:53 beauty crond[18926]: (system_u) Unauthorized SELinux context,
but SELinux in permissive mode, continuing (/etc/crontab)
Nov 27 16:17:53 beauty crond[18926]: (system_u) Unauthorized SELinux context,
but SELinux in permissive mode, continuing (/etc/cron.d/mailman)
Nov 27 16:17:53 beauty crond[18926]: (system_u) Unauthorized SELinux context,
but SELinux in permissive mode, continuing (/etc/cron.d/clamav-update)
Nov 27 16:17:53 beauty crond[18926]: (system_u) Unauthorized SELinux context,
but SELinux in permissive mode, continuing (/etc/cron.d/sa-update)
Nov 27 16:17:53 beauty crond[18926]: (ldap) Unauthorized SELinux context, but
SELinux in permissive mode, continuing (cron/ldap)
---------------------------------
Comment 28 Bojan Smojver 2007-11-27 00:38:38 EST
In relation to the wrong context on /var/spool/cron/root, I don't have anything
manually set there (i.e. in file_contexts.local). Whatever setfiles did, that's
what it is.

Actually, my file_contexts files lists this:
---------------------------------
/var/spool/cron/[^/]*   --      <<none>>
---------------------------------

and
---------------------------------
/etc/cron.daily/.*      --      system_u:object_r:bin_t:s0
/etc/cron.weekly/.*     --      system_u:object_r:bin_t:s0
/etc/cron.hourly/.*     --      system_u:object_r:bin_t:s0
/etc/cron.monthly/.*    --      system_u:object_r:bin_t:s0
/etc/cron\.(daily|monthly)/acct --      system_u:object_r:acct_exec_t:s0
/etc/cron\.(daily|weekly)/sysklogd      --     
system_u:object_r:logrotate_exec_t:s0
/etc/cron\.(daily|monthly)/radiusd      --      system_u:object_r:radiusd_exec_t:s0
/etc/cron\.(daily|weekly)/ntp-server    --      system_u:object_r:ntpd_exec_t:s0
/etc/cron\.(daily|weekly)/ntp-simple    --      system_u:object_r:ntpd_exec_t:s0
/etc/cron\.(daily|weekly|monthly)/freeradius    --     
system_u:object_r:radiusd_exec_t:s0
/etc/cron\.d(/.*)?      system_u:object_r:system_cron_spool_t:s0
/etc/cron\.weekly/(c)?fingerd   --      system_u:object_r:fingerd_exec_t:s0
/etc/crontab    --      system_u:object_r:system_cron_spool_t:s0
/etc/cron\.monthly/proftpd      --      system_u:object_r:ftpd_exec_t:s0
/etc/cron\.daily/calamaris      --      system_u:object_r:calamaris_exec_t:s0
---------------------------------

rpm -qf -V file_contexts doesn't reveal anything out of the ordinary.
Comment 29 Stephen Smalley 2007-11-27 09:02:20 EST
The Unauthorized SELinux context message from crond means that the context for
the cron job process for that user is not allowed entrypoint permission to the
context on the crontab file.  That was a safeguard to prevent injection of
arbitrary commands by a lower privileged crontab into a more privileged cron job.

Points where this can go wrong:
- wrong context on the cron job process,
- wrong context on the crontab file (inherited from the parent directory if no
transition is defined; otherwise, defined by a type transition based on the
creating domain and the parent directory type),
- missing entrypoint permission in the policy for the context pair.


Comment 30 Marcela Mašláňová 2007-11-27 11:45:33 EST
Is there someone who have this problems on clean install? 

I've two computers, the first is rawhide updated on F-8 and everything is ok.
The second is FC-6 updated on F-8 and I've the same problems as users here
mentioned. I relabeled my system, because upgrade from FC-6 wasn't easy and the
"wrong" contexts remained.
Comment 31 Bojan Smojver 2007-11-27 16:01:48 EST
So, does anyone know what all those wrong contexts are _supposed_ to be?
Comment 32 Marcela Mašláňová 2007-11-28 02:44:27 EST
I tried uninstall and disable selinux and install it again with this message:
Running Transaction
  Installing: selinux-policy               ######################### [1/2]
  Installing: selinux-policy-targeted      ######################### [2/2]
/usr/sbin/semanage: range not supported on Non MLS machines
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
/usr/sbin/semanage: SELinux user guest_u is already defined
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
/usr/sbin/semanage: SELinux user xguest_u is already defined
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'

Installed: selinux-policy-targeted.noarch 0:3.0.8-56.fc8
Dependency Installed: selinux-policy.noarch 0:3.0.8-56.fc8
Complete!

This message can be also seen, when I type: semanage user -l but now is my
crontab working with selinux enforcing without any error message.
Comment 33 Marcela Mašláňová 2007-11-28 02:45:51 EST
And the contexts are:
ps -eZ | grep cron
system_u:system_r:crond_t:SystemLow-SystemHigh 2153 ? 00:00:00 crond
system_u:system_r:crond_t:SystemLow-SystemHigh 2196 ? 00:00:00 atd
id -Z
unconfined_u:system_r:unconfined_t
Comment 34 Bojan Smojver 2007-11-28 17:32:03 EST
I meant contexts of crontab files etc.

Anyhow, I'm trying a reinstall of selinux-policy RPMs. Let see if that does it.
Comment 35 Bojan Smojver 2007-11-28 17:36:58 EST
OK, I got the same error messages as you:
---------------------------------
Running Transaction
  Installing: selinux-policy               ######################### [1/2] 
  Installing: selinux-policy-targeted      ######################### [2/2] 
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
Failed to translate booleans.
[Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'

Installed: selinux-policy-targeted.noarch 0:3.0.8-56.fc8
Dependency Installed: selinux-policy.noarch 0:3.0.8-56.fc8
---------------------------------

However, restart of cron did not emit usual error messages. So, that looks like
a workaround.
Comment 36 Dan O'Brien 2007-11-28 19:19:55 EST
yum remove selinux-policy selinux-policy-targeted
yum install selinux-policy selinux-policy-targeted

worked for me, also.

I still have a laptop that I haven't done this one, if the maintainers want me
to try something else.

I'm surprised upgrade (F7->F8 and FC6->F8) didn't re-apply the context...
Comment 37 Daniel Walsh 2007-12-01 08:30:47 EST
Can you check for inconsistencies between
semanage user -l
semanage login -l

Comment 38 Dan O'Brien 2007-12-01 09:19:18 EST
I don't know what that means, but here's mine after removing and reapplying
selinux-policy*

/home/dmobrien: sudo semanage user -l
Password:
SELinux User    SELinux Roles

guest_u         guest_r
root            system_r sysadm_r staff_r
staff_u         sysadm_r staff_r
sysadm_u        sysadm_r
system_u        system_r
unconfined_u    system_r unconfined_r
user_u          system_r user_r
xguest_u        xguest_r
/home/dmobrien: sudo semanage login -l

Login Name                SELinux User             

__default__               unconfined_u             
root                      system_u                 
/home/dmobrien: 
Comment 39 Dan O'Brien 2007-12-01 09:21:12 EST
My laptop where I didn't reapply anything:

$ sudo semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            sysadm     s0         SystemLow-SystemHigh           system_r
sysadm_r staff_r
staff_u         staff      s0         SystemLow-SystemHigh           sysadm_r
staff_r
sysadm_u        sysadm     s0         SystemLow-SystemHigh           sysadm_r
system_u        user       s0         SystemLow-SystemHigh           system_r
user_u          user       s0         s0                             system_r user_r
$ sudo semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               user_u                    s0                       
root                      root                      SystemLow-SystemHigh     
system_u                  system_u                  SystemLow-SystemHigh     

$ rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.0.8-58.fc8
selinux-policy-targeted-3.0.8-58.fc8
$ 
Comment 40 Dan O'Brien 2007-12-01 09:22:29 EST
Curious why the output is different between the two systems.  My desktop has the
same selinux....

/home/dmobrien: rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.0.8-58.fc8
selinux-policy-targeted-3.0.8-58.fc8
Comment 41 Daniel Walsh 2007-12-02 22:16:15 EST
So if you change root selinux user to system_u does the cron problem go away?

semanage login -m -s system_u root
Comment 42 Dan O'Brien 2007-12-03 21:49:56 EST
Ok, after just rebooting my laptop, cron is now working correctly and the two
above commands show:

# /usr/sbin/semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            sysadm     s0         SystemLow-SystemHigh           system_r
sysadm_r staff_r
staff_u         staff      s0         SystemLow-SystemHigh           sysadm_r
staff_r
sysadm_u        sysadm     s0         SystemLow-SystemHigh           sysadm_r
system_u        user       s0         SystemLow-SystemHigh           system_r
user_u          user       s0         s0                             system_r user_r
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               user_u                    s0                       
root                      system_u                  SystemLow-SystemHigh     
system_u                  system_u                  SystemLow-SystemHigh     
# 
Comment 43 Daniel Walsh 2008-01-30 14:19:22 EST
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.

Note You need to log in before you can comment on or make changes to this bug.