Description of problem:
Since the upgrade from F7 to F8, I'm getting this in /var/log/cron:
---------
Nov 20 18:29:01 beauty crond[2184]: (system_u) Unauthorized SELinux context (/etc/cron.d/clamav-update)
Nov 20 18:29:01 beauty crond[2184]: (system_u) Unauthorized SELinux context (/etc/cron.d/sa-update)
Nov 20 18:29:01 beauty crond[2184]: (ldap) Unauthorized SELinux context (cron/ldap)
Nov 20 18:29:01 beauty crond[2184]: (root) Unauthorized SELinux context (cron/root)
---------
In permissive mode, this turns into:
---------
Nov 21 08:29:31 beauty crond[6384]: (system_u) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/crontab)
Nov 21 08:29:31 beauty crond[6384]: (system_u) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/mailman)
Nov 21 08:29:31 beauty crond[6384]: (system_u) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/clamav-update)
Nov 21 08:29:31 beauty crond[6384]: (system_u) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/sa-update)
Nov 21 08:29:31 beauty crond[6384]: (ldap) Unauthorized SELinux context, but SELinux in permissive mode, continuing (cron/ldap)
---------
Version-Release number of selected component (if applicable):
4.2-5.fc8
How reproducible:
Always.
Steps to Reproduce:
1. Start cron under targeted SELinux policy.
Actual results:
Cron complains and eventually doesn't run jobs.
Expected results:
Worked fine in F7, should work fine in F8.
Additional info:
Googled the errors, but the only results pointed to a broken vixie-cron in FC6.

The policy for selinux is in selinux-policy; that's not a problem of cron. First, please try to update to the latest selinux-policy-3.0.8-56.fc8.

OK, upped. Let's see what happens...

Nope, still the same:
------------
Nov 21 18:50:05 beauty crond[15050]: (system_u) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/crontab)
Nov 21 18:50:05 beauty crond[15050]: (system_u) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/mailman)
Nov 21 18:50:05 beauty crond[15050]: (system_u) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/clamav-update)
Nov 21 18:50:05 beauty crond[15050]: (system_u) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/sa-update)
Nov 21 18:50:05 beauty crond[15050]: (ldap) Unauthorized SELinux context, but SELinux in permissive mode, continuing (cron/ldap)
------------
This is with selinux-policy-targeted-3.0.8-56.fc8.

I don't see anything related to this in the changelog of -58 policy either (updates-testing).

Please attach avc messages from /var/log/audit/audit.log or /var/log/messages.
Or do you see any SELINUX_ERR in /var/log/audit/audit.log?
After you install the update, could you log out and log back in, and
service cron restart
Finally, please show the process context of cron:
# ps -eZ | grep cron
# id -Z

*** Bug 378701 has been marked as a duplicate of this bug. ***
# semanage user -l | grep system_u

/var/log: /etc/init.d/crond restart
Stopping crond: [ OK ]
Starting crond: [ OK ]
/var/log: tail cron
Nov 21 04:02:01 yorky CROND[14216]: (root) CMD (run-parts /etc/cron.daily)
Nov 21 04:59:07 yorky anacron[15342]: Updated timestamp for job `cron.daily' to 2007-11-21
Nov 21 05:01:02 yorky CROND[15732]: (root) CMD (run-parts /etc/cron.hourly)
Nov 21 06:01:01 yorky CROND[19330]: (root) CMD (run-parts /etc/cron.hourly)
Nov 21 07:01:01 yorky CROND[19836]: (root) CMD (run-parts /etc/cron.hourly)
Nov 21 08:00:01 yorky CROND[20422]: (root) CMD (/usr/bin/rsnapshot hourly)
Nov 21 08:01:01 yorky CROND[20438]: (root) CMD (run-parts /etc/cron.hourly)
Nov 21 09:01:01 yorky CROND[21045]: (root) CMD (run-parts /etc/cron.hourly)
Nov 21 09:39:56 yorky crond[21519]: (CRON) STARTUP (4.2)
Nov 21 09:39:56 yorky crond[21519]: (root) Unauthorized SELinux context (cron/root)
/var/log: rpm -q selinux-policy-targeted
selinux-policy-targeted-3.0.8-56.fc8
/var/log: ps -eZ | grep cron
system_u:system_r:crond_t:SystemLow-SystemHigh 1967 ? 00:00:00 atd
system_u:system_r:crond_t:SystemLow-SystemHigh 21519 ? 00:00:00 crond
/var/log: id -Z
system_u:system_r:unconfined_t
/var/log: /usr/sbin/semanage user -l | grep system_u
/var/log:

On my machine.
# /usr/sbin/semanage user -l | grep system_u
system_u user s0 s0-s0:c0.c1023 system_r
That is strange, that should be there. You can add it with the following command.
# emanage user -a -P user -R system_r -r s0-s0:c0.c1023 system_u

Should be # semanage user -a -P user -R system_r -r s0-s0:c0.c1023 system_u

/home/dmobrien: sudo /usr/sbin/semanage user -a -P user -R system_r -r s0-s0:>
Failed to translate booleans. [Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
/usr/sbin/semanage: SELinux user system_u is already defined
This was an upgraded F7->F8 system.

grep of semanage output seems to fail.
/home/dmobrien: sudo /usr/sbin/semanage user -l
Failed to translate booleans. [Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
                Labeling    MLS/       MLS/
SELinux User    Prefix      MCS Level  MCS Range             SELinux Roles
guest_u         guest       s0         s0                    guest_r
root            sysadm      s0         SystemLow-SystemHigh  system_r sysadm_r staff_r
staff_u         staff       s0         SystemLow-SystemHigh  sysadm_r staff_r
sysadm_u        sysadm      s0         SystemLow-SystemHigh  sysadm_r
system_u        user        s0         SystemLow-SystemHigh  system_r
unconfined_u    unconfined  s0         SystemLow-SystemHigh  system_r unconfined_r
user_u          user        s0         s0                    system_r user_r
xguest_u        xguest      s0         s0                    xguest_r
/home/dmobrien:
/home/dmobrien: sudo /usr/sbin/semanage user -l|grep system_u
/home/dmobrien:
That's just weird.

Dan,
Just out of curiosity,
ls -lZ /etc/selinux/targeted/contexts/*rpm*

/home/dmobrien: ls -lZ /etc/selinux/targeted/contexts/*rpm*
ls: cannot access /etc/selinux/targeted/contexts/*rpm*: No such file or directory
/home/dmobrien: rpm -q --whatprovides /etc/selinux/targeted/
selinux-policy-targeted-3.0.8-56.fc8
/home/dmobrien: rpm -q --whatprovides /etc/selinux/targeted/contexts
selinux-policy-targeted-3.0.8-56.fc8
/home/dmobrien: ls /etc/selinux/targeted/contexts
customizable_types  default_contexts  failsafe_context  initrc_context      removable_context  userhelper_context
dbus_contexts       default_type      files             netfilter_contexts  securetty_types    users
/home/dmobrien:

Following up from bug #378701 here, it seems that I'm seeing the same problems.
[root@organ ~]# semanage user -l |grep system_u
system_u user s0 SystemLow-SystemHigh system_r
[root@organ ~]# semanage user -l
Failed to translate booleans. [Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
...
RPM also gave me this same error on the last selinux-policy-targeted update (-58).

On crond restart, I see this in audit.log:
----------------------------
type=AVC msg=audit(1195678331.994:2263): avc: denied { search } for pid=15911 comm="crond" name="/" dev=proc ino=1 scontext=root:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1195678331.994:2263): arch=40000003 syscall=5 success=yes exit=6 a0=a02bee8 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=15911 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="crond" exe="/usr/sbin/crond" subj=root:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1195678332.081:2264): avc: denied { search } for pid=15911 comm="crond" name="/" dev=proc ino=1 scontext=root:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1195678332.081:2264): arch=40000003 syscall=5 success=yes exit=7 a0=a02d2e0 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=15911 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="crond" exe="/usr/sbin/crond" subj=root:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1195678332.143:2265): avc: denied { search } for pid=1668 comm="mcstransd" name="/" dev=proc ino=1 scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
----------------------------
ps -eZ | grep cron gives:
----------------------------
system_u:system_r:crond_t:SystemLow-SystemHigh 2174 ? 00:00:00 atd
system_u:system_r:crond_t:SystemLow-SystemHigh 15178 ? 00:00:00 crond
root:system_r:crond_t:SystemLow-SystemHigh 15911 ? 00:00:00 crond
----------------------------
id -Z gives:
----------------------------
root:system_r:unconfined_t:-s0:c0.c255
----------------------------
semanage user -l | grep system_u gives:
----------------------------
system_u user s0 SystemLow-SystemHigh system_r
----------------------------
When I run:
semanage user -a -P user -R system_r -r s0-s0:c0.c1023 system_u
----------------------------
Failed to translate booleans. [Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
/usr/sbin/semanage: SELinux user system_u is already defined
----------------------------
Finally, ls -lZ /etc/selinux/targeted/contexts/*rpm*
----------------------------
ls: cannot access /etc/selinux/targeted/contexts/*rpm*: No such file or directory
----------------------------
My system has been upgraded from F7 to F8 using yum upgrade. An additional piece of info is that I've seen complaints about /usr/share/selinux/devel/policy.xml missing during most recent yum update.

Looks like the avc's are being generated because you did the service crond restart while in a directory labeled named_conf_t. This can safely be ignored.
The policy.xml can be ignored, the message should be gone on the next update, or you could install selinux-policy-devel, to install '/usr/share/selinux/devel/policy.xml'.
I have added the cron maintainer to the list to see if he has any ideas.

/var/spool/cron: ls -ldZ /var
drwxr-xr-x root root system_u:object_r:var_t /var
/var/spool/cron: ls -ldZ /var/spool
drwxr-xr-x root root system_u:object_r:var_spool_t /var/spool
/var/spool/cron: ls -ldZ /var/spool/cron
drwx------ root root system_u:object_r:cron_spool_t /var/spool/cron
/var/spool/cron: ls -lZ /var/spool/cron/root
-rw------- root root system_u:object_r:unconfined_cron_spool_t /var/spool/cron/root
/var/spool/cron: ls -lZ /var/spool/cron/dmobrien
-rw------- dmobrien root user_u:object_r:cron_spool_t /var/spool/cron/dmobrien
I restarted crond and there was no kernel SELinux message:
/var/spool/cron: /etc/init.d/crond restart
Stopping crond: [ OK ]
Starting crond: [ OK ]
/var/spool/cron: dmesg | tail -5
Bluetooth: RFCOMM TTY layer initialized
Bluetooth: RFCOMM ver 1.8
Bluetooth: BNEP (Ethernet Emulation) ver 1.2
Bluetooth: BNEP filters: protocol multicast
usb 1-1: reset high speed USB device using ehci_hcd and address 2
/var/spool/cron:
However, there was a complaint in cron log!
/var/spool/cron: tail /var/log/cron
Nov 26 08:00:01 yorky CROND[23667]: (root) CMD (/usr/bin/rsnapshot hourly)
Nov 26 08:01:01 yorky CROND[23689]: (root) CMD (run-parts /etc/cron.hourly)
Nov 26 09:01:01 yorky CROND[24172]: (root) CMD (run-parts /etc/cron.hourly)
Nov 26 10:01:01 yorky CROND[24656]: (root) CMD (run-parts /etc/cron.hourly)
Nov 26 11:01:01 yorky CROND[25182]: (root) CMD (run-parts /etc/cron.hourly)
Nov 26 12:00:01 yorky CROND[25662]: (root) CMD (/usr/bin/rsnapshot hourly)
Nov 26 12:01:01 yorky CROND[25684]: (root) CMD (run-parts /etc/cron.hourly)
Nov 26 12:27:35 yorky crontab[25926]: (root) LIST (root)
Nov 26 12:31:00 yorky crond[25980]: (CRON) STARTUP (4.2)
Nov 26 12:31:00 yorky crond[25980]: (root) Unauthorized SELinux context (cron/root)
Could the crond be checking for selinux attributes incorrectly?

ls -lZ /var/spool/cron/root

ls -lZ /var/spool/cron/root
-rw------- root root unconfined_u:object_r:unconfined_cron_spool_t:s0 /var/spool/cron/root
tail /var/log/cron
Nov 26 12:52:01 localhost CROND[20000]: (root) CMD (id -Z)
Nov 26 12:52:01 localhost CROND[19998]: (root) MAIL (mailed 46 bytes of output but got status 0x0041#012)
Nov 26 12:52:06 localhost crontab[20008]: (root) BEGIN EDIT (root)
Nov 26 12:52:46 localhost crontab[20008]: (root) REPLACE (root)
Nov 26 12:52:46 localhost crontab[20008]: (root) END EDIT (root)
Nov 26 12:53:01 localhost crond[2397]: (root) RELOAD (cron/root)
Nov 26 12:53:01 localhost CROND[20055]: (root) CMD (id -Z)
Nov 26 12:53:01 localhost CROND[20053]: (root) MAIL (mailed 46 bytes of output but got status 0x0041#012)
crontab -e
0-59 * * * * id -Z

Ok, so that blows that theory. But crond is emitting an error message on the restart:
/home/dmobrien: id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t
/home/dmobrien: crontab -l
# * * * * * id -a > /var/tmp/out.txt
/home/dmobrien: ls -l /var/tmp/out.txt
ls: cannot access /var/tmp/out.txt: No such file or directory
/home/dmobrien:
I edited crontab and took out the stdout redirection
/home/dmobrien: crontab -l
# * * * * * id -a
Nov 26 13:01:01 yorky CROND[26234]: (root) CMD (run-parts /etc/cron.hourly)
Nov 26 13:25:02 yorky crontab[26467]: (root) LIST (root)
Nov 26 13:26:07 yorky crontab[26478]: (root) BEGIN EDIT (root)
Nov 26 13:26:11 yorky crontab[26478]: (root) REPLACE (root)
Nov 26 13:26:11 yorky crontab[26478]: (root) END EDIT (root)
Nov 26 13:27:01 yorky crond[25980]: (root) Unauthorized SELinux context (cron/root)

Also, if you log out and log back in, what is your context?
id -Z
Please show the context of the cron file:
ls -lZ /var/spool/cron/root
-rw------- root root unconfined_u:object_r:unconfined_cron_spool_t:s0 /var/spool/cron/root

/OBrienDM: ssh home
Last login: Mon Nov 26 13:24:51 2007 from work.com
/home/dmobrien: sudo ksh
Password:
/home/dmobrien: ls -lZ /var/spool/cron/root
-rw------- root root system_u:object_r:unconfined_cron_spool_t /var/spool/cron/root
/home/dmobrien:
I see that it is system_u instead of unconfined_u like yours.

Regarding comment #17, I restarted cron from different directories, got the same message. But the main point is that if we're not in permissive mode, jobs don't run.
# ls -lZ /var/spool/cron/root
-rw------- root root root:object_r:cron_spool_t /var/spool/cron/root
# id -Z
root:system_r:unconfined_t:-s0:c0.c255
PS. Isn't cron maintainer a she? :-)

Bojan, the context on your file is wrong, I believe.
Could either or both of you execute
semodule -DB
and then check for avc messages the next time cron runs?
Steve, do you have ideas?

I just tried this:
[root@organ ~]# semodule -DB
[root@organ ~]# service crond restart
Stopping crond: [ OK ]
Starting crond: [ OK ]
[root@organ ~]# tail /var/log/cron
Nov 26 20:19:20 organ crond[9960]: (CRON) STARTUP (4.2)
Nov 26 20:19:20 organ crond[9960]: (system_u) Unauthorized SELinux context (/etc/crontab)
Nov 26 20:19:20 organ crond[9960]: (system_u) Unauthorized SELinux context (/etc/cron.d/backup)
[root@organ ~]# tail /var/log/messages
Nov 26 20:19:15 organ kernel: audit(1196137155.570:12): policy loaded auid=4294967295
Nov 26 20:19:15 organ kernel: audit(1196137155.622:13): avc: denied { siginh } for pid=9941 comm="setfiles" scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=root:system_r:setfiles_t:s0-s0:c0.c255 tclass=process
Nov 26 20:19:15 organ kernel: audit(1196137155.622:14): avc: denied { rlimitinh } for pid=9941 comm="setfiles" scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=root:system_r:setfiles_t:s0-s0:c0.c255 tclass=process
Nov 26 20:19:15 organ kernel: audit(1196137155.622:15): avc: denied { noatsecure } for pid=9941 comm="setfiles" scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=root:system_r:setfiles_t:s0-s0:c0.c255 tclass=process
Nov 26 20:19:15 organ kernel: audit(1196137155.675:16): user pid=1851 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: received policyload notice (seqno=4)
Nov 26 20:19:15 organ kernel: : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
I don't see anything cron related in there though.

semodule -DB gives in /var/log/audit/audit.log
---------------------------------
type=AVC msg=audit(1196140595.056:19657): avc: denied { read } for pid=2392 comm="rklogd" path="/proc/kmsg" dev=proc ino=4026531849 scontext=root:system_r:klogd_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=MAC_POLICY_LOAD msg=audit(1196140594.940:19658): policy loaded auid=0
type=SYSCALL msg=audit(1196140594.940:19658): arch=40000003 syscall=4 success=yes exit=2401565 a0=4 a1=b7cd4000 a2=24a51d a3=bfef6618 items=0 ppid=18905 pid=18906 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="load_policy" exe="/usr/sbin/load_policy" subj=root:system_r:load_policy_t:s0-s0:c0.c255 key=(null)
type=AVC msg=audit(1196140595.445:19659): avc: denied { siginh } for pid=18907 comm="setfiles" scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=root:system_r:setfiles_t:s0-s0:c0.c255 tclass=process
type=AVC msg=audit(1196140595.445:19659): avc: denied { rlimitinh } for pid=18907 comm="setfiles" scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=root:system_r:setfiles_t:s0-s0:c0.c255 tclass=process
type=AVC msg=audit(1196140595.445:19659): avc: denied { noatsecure } for pid=18907 comm="setfiles" scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=root:system_r:setfiles_t:s0-s0:c0.c255 tclass=process
type=SYSCALL msg=audit(1196140595.445:19659): arch=40000003 syscall=11 success=yes exit=0 a0=b9b03648 a1=bc6f1498 a2=0 a3=0 items=0 ppid=18905 pid=18907 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="setfiles" exe="/sbin/setfiles" subj=root:system_r:setfiles_t:s0-s0:c0.c255 key=(null)
---------------------------------
Cron restart gives this in /var/log/cron:
---------------------------------
Nov 27 16:17:53 beauty crond[18926]: (CRON) STARTUP (4.2)
Nov 27 16:17:53 beauty crond[18926]: (system_u) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/crontab)
Nov 27 16:17:53 beauty crond[18926]: (system_u) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/mailman)
Nov 27 16:17:53 beauty crond[18926]: (system_u) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/clamav-update)
Nov 27 16:17:53 beauty crond[18926]: (system_u) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/sa-update)
Nov 27 16:17:53 beauty crond[18926]: (ldap) Unauthorized SELinux context, but SELinux in permissive mode, continuing (cron/ldap)
---------------------------------

In relation to the wrong context on /var/spool/cron/root, I don't have anything manually set there (i.e. in file_contexts.local). Whatever setfiles did, that's what it is. Actually, my file_contexts file lists this:
---------------------------------
/var/spool/cron/[^/]* -- <<none>>
---------------------------------
and
---------------------------------
/etc/cron.daily/.* -- system_u:object_r:bin_t:s0
/etc/cron.weekly/.* -- system_u:object_r:bin_t:s0
/etc/cron.hourly/.* -- system_u:object_r:bin_t:s0
/etc/cron.monthly/.* -- system_u:object_r:bin_t:s0
/etc/cron\.(daily|monthly)/acct -- system_u:object_r:acct_exec_t:s0
/etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t:s0
/etc/cron\.(daily|monthly)/radiusd -- system_u:object_r:radiusd_exec_t:s0
/etc/cron\.(daily|weekly)/ntp-server -- system_u:object_r:ntpd_exec_t:s0
/etc/cron\.(daily|weekly)/ntp-simple -- system_u:object_r:ntpd_exec_t:s0
/etc/cron\.(daily|weekly|monthly)/freeradius -- system_u:object_r:radiusd_exec_t:s0
/etc/cron\.d(/.*)? system_u:object_r:system_cron_spool_t:s0
/etc/cron\.weekly/(c)?fingerd -- system_u:object_r:fingerd_exec_t:s0
/etc/crontab -- system_u:object_r:system_cron_spool_t:s0
/etc/cron\.monthly/proftpd -- system_u:object_r:ftpd_exec_t:s0
/etc/cron\.daily/calamaris -- system_u:object_r:calamaris_exec_t:s0
---------------------------------
rpm -qf -V file_contexts doesn't reveal anything out of the ordinary.

The Unauthorized SELinux context message from crond means that the context for the cron job process for that user is not allowed entrypoint permission to the context on the crontab file. That was a safeguard to prevent injection of arbitrary commands by a lower privileged crontab into a more privileged cron job.
Points where this can go wrong:
- wrong context on the cron job process,
- wrong context on the crontab file (inherited from the parent directory if no transition is defined; otherwise, defined by a type transition based on the creating domain and the parent directory type),
- missing entrypoint permission in the policy for the context pair.

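Added example, not part of the original report and not cron's own code: a small triage script that pairs every crontab crond rejected with the file label needed to check the failure points listed above. The sample log and ls -lZ lines are constructed in the formats quoted in this thread, and the mapping of "cron/NAME" to /var/spool/cron/NAME is an assumption based on the listings here.

```python
import re

# Assumption: "cron/NAME" in the log refers to /var/spool/cron/NAME, as the
# directory listings in this thread suggest.
SPOOL_DIR = "/var/spool/cron"

# Constructed sample input in the formats quoted in this report.
CRON_LOG = """\
Nov 20 18:29:01 beauty crond[2184]: (system_u) Unauthorized SELinux context (/etc/cron.d/sa-update)
Nov 20 18:29:01 beauty crond[2184]: (root) Unauthorized SELinux context (cron/root)
Nov 21 08:29:31 beauty crond[6384]: (ldap) Unauthorized SELinux context, but SELinux in permissive mode, continuing (cron/ldap)
Nov 21 09:01:01 beauty CROND[21045]: (root) CMD (run-parts /etc/cron.hourly)
"""
LS_Z = """\
-rw------- root root system_u:object_r:unconfined_cron_spool_t /var/spool/cron/root
-rw------- ldap root user_u:object_r:cron_spool_t:s0 /var/spool/cron/ldap
"""

REJECT_RE = re.compile(
    r"crond\[\d+\]: \((?P<owner>[^)]+)\) Unauthorized SELinux context"
    r"(?P<permissive>, but SELinux in permissive mode, continuing)?"
    r" \((?P<tab>[^)]+)\)\s*$"
)


def parse_rejections(log_text):
    """Return {crontab path: latest rejection} from crond log text."""
    latest = {}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # ordinary CMD/STARTUP lines and other daemons
        tab = m.group("tab")
        if not tab.startswith("/"):
            tab = SPOOL_DIR + "/" + tab.rpartition("/")[2]
        latest[tab] = {
            "owner": m.group("owner"),
            # Per this report, jobs from a rejected crontab do not run
            # unless SELinux is in permissive mode.
            "job_skipped": m.group("permissive") is None,
        }
    return latest


def parse_ls_z(ls_text):
    """Return {path: label fields} from ls -lZ lines; the level is optional."""
    labels = {}
    for line in ls_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[3].count(":") < 2:
            continue  # not a "mode owner group context path" line
        user, role, type_, *level = fields[3].split(":", 3)
        labels[fields[4]] = {"user": user, "role": role, "type": type_,
                             "level": level[0] if level else None}
    return labels


def correlate(log_text, ls_text):
    """Join each rejected crontab with its file label, if one was listed."""
    labels = parse_ls_z(ls_text)
    rows = []
    for path, rej in parse_rejections(log_text).items():
        label = labels.get(path, {})
        rows.append({"path": path, **rej,
                     "file_user": label.get("user"),
                     "file_type": label.get("type")})
    return rows


if __name__ == "__main__":
    for row in correlate(CRON_LOG, LS_Z):
        print(row)
```

A row with file_type None means no label was collected for that crontab yet; the process context and the policy's entrypoint rule still have to be checked separately.
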
Is there someone who has these problems on a clean install? I have two computers: the first is rawhide updated to F-8 and everything is OK. The second is FC-6 updated to F-8 and I have the same problems as the users here mentioned. I relabeled my system, because the upgrade from FC-6 wasn't easy and the "wrong" contexts remained.

So, does anyone know what all those wrong contexts are _supposed_ to be?

I tried to uninstall and disable selinux and install it again, with this message:
Running Transaction
Installing: selinux-policy ######################### [1/2]
Installing: selinux-policy-targeted ######################### [2/2]
/usr/sbin/semanage: range not supported on Non MLS machines
Failed to translate booleans. [Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
Failed to translate booleans. [Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
Failed to translate booleans. [Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
/usr/sbin/semanage: SELinux user guest_u is already defined
Failed to translate booleans. [Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
/usr/sbin/semanage: SELinux user xguest_u is already defined
Failed to translate booleans. [Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
Installed: selinux-policy-targeted.noarch 0:3.0.8-56.fc8
Dependency Installed: selinux-policy.noarch 0:3.0.8-56.fc8
Complete!
This message can also be seen when I type:
semanage user -l
but now my crontab is working with selinux enforcing without any error message.

And the contexts are:
ps -eZ | grep cron
system_u:system_r:crond_t:SystemLow-SystemHigh 2153 ? 00:00:00 crond
system_u:system_r:crond_t:SystemLow-SystemHigh 2196 ? 00:00:00 atd
id -Z
unconfined_u:system_r:unconfined_t

I meant contexts of crontab files etc. Anyhow, I'm trying a reinstall of selinux-policy RPMs. Let's see if that does it.

OK, I got the same error messages as you:
---------------------------------
Running Transaction
Installing: selinux-policy ######################### [1/2]
Installing: selinux-policy-targeted ######################### [2/2]
Failed to translate booleans. [Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
Failed to translate booleans. [Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
Failed to translate booleans. [Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
Failed to translate booleans. [Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
Failed to translate booleans. [Errno 2] No such file or directory: '/usr/share/selinux/devel/policy.xml'
Installed: selinux-policy-targeted.noarch 0:3.0.8-56.fc8
Dependency Installed: selinux-policy.noarch 0:3.0.8-56.fc8
---------------------------------
However, restart of cron did not emit the usual error messages. So, that looks like a workaround.

yum remove selinux-policy selinux-policy-targeted
yum install selinux-policy selinux-policy-targeted
worked for me, also. I still have a laptop that I haven't done this on, if the maintainers want me to try something else. I'm surprised upgrade (F7->F8 and FC6->F8) didn't re-apply the context...

Can you check for inconsistencies between
semanage user -l
semanage login -l

I don't know what that means, but here's mine after removing and reapplying selinux-policy*
/home/dmobrien: sudo semanage user -l
Password:
SELinux User    SELinux Roles
guest_u         guest_r
root            system_r sysadm_r staff_r
staff_u         sysadm_r staff_r
sysadm_u        sysadm_r
system_u        system_r
unconfined_u    system_r unconfined_r
user_u          system_r user_r
xguest_u        xguest_r
/home/dmobrien: sudo semanage login -l
Login Name      SELinux User
__default__     unconfined_u
root            system_u
/home/dmobrien:

My laptop where I didn't reapply anything:
$ sudo semanage user -l
                Labeling    MLS/       MLS/
SELinux User    Prefix      MCS Level  MCS Range             SELinux Roles
root            sysadm      s0         SystemLow-SystemHigh  system_r sysadm_r staff_r
staff_u         staff       s0         SystemLow-SystemHigh  sysadm_r staff_r
sysadm_u        sysadm      s0         SystemLow-SystemHigh  sysadm_r
system_u        user        s0         SystemLow-SystemHigh  system_r
user_u          user        s0         s0                    system_r user_r
$ sudo semanage login -l
Login Name      SELinux User    MLS/MCS Range
__default__     user_u          s0
root            root            SystemLow-SystemHigh
system_u        system_u        SystemLow-SystemHigh
$ rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.0.8-58.fc8
selinux-policy-targeted-3.0.8-58.fc8
$

Curious why the output is different between the two systems. My desktop has the same selinux....
/home/dmobrien: rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.0.8-58.fc8
selinux-policy-targeted-3.0.8-58.fc8

So if you change root selinux user to system_u does the cron problem go away?
semanage login -m -s system_u root

Ok, after just rebooting my laptop, cron is now working correctly and the two above commands show:
# /usr/sbin/semanage user -l
                Labeling    MLS/       MLS/
SELinux User    Prefix      MCS Level  MCS Range             SELinux Roles
root            sysadm      s0         SystemLow-SystemHigh  system_r sysadm_r staff_r
staff_u         staff       s0         SystemLow-SystemHigh  sysadm_r staff_r
sysadm_u        sysadm      s0         SystemLow-SystemHigh  sysadm_r
system_u        user        s0         SystemLow-SystemHigh  system_r
user_u          user        s0         s0                    system_r user_r
# /usr/sbin/semanage login -l
Login Name      SELinux User    MLS/MCS Range
__default__     user_u          s0
root            system_u        SystemLow-SystemHigh
system_u        system_u        SystemLow-SystemHigh
#

Bulk closing all bugs in Fedora updates in the modified state. If your bug is not fixed, please reopen.