Description of problem:
authentication service is denying access to run crontab due to pam configuration.

Version-Release number of selected component (if applicable):
pam.x86_64 1.0.1-5.fc10
pam_ccreds.x86_64 7-3.fc10
pam_krb5.x86_64 2.3.0-1
pam_passwdqc.x86_64 1.0.5-1
pam_pkcs11.x86_64 0.5.3-26
pam_sb.x86_64 1.1.7-8.2.2
crontabs.noarch 1.10-23.fc10
authconfig.x86_64 5.4.3-1.fc10

How reproducible:
persistent

Steps to Reproduce:
1. install 10-Alpha plus I updated following packages to latest build (8/9/08)
tftp tftp-server httpd rsync dhcp vnc vnc-server hardlink\
kvm qemu bridge-utils nash gnash-plugin \
hplip hplip-gui libsane-hpaio\
xsane sane-backends cups system-config-printer \
gkrellm efax gnucash openoffice.org-base\
Miro kernel \
2. run crontab

Actual results:
Authentication service cannot retrieve authentication info
You (adm2) are not allowed to access to (crontab) because of pam configuration.
Can you please attach your /etc/pam.d/system-auth and /etc/pam.d/crontab? Do you have SELinux enforcing? Does it still happen with SELinux in permissive mode (setenforce 0)? If not, do you see any related AVCs with ausearch -m AVC?
Created attachment 313906 system-auth
Created attachment 313907 crond
Created attachment 313908 ausearch -m AVC output
Under permissive mode (setenforce 0), I was able to execute crontab, but it does not run the script at the pre-set time (rsync -avH <remote_source> <to_local_source_directory>).
OK, I just rebooted the system and reset the crontab under permissive mode. The script works at the pre-defined time. By the way, /etc/pam.d/crontabs does not exist so I uploaded /etc/pam.d/crond instead. I'm not sure if it is an intended feature to block crontab by design. So I'm not sure whether to close this bug or not.
It is definitely not intended to block crontab. If setenforce 0 helps, it means that the problem is in the selinux-policy or something else is broken on your system in regards to SELinux. Can you try to update the selinux-policy package if there is a new one in rawhide and see whether it helps (with setenforce 1)?
Please test with selinux-policy-3.5.1-4.fc10.noarch. It's working for me in rawhide - enforcing mode, latest policy.
OK, I loaded the latest selinux-policy. I can execute crontab when I connect through remote viewer (vncviewer). But, it is still failing when executing from any local terminal (tty1-tty6), or when connected from remote ssh terminal.

== error output
Authentication service cannot retrieve authentication info
You (adm2) are not allowed to access to (crontab) because of pam configuration.
==

I tried editing /etc/security/access.conf and added the following line:

+ : adm2 root : 127.0.0.1 tty1 tty2 tty3 tty4 tty5 tty6

Still failed. Anyway, at least it's working through vncviewer since that's how I always connect through this system.
This change shouldn't be needed. That's default state.
Crontabs are working also with selinux enforcing, but crontab can't be changed or printed out. With selinux permissive everything is working ok.

crontab -e failed -> audit.log:

type=SELINUX_ERR msg=audit(1219676058.623:341): security_compute_sid: invalid context unconfined_u:unconfined_r:system_chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1219676058.623:341): arch=40000003 syscall=11 success=no exit=-13 a0=30d738 a1=bfbc464c a2=30f408 a3=400 items=0 ppid=2742 pid=2743 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=48 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1219676058.641:342): user pid=2742 uid=500 auid=500 ses=48 subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="ferda" exe="/usr/bin/crontab" (hostname=?, addr=?, terminal=cron res=failed)'
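An added example, not part of the original bug report: a small Python triage script that groups the audit records quoted above by serial number and links the SELINUX_ERR / failed SYSCALL pair to the PAM accounting failure through the process IDs and session. The function names are hypothetical; the log lines are the three records from the comment above.

```python
import re
from collections import defaultdict

# The three records from the audit.log excerpt in the comment above, one per line.
AUDIT_LOG = """\
type=SELINUX_ERR msg=audit(1219676058.623:341): security_compute_sid: invalid context unconfined_u:unconfined_r:system_chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1219676058.623:341): arch=40000003 syscall=11 success=no exit=-13 a0=30d738 a1=bfbc464c a2=30f408 a3=400 items=0 ppid=2742 pid=2743 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=48 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1219676058.641:342): user pid=2742 uid=500 auid=500 ses=48 subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="ferda" exe="/usr/bin/crontab" (hostname=?, addr=?, terminal=cron res=failed)'
"""

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(log):
    """Group records by audit serial number; each record becomes a dict of its fields."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, _ts, serial, body = m.groups()
        rec = {k: v.strip("\"',)") for k, v in FIELD.findall(body)}
        rec.update(type=rtype, body=body)
        events[int(serial)].append(rec)
    return events


def find_denied_transitions(log):
    """Pair each SELINUX_ERR + failed SYSCALL event with PAM failures in the same session."""
    events = parse(log)
    pam_fail = [r for recs in events.values() for r in recs
                if r["type"].startswith("USER_") and r.get("res") == "failed"]
    findings = []
    for serial, recs in sorted(events.items()):
        err = next((r for r in recs if r["type"] == "SELINUX_ERR"), None)
        sc = next((r for r in recs if r["type"] == "SYSCALL" and r.get("success") == "no"), None)
        if not (err and sc):
            continue
        bad = re.search(r"invalid context (\S+)", err["body"])
        # In the sample, the failed syscall's ppid equals the pid in the USER_ACCT record.
        linked = [(p.get("acct"), p.get("msg")) for p in pam_fail
                  if p.get("pid") in (sc.get("pid"), sc.get("ppid")) and p.get("ses") == sc.get("ses")]
        findings.append({"serial": serial, "exe": sc.get("exe"), "exit": int(sc["exit"]),
                         "invalid_context": bad.group(1) if bad else None,
                         "scontext": err.get("scontext"), "tcontext": err.get("tcontext"),
                         "pam_failures": linked})
    return findings


if __name__ == "__main__":
    for finding in find_denied_transitions(AUDIT_LOG):
        print(finding)
```

Run against a full audit.log, this surfaces the case that `ausearch -m AVC` alone does not return, because the records involved here are of type SELINUX_ERR rather than AVC.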
Fixed in selinux-policy-3.5.5-2.fc10