Bug 461988 - cron.d entries aren't getting run.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Duplicates: 466018
Blocks: F10Beta/F10BetaBlocker
Reported: 2008-09-11 14:50 EDT by Dave Jones
Modified: 2015-01-04 17:30 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-09-06 15:20:21 EDT
Description Dave Jones 2008-09-11 14:50:24 EDT
I noticed my mrtg graphs weren't getting updated.
They're done normally by /etc/cron.d/mrtg which looks like ..

* * * * * root LANG=C LC_ALL=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok

Running that command by hand works fine. The graphs update.

Looking in the logs, I see no mention of cron anywhere.
crond is running.  It wakes up once a minute, and does pretty much nothing...

nanosleep({60, 0}, {60, 0})             = 0
time(NULL)                              = 1221158821
time(NULL)                              = 1221158821
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
select(6, [5], NULL, NULL, {0, 0})      = 0 (Timeout)
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
time(NULL)                              = 1221158821
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {0x804a080, [], SA_RESTART}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
Comment 1 Marcela Mašláňová 2008-09-18 07:01:02 EDT
/var/log/cron:
Sep 17 19:22:01 vmware188 crond[2060]: ((null)) Unauthorized SELinux context (/etc/crontab)
Sep 17 19:22:01 vmware188 crond[2060]: ((null)) Unauthorized SELinux context (/etc/cron.d/mrtg)
Sep 17 19:22:01 vmware188 crond[2060]: ((null)) Unauthorized SELinux context (/etc/cron.d/smolt)

audit.log
CROND
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond"
CRONTAB
subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/bin/crontab"

The jobs created in 'crontab -e' are working.
Comment 2 John Poelstra 2008-09-19 15:59:35 EDT
setting blocker for beta... if that is too hardline change to F10Blocker, but seems like we would want this working in beta.
Comment 3 Daniel Walsh 2008-09-22 15:03:03 EDT
I believe this is a problem with cron.  Looks like it is choosing the wrong context?
Comment 4 Daniel Walsh 2008-09-22 16:08:07 EDT
Never mind, it is mine.

Fixed in selinux-policy-3.5.8-6.fc10
Comment 5 Marcela Mašláňová 2008-10-08 10:53:15 EDT
*** Bug 466018 has been marked as a duplicate of this bug. ***
Comment 6 Marcela Mašláňová 2008-10-08 10:55:53 EDT
It's probably still a problem, see #466018
Comment 7 Daniel Walsh 2008-10-08 16:48:07 EDT
Dave, are you still seeing the invalid context error?
Comment 8 Dave Jones 2008-10-08 17:00:26 EDT
No. I don't think I ever did see the errors Marcela points out above.
Comment 9 Daniel Walsh 2008-10-08 17:17:19 EDT
Are the jobs running in permissive mode?
Comment 10 Dave Jones 2008-10-08 17:48:47 EDT
I just noticed this in the cron log file which might explain it..

Oct  8 17:40:42 firewall crond[13870]: (root) BAD FILE MODE (/etc/cron.d/mrtg)

For some reason, that file had gained an +x bit. Removing it seems to have solved this bug.
Comment 11 Nicolas MONNET 2009-07-27 03:13:01 EDT
I'm getting this right now in F11, with
cronie-1.3-2.fc11.x86_64
selinux-policy-3.6.12-62.fc11.noarch

in enforcing mode:

Jul 27 09:05:37 ws crond[15782]: (CRON) STARTUP (1.3)
Jul 27 09:05:37 ws crond[15782]: ((null)) Unauthorized SELinux context (/etc/crontab)
Jul 27 09:05:37 ws crond[15782]: ((null)) Unauthorized SELinux context (/etc/cron.d/clamav-update)
Jul 27 09:05:37 ws crond[15782]: ((null)) Unauthorized SELinux context (/etc/cron.d/0hourly)
Jul 27 09:05:37 ws crond[15782]: ((null)) Unauthorized SELinux context (/etc/cron.d/smolt)
Jul 27 09:05:37 ws crond[15782]: (CRON) INFO (running with inotify support)
Jul 27 09:05:37 ws crond[15782]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Comment 12 Daniel Walsh 2009-07-27 10:47:45 EDT
Are you seeing any AVC messages in /var/log/audit/audit.log?
Comment 13 Nicolas MONNET 2009-08-09 12:28:44 EDT
Sorry for the delay.
No, I don't see any AVC messages in audit.log.

Do you need any other info?

Aug  9 18:16:54 ws crond[5592]: (CRON) STARTUP (1.3)
Aug  9 18:16:54 ws crond[5592]: ((null)) Unauthorized SELinux context (/etc/crontab)
Aug  9 18:16:54 ws crond[5592]: ((null)) Unauthorized SELinux context (/etc/cron.d/clamav-update)
Aug  9 18:16:54 ws crond[5592]: ((null)) Unauthorized SELinux context (/etc/cron.d/0hourly)
Aug  9 18:16:54 ws crond[5592]: ((null)) Unauthorized SELinux context (/etc/cron.d/smolt)
Aug  9 18:16:54 ws crond[5592]: (CRON) INFO (running with inotify support)
Aug  9 18:16:54 ws crond[5592]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Aug  9 18:17:09 ws crond[5618]: (CRON) STARTUP (1.3)
Aug  9 18:17:09 ws crond[5618]: ((null)) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/crontab)
Aug  9 18:17:09 ws crond[5618]: ((null)) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/clamav-update)
Aug  9 18:17:09 ws crond[5618]: ((null)) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/0hourly)
Aug  9 18:17:09 ws crond[5618]: ((null)) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/smolt)
Aug  9 18:17:09 ws crond[5618]: (CRON) INFO (running with inotify support)
Aug  9 18:17:09 ws crond[5618]: (CRON) INFO (@reboot jobs will be run at computer's startup.)

root@ws audit # ls -Z /etc/crontab /etc/cron.d/clamav-update /etc/cron.d/0hourly /etc/cron.d/smolt
-rw-r--r--. root root system_u:object_r:system_cron_spool_t:s0 /etc/cron.d/0hourly
-rw-------. root root system_u:object_r:system_cron_spool_t:s0 /etc/cron.d/clamav-update
-rw-r--r--. root root system_u:object_r:system_cron_spool_t:s0 /etc/cron.d/smolt
-rw-r--r--. root root system_u:object_r:system_cron_spool_t:s0 /etc/crontab
Comment 14 Daniel Walsh 2009-08-10 10:02:54 EDT
What does the output of the following two commands show?

semanage user -l
semanage login -l
Comment 15 Nicolas MONNET 2009-08-10 10:12:27 EDT
nico@ws ~ $ sudo semanage user -l
[sudo] password for nico: 

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
nico@ws ~ $ sudo semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              s0                       
emilio                    user_u                    s0                       
root                      unconfined_u              s0-s0:c0.c1023           
system_u                  system_u                  s0-s0:c0.c1023           
tunnel                    guest_u                   s0
Comment 16 Daniel Walsh 2009-08-10 10:17:48 EDT
Ok, what about ps -eZ | grep cron
Comment 17 Nicolas MONNET 2009-08-10 10:29:00 EDT
nico@ws ~ $ ps -eZ|grep cron
system_u:system_r:crond_t:s0-s0:c0.c1023 2908 ? 00:00:00 atd
unconfined_u:system_r:crond_t:s0-s0:c0.c1023 5618 ? 00:00:00 crond
nico@ws ~ $
Comment 18 Daniel Walsh 2009-08-10 13:36:22 EDT
Steve, any ideas?
Comment 19 Stephen Smalley 2009-08-10 13:48:26 EDT
Why isn't there an entry for unconfined_u in his semanage user -l output?
And why is his crond running in unconfined_u rather than system_u (likely restarted by hand; try restarting via run_init)?
Comment 20 Nicolas MONNET 2009-08-10 14:18:42 EDT
I have no idea why there's no unconfined_u in user -l. I have it on my F11 box at home. They both have 

selinux-policy-targeted-3.6.12-69.fc11.noarch
selinux-policy-3.6.12-69.fc11.noarch

I restarted crond with run_init:

root@ws targeted # ps -efZ |grep cron
system_u:system_r:crond_t:s0-s0:c0.c1023 root 2908 1  0 Aug09 ?        00:00:00 /usr/sbin/atd
system_u:system_r:crond_t:s0-s0:c0.c1023 root 16654 1  0 20:15 ?       00:00:00 crond

Same logs:

Aug 10 20:15:41 ws crond[16654]: (CRON) STARTUP (1.3)
Aug 10 20:15:41 ws crond[16654]: ((null)) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/crontab)
Aug 10 20:15:41 ws crond[16654]: ((null)) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/clamav-update)
Aug 10 20:15:41 ws crond[16654]: ((null)) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/0hourly)
Aug 10 20:15:41 ws crond[16654]: ((null)) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/smolt)
Aug 10 20:15:41 ws crond[16654]: (CRON) INFO (running with inotify support)
Aug 10 20:15:41 ws crond[16654]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Comment 21 Stephen Smalley 2009-08-10 14:26:46 EDT
semodule -l | grep unconfined
Comment 22 Nicolas MONNET 2009-08-10 14:45:42 EDT
On the machine with the problem:

root@ws targeted # semodule -l |grep unconfined
unconfined	3.0.1


On the machine without the problem:

root@santa ~ # semodule -l |grep unconfined
unconfined	3.0.1
unconfineduser	1.0.0
Comment 23 Daniel Walsh 2009-08-12 07:38:40 EDT
semodule -i /usr/share/selinux/targeted/unconfineduser.pp.bz2

There was an upgrade problem during the Beta on F11, that could have caused this.
Comment 24 Nicolas MONNET 2009-08-12 11:46:12 EDT
Yes indeed I remember having had issues after upgrade.

Unfortunately your command fails, something fishy in file_contexts:

 # semodule -i /usr/share/selinux/targeted/unconfineduser.pp.bz2

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/spool/MailScanner(/.*)?  (system_u:object_r:mailscanner_spool_t:s0 and system_u:object_r:clamd_var_run_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/spool/MailScanner(/.*)?  (system_u:object_r:mailscanner_spool_t:s0 and system_u:object_r:clamd_var_run_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule:  Failed!

Any idea how to fix that? I tried removing the offending line by hand, or with semanage, but it fails.
Comment 25 Daniel Walsh 2009-08-12 15:51:17 EDT
Something went very wrong on your update.

Try this 


# setenforce 0
# rm -rf /etc/selinux/targeted
# yum -y reinstall selinux-policy-targeted
# restorecon -R -v /etc/selinux
# setenforce 1

Should fix your system.
Comment 26 Daniel Walsh 2009-08-21 16:56:44 EDT
Actually 

yum -y reinstall selinux-policy\*

Should be the correct thing to do.
Comment 27 Daniel Walsh 2009-09-04 09:14:29 EDT
Did this fix your problem?
Comment 28 Nicolas MONNET 2009-09-04 09:52:16 EDT
Yes this appears to have fixed it, thank you.
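
Added example, not written by anyone in this thread: a POSIX sh/awk sketch of the checks made in comments 10 and 15 to 19, run over captured command output. It lists SELinux users that login mappings reference but `semanage user -l` does not define, crond processes not running as system_u, and crontab files crond refused. The function names are hypothetical and the sample input is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: offline triage of captured diagnostics (function names are hypothetical).

# SELinux users that `semanage login -l` ($2) maps logins to but that
# `semanage user -l` ($1) does not define.
undefined_login_users() {
  awk '
    NR == FNR { if (NF >= 5 && $1 != "SELinux") defined[$1] = 1; next }
    NF >= 3 && $1 != "Login" && !($2 in defined) && !seen[$2]++ { print $2 }
  ' "$1" "$2"
}

# "PID selinux_user" for each crond in `ps -eZ` output ($1) not running as system_u.
crond_not_system_u() {
  awk '$NF == "crond" { split($1, c, ":"); if (c[1] != "system_u") print $2, c[1] }' "$1"
}

# "path reason" for each file crond refused to load, from cron log lines ($1).
# The permissive-mode "continuing" message is not a refusal and is skipped.
cron_rejections() {
  awk 'match($0, /\(\/[^)]*\)$/) {
         path = substr($0, RSTART + 1, RLENGTH - 2)
         if ($0 ~ /BAD FILE MODE/) print path, "mode"
         else if ($0 ~ /Unauthorized SELinux context \(/) print path, "selinux"
       }' "$1"
}

# Constructed sample input, trimmed from the output quoted in the thread.
S=$(mktemp -d) && trap 'rm -rf "$S"' EXIT
cat > "$S/users" <<'EOF'
SELinux User    Prefix     MCS Level  MCS Range         SELinux Roles
root            user       s0         s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
system_u        user       s0         s0-s0:c0.c1023    system_r
user_u          user       s0         s0                user_r
EOF
cat > "$S/logins" <<'EOF'
Login Name                SELinux User              MLS/MCS Range
__default__               unconfined_u              s0
emilio                    user_u                    s0
root                      unconfined_u              s0-s0:c0.c1023
EOF
cat > "$S/ps" <<'EOF'
system_u:system_r:crond_t:s0-s0:c0.c1023 2908 ? 00:00:00 atd
unconfined_u:system_r:crond_t:s0-s0:c0.c1023 5618 ? 00:00:00 crond
EOF
cat > "$S/cronlog" <<'EOF'
Jul 27 09:05:37 ws crond[15782]: ((null)) Unauthorized SELinux context (/etc/crontab)
Aug  9 18:17:09 ws crond[5618]: ((null)) Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/smolt)
Oct  8 17:40:42 firewall crond[13870]: (root) BAD FILE MODE (/etc/cron.d/mrtg)
EOF
undefined_login_users "$S/users" "$S/logins"; crond_not_system_u "$S/ps"; cron_rejections "$S/cronlog"
```

On a live system the same functions take files saved from `semanage user -l`, `semanage login -l`, `ps -eZ` and /var/log/cron.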
