Bug 518345 - CROND fails with Unauthorized SELinux context
Summary: CROND fails with Unauthorized SELinux context
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: crontabs
Version: 11
Hardware: i386
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Marcela Mašláňová
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-08-20 01:13 UTC by Seramal
Modified: 2009-09-21 12:16 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-21 12:16:01 UTC
Type: ---
Embargoed:


Description Seramal 2009-08-20 01:13:35 UTC
Description of problem:

crond won't run the crontab of user_u:user_r:user_t:s0 in fedora core 11.
It fails to run a * * * * * /usr/bin/id > /tmp/TEST entry.

(root crontabs run successfully)

/var/log/cron says: 
Aug 20 02:45:01 ic21 crond[1733]: (testing) Unauthorized SELinux context (cron/testing)

Version-Release number of selected component (if applicable):
crontabs-1.10-30.fc11.noarch
anacron-2.3-78.fc11.i586

How reproducible:
Just add a user as user_u, login with ssh, and crontab -e a new entry.

Additional info:
semanage user -l 
                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0-s0:c0.c1023                 guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r

semanage login -l 
Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              s0-s0:c0.c1023           
root                      unconfined_u              s0-s0:c0.c1023           
system_u                  system_u                  s0-s0:c0.c1023           
testing                   user_u                    s0      

My crontab file in /var/spool/cron/
-rw-------. testing root user_u:object_r:user_cron_spool_t:s0 testing

Help, please?

Comment 1 Marcela Mašláňová 2009-08-20 07:15:42 UTC
Please try to update to the latest selinux-policy. In case the problem is still reproducible, attach the problematic part of the AVC messages from /var/log/audit/audit.log

Comment 2 Seramal 2009-08-20 11:02:48 UTC
I have the latest selinux-policy from fc11:

selinux-policy-3.6.12-72.fc11.noarch
selinux-policy-targeted-3.6.12-72.fc11.noarch

About AVC, there is no error; otherwise I would audit2allow it. 

I also tried semodule -DB and nothing pops up in audit.log. 

Some other things:
-rwsr-sr-x. root root system_u:object_r:crontab_exec_t:s0 /usr/bin/crontab

# semodule -l|grep -i cron 
#

Thanks for replying!

Comment 3 Seramal 2009-08-20 11:17:23 UTC
I just did:
# touch /.autorelabel 
# reboot

and still get 
(testing) Unauthorized SELinux context (cron/testing)

I was searching for this bug and located the file that generates the message: security.c (Implement Red Hat crond security context transitions, Jason Vas Dias <jvdias> January 2006):

function cron_authorize_context() has:
        /*
         * Since crontab files are not directly executed,
         * crond must ensure that the crontab file has
         * a context that is appropriate for the context of
         * the user cron job.  It performs an entrypoint
         * permission check for this purpose.
         */
        retval = security_compute_av(scontext, file_context,
                                     SECCLASS_FILE, bit, &avd);
        if (retval || ((bit & avd.allowed) != bit))
                return 0;
#endif
        return 1;

then,

        if (!cron_authorize_context( scontext, file_context)) {
                freecon(scontext);
                freecon(file_context);
                if (security_getenforce() > 0) {
                        log_it(name, getpid(), "Unauthorized SELinux context", tabname);
                        return -1;
                }


If security_compute_av() fails, the message is generated, meaning the scontext is not allowed by the policy to access the file_context.

Still, no AVC messages.

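Added here as a small diagnostic for this class of failure (it is not part of cron or of this bug report): it correlates a crond "Unauthorized SELinux context" log line with the semanage login and user tables, so one can see which SELinux user, roles and MLS range crond had to build the job's context from before the entrypoint check in cron_authorize_context() ran. The log line and the two tables below are constructed from the output quoted earlier in this report.

```python
import re

# Constructed sample input, in the formats shown in this bug report.
CRON_LOG = """Aug 20 02:45:01 ic21 crond[1733]: (testing) Unauthorized SELinux context (cron/testing)
Aug 20 02:46:01 ic21 crond[1733]: (root) CMD (/usr/bin/id > /tmp/TEST)"""

LOGIN_MAP = """Login Name                SELinux User              MLS/MCS Range
__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
testing                   user_u                    s0"""

USER_MAP = """SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r"""

UNAUTH = re.compile(r"crond\[\d+\]: \((\S+)\) Unauthorized SELinux context \(([^)]+)\)")

def parse_table(text, ncols):
    """Turn `semanage ... -l` output into {first column: [remaining columns]}; header skipped."""
    rows = {}
    for line in text.splitlines()[1:]:
        fields = line.split(None, ncols - 1)   # last column (roles) may contain spaces
        if fields:
            rows[fields[0]] = fields[1:]
    return rows

def find_unauthorized(log):
    """Return (login, tabname) for every crond refusal found in the log text."""
    hits = []
    for line in log.splitlines():
        m = UNAUTH.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits

def explain(log, login_map, user_map):
    """For each refused job, report the SELinux user, range and roles crond would use."""
    logins = parse_table(login_map, 3)   # login -> [seuser, range]
    seusers = parse_table(user_map, 5)   # seuser -> [prefix, level, range, roles]
    report = []
    for login, tab in find_unauthorized(log):
        seuser, mls = logins.get(login, logins["__default__"])  # unmapped logins use __default__
        roles = seusers[seuser][3].split()
        report.append({"login": login, "tab": tab, "seuser": seuser,
                       "range": mls, "roles": roles})
    return report

if __name__ == "__main__":
    for r in explain(CRON_LOG, LOGIN_MAP, USER_MAP):
        print(r["tab"], "->", r["seuser"], r["roles"], r["range"])
```

The reported fields (user_u, role user_r, range s0) are exactly what has to be checked against the crontab file's label (user_u:object_r:user_cron_spool_t:s0) when looking for the policy rule that the entrypoint check needs.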
Comment 4 Marcela Mašláňová 2009-09-14 13:29:28 UTC
Could you run the job which isn't executed from crontab again and attach the log from /var/audit/audit.log which will be generated? I don't see any problematic jobs in my crontabs.
If you have such a complicated setting for different groups with different permissions, there is also the possibility of a mistake in your setting. Are you sure the job which you are trying is executable for the user in your group?

Comment 5 Marcela Mašláňová 2009-09-21 12:16:01 UTC
I suppose you fixed your problem, which is hardly in cron. Closing as notabug.
