Gentoo Forums
[SOLVED] SELinux cron unauthorized
courage
Posted: Sun Jul 02, 2017 9:59 am

Hi!

For a while I've been trying to fix my cron jobs with SELinux.
I can't seem to figure out where to change the context label and how they should be in order to run cron jobs from crontab, not even sure that this is the real problem though.

Each time I restart my cron daemon (cronie, but I have tried vixie-cron, fcron, dcron and maybe others too), I get this error message in /var/log/cron.log:
Code:
Jul  2 12:30:18 serveris crond[4433]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 20% if used.)
Jul  2 12:30:18 serveris crond[4433]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t file_context=system_u:object_r:user_cron_spool_t (/etc/crontab)
Jul  2 12:30:18 serveris crond[4433]: (root) FAILED (loading cron table)
Jul  2 12:30:18 serveris crond[4433]: (CRON) INFO (running with inotify support)


From the Gentoo SELinux Cron guide ( https://wiki.gentoo.org/wiki/SELinux/cron ), as far as I understood, the crontab should have the same context.
Code:
ls -laZ /etc | grep crontab
-rw-r--r--.  1 root     root     system_u:object_r:user_cron_spool_t     485 Jul  1 21:58 crontab


The /etc/crontab had a different context label, it was for user root; I did change it (but it did not help):
Code:
chcon -u root /etc/crontab


I also have these booleans enabled:
Code:
getsebool -a | grep cron
cron_can_relabel --> on
cron_userdomain_transition --> on
fcron_crond --> on

I have changed these booleans, but that also did not help (I did try to enable allow_execmod too, but no luck).

The audit.log (/var/log/audit/audit.log) also does not have anything useful: https://pastebin.com/EhBpFNka


By using the Gentoo SELinux installation guide ( https://wiki.gentoo.org/wiki/SELinux/Installation ) I was not able to add the SELinux root user:
Code:
semanage user -m -R "staff_r sysadm_r system_r" root
ValueError: SELinux user root is not defined

Do I need it...? Though:
Code:
semanage user -l
SELinux User    SELinux Roles

root            staff_r sysadm_r system_r
staff_u         staff_r sysadm_r system_r
sysadm_u        sysadm_r
system_u        system_r
unconfined_u    unconfined_r
user_u          user_r



Could someone please help me find the problem?

[EDIT]
I did manage to get cron working, but I still get the same error message.

[EDIT2]
Finally got cron to execute, context label issue:
Code:
-rw-r--r--. 1 root root root:object_r:system_cron_spool_t 608 Jul 12 21:19 /etc/crontab
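The cronie message quoted in the post carries both the job context and the crontab's file context, so the mislabeled file can be picked out of cron.log mechanically. The following is an added example, not part of the original post: the names `find_denials`, `split_context` and `WORKING_TYPE` are hypothetical, and the expected type for /etc/crontab is taken from the post's final `ls -Z` output, assuming the same policy.

```python
import re

# Message cronie writes when it refuses a crontab because of its SELinux label.
DENIAL = re.compile(
    r"\((?P<user>.*?)\) Unauthorized SELinux context=(?P<proc>\S+) "
    r"file_context=(?P<file>\S+) \((?P<path>[^)]+)\)"
)

# Label that worked in the post's final `ls -Z` output (assumption: same policy).
WORKING_TYPE = {"/etc/crontab": "system_cron_spool_t"}


def split_context(ctx):
    """Split user:role:type[:level]; the MLS/MCS level is optional."""
    user, role, setype, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype,
            "level": level[0] if level else None}


def find_denials(lines):
    """Return one record per 'Unauthorized SELinux context' line."""
    out = []
    for line in lines:
        m = DENIAL.search(line)
        if not m:
            continue
        ftype = split_context(m["file"])["type"]
        want = WORKING_TYPE.get(m["path"])  # None: path not covered by the post
        out.append({
            "path": m["path"],
            "job_type": split_context(m["proc"])["type"],
            "file_type": ftype,
            "wanted_type": want,
            "mislabeled": want is not None and ftype != want,
        })
    return out


# First two lines are from the post; the third is constructed (MLS level, other path).
SAMPLE = [
    "Jul  2 12:30:18 serveris crond[4433]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t file_context=system_u:object_r:user_cron_spool_t (/etc/crontab)",
    "Jul  2 12:30:18 serveris crond[4433]: (root) FAILED (loading cron table)",
    "Jul  2 12:31:02 serveris crond[4433]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0 file_context=system_u:object_r:etc_t:s0 (/etc/cron.d/example)",
]

if __name__ == "__main__":
    for d in find_denials(SAMPLE):
        print(d)
```

For a path where `wanted_type` is `None`, `matchpathcon <path>` shows the label the loaded policy expects and `restorecon -v <path>` applies it.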