Bug 155184 - SELinux and Cron Daily Issue
Summary: SELinux and Cron Daily Issue
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Reported: 2005-04-17 19:26 UTC by Ryan Skadberg
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-04-20 15:00:05 UTC


Description Ryan Skadberg 2005-04-17 19:26:12 UTC
Installed FC3 cleanly and then did a yum update to development.  Now, I get this
in my e-mail:

From: root@machine (Cron Daemon)
To: root@machine
Subject: Cron <root@codewarrior> run-parts /etc/cron.hourly
X-Cron-Env: <SHELL=/bin/bash>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <HOME=/>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

execl: couldn't exec `/bin/bash'
execl: Permission denied

And see this in /var/log/messages:

Apr 17 15:01:01 machine kernel: audit(1113764461.774:0): avc:  denied  { transition } for  pid=3559 exe=/usr/sbin/crond path=/bin/bash dev=dm-0 ino=1769565 scontext=user_u:system_r:initrc_t tcontext=system_u:system_r:unconfined_t

Comment 1 Ryan Skadberg 2005-04-17 20:13:32 UTC
Actually, seeing this in cron.hourly, cron.daily and cron.weekly

Comment 2 Daniel Walsh 2005-04-19 15:45:50 UTC
This looks like a labeling problem.  cron should be running under crond_t.

What is /usr/sbin/crond context?

ls -lZ /usr/sbin/crond
-rwxr-xr-x  root     root     system_u:object_r:crond_exec_t   /usr/sbin/crond

If it is not this, restorecon -v /usr/sbin/crond should fix it.  If you want to
relabel the system

touch /.autorelabel 
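
Added example, not part of the bug thread: a text-only shell triage of the check described in comment 2 (is the process in crond_t, and is /usr/sbin/crond labeled crond_exec_t). The function names, the verdict words and the mislabeled bin_t line are constructed for illustration; it parses text only, so it runs on hosts without SELinux tooling.

```shell
#!/bin/sh
# Added example (not from the bug thread): text-only triage of a denied
# domain transition, following the reasoning in comment 2.

# The denial from the description, on one line.
SAMPLE_AVC='Apr 17 15:01:01 machine kernel: audit(1113764461.774:0): avc:  denied  { transition } for  pid=3559 exe=/usr/sbin/crond path=/bin/bash dev=dm-0 ino=1769565 scontext=user_u:system_r:initrc_t tcontext=system_u:system_r:unconfined_t'
# `ls -lZ` line from comment 2 (correct label), then a constructed mislabeled one.
GOOD_LS='-rwxr-xr-x  root     root     system_u:object_r:crond_exec_t   /usr/sbin/crond'
BAD_LS='-rwxr-xr-x  root     root     system_u:object_r:bin_t   /usr/sbin/crond'  # constructed

# avc_field LINE KEY: value of KEY=... in an AVC record (empty if absent).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# ctx_type CONTEXT: the type, i.e. third field of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# ls_z_type LINE: type of the first token that looks like a security context.
ls_z_type() {
    printf '%s\n' "$1" | tr -s ' ' '\n' | grep ':.*:' | head -n 1 | cut -d: -f3
}

# diagnose AVC WANT_DOMAIN LS_LINE WANT_EXEC_TYPE, prints one verdict:
#   relabel         source domain wrong and the binary is mislabeled (restorecon)
#   label-ok        source domain wrong but the binary's label is already right
#   domain-ok       process is in the expected domain; look at policy instead
#   not-transition  the record is not a denied { transition }
diagnose() {
    case "$1" in
        *denied*"{ transition }"*) ;;
        *) echo not-transition; return 0 ;;
    esac
    src=$(ctx_type "$(avc_field "$1" scontext)")
    if [ "$src" = "$2" ]; then
        echo domain-ok
    elif [ "$(ls_z_type "$3")" != "$4" ]; then
        echo relabel
    else
        echo label-ok
    fi
}

diagnose "$SAMPLE_AVC" crond_t "$BAD_LS" crond_exec_t
```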

Comment 3 Ryan Skadberg 2005-04-19 23:50:07 UTC
This seems to have been the issue.  Doing the restorecon fixed things.  I did a
relabel just in case other things were broken and all seems well now.

Someone probably needs to look into why this permission got changed for me.  Or
maybe any selinux upgrade should automatically add a /.autorelabel?

Comment 4 Daniel Walsh 2005-04-20 15:00:05 UTC
Did you ever turn off SELinux?

Comment 5 Ryan Skadberg 2005-04-20 15:06:04 UTC
Nope.  Process was:

Installed FC3
Yum Update to Development
Problem started

Comment 6 Daniel Walsh 2005-04-20 15:18:09 UTC
Well, the rpm is supposed to figure out what requires a relabel and relabel on
the fly.  Something must have gone wrong during the upgrade.  Did you see lots
of restorecon messages during the upgrade?
