Bug 1263328 - rawhide selinux policy prevents /var/spool/cron/root from working
Summary: rawhide selinux policy prevents /var/spool/cron/root from working
Keywords:
Status: CLOSED DUPLICATE of bug 1298192
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-09-15 14:41 UTC by Kevin Fenzi
Modified: 2016-02-13 04:04 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-15 14:36:47 UTC
Type: Bug
Embargoed:


Description Kevin Fenzi 2015-09-15 14:41:37 UTC
I have a backup job defined in /var/spool/cron/root via crontab -e.

It's stopped working recently. 

Upon editing I see in the journal: 

Sep 15 08:28:01 voldemort.scrye.com crond[1165]: (root) FAILED (loading cron table)

If I setenforce 0 and reedit: 

Sep 15 08:30:01 voldemort.scrye.com crond[1165]: (root) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/root)
Sep 15 08:30:01 voldemort.scrye.com crond[1165]: (root) SELinux in permissive mode, continuing (/var/spool/cron/root)

restorecon -Rv /var/spool/cron gives: 

restorecon -Rv /var/spool/cron/
restorecon:  Warning no default label for /var/spool/cron/root

There are no AVCs that I can see on the failure.

cronie-1.5.0-3.fc23.x86_64
selinux-policy-targeted-3.13.1-147.fc24.noarch

Comment 1 Simon Guest 2015-11-09 20:12:54 UTC
Hi,

This problem is now in Fedora 23 (so probably should update the header fields).  I am using the official release, with these package versions:

cronie-1.5.0-3.fc23.x86_64
selinux-policy-targeted-3.13.1-152.fc23.noarch

On creating a brand new cron job, running crontab -e as root (for the first time), I get this in the journal:

Nov 10 08:57:01 kiai.tesujimath.org crond[1524]: (root) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/root)
Nov 10 08:57:01 kiai.tesujimath.org crond[1524]: (root) FAILED (loading cron table)

Comment 2 Simon Guest 2015-11-09 20:20:16 UTC
My attempted work-around, to install the job as a normal user, fails to work, also because of SELinux.  After installing the cron job running crontab -e as sjg, I get this in the journal:

Nov 10 09:18:01 kiai.tesujimath.org crond[1524]: (sjg) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/sjg)
Nov 10 09:18:01 kiai.tesujimath.org crond[1524]: (sjg) FAILED (loading cron table)

Comment 3 Jacek Pawlyta 2015-11-15 12:17:36 UTC
I see the problem for Fedora 23 and user crontab also. My automatic backup with the help of BackinTime is not working anymore after upgrading from F22 to F23

Comment 4 Jacek Pawlyta 2015-11-15 12:25:38 UTC
Nov 15 13:01:46 jacek crond[4958]: (ja) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/ja)
Nov 15 13:01:46 ja crond[4958]: (ja) FAILED (loading cron table)

Comment 5 Jacek Pawlyta 2015-11-15 12:27:41 UTC
#cat /var/spool/cron/ja 
#Back In Time system entry, this will be edited by the gui:
0 * * * * /bin/nice -n 19 /bin/ionice -c2 -n7 /bin/backintime --backup-job >/dev/null 2>&1

Comment 6 Miroslav Grepl 2015-12-11 08:31:14 UTC
There are upstream fixes for this issue.

Comment 7 Bojan Smojver 2016-01-07 20:57:06 UTC
Just bumped into this today on F-23:
-------------------
Jan  8 07:54:45 beauty crond[5167]: (root) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=system_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/root)
Jan  8 07:54:45 beauty crond[5167]: (root) FAILED (loading cron table)
-------------------

Changed absolutely nothing, except for applying updates. It just stopped working.

Comment 8 Daniel Lehrner 2016-01-13 07:56:22 UTC
I have the same bug in Fedora 23 with the latest updates:

Jan 13 08:54:07 daniel-laptop crond[1320]: (daniel) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/daniel)
Jan 13 08:54:07 daniel-laptop crond[1320]: (daniel) FAILED (loading cron table)

So could somebody change the version from rawhide to 23?

Comment 9 Dmitry Burstein 2016-01-13 09:55:23 UTC
Can confirm the same.
Is there a workaround for the meanwhile - besides disabling the selinux?

Comment 10 Benjamin Xiao 2016-01-13 19:18:07 UTC
When can we expect the upstream fixes to go into F23? I just ran into this issue on my server today.

Comment 11 Benjamin Xiao 2016-01-13 20:24:42 UTC
@Dmitry Burstein

I've had to put selinux into permissive mode and then restart crond. Isn't a very suitable workaround in terms of security but at least my cron jobs are running.

I tried using semanage to only put crond_t into permissive mode, but that didn't seem to work.

Comment 12 Michael Altizer 2016-01-14 00:43:10 UTC
Switching back to kernel 4.2.8-300.fc23.x86_64 worked around the issue for me.

Comment 13 Jonathan Wakely 2016-01-14 01:45:48 UTC
This is definitely affecting F23 now, and is a pretty major bug. Is there any progress towards fixing it?

Comment 14 Lukas Vrabec 2016-01-14 13:45:08 UTC
Could anyone test this issue with these scratch builds? 

F23: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-158.2.fc23.1/
Rawhide: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-166.fc24.1/

Thank you.

Comment 15 Jonathan Wakely 2016-01-14 13:53:22 UTC
(In reply to Lukas Vrabec from comment #14)
> Could anyone test this issue with these scratch builds? 
> 
> F23: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-158.2.fc23.1/
> Rawhide: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-166.fc24.1/

I installed the F23 selinux-policy and selinux-policy-targeted packages on F23, didn't reboot, still using kernel-4.3.3-300.fc23.x86_64. I edited my user's crontab, and it still gets blocked by selinux. So the scratch build doesn't seem to help.

Comment 16 Jonathan Wakely 2016-01-14 13:55:04 UTC
To be clear, I edited the crontab to add:

*/1 * * * * date > /tmp/date

Then waited for the top of the minute, and then /var/log/cron shows the job isn't permitted to run:


(jwakely) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/jwakely)

Comment 17 Daniel Lehrner 2016-01-14 14:11:44 UTC
I installed the scratch builds from comment #
(In reply to Lukas Vrabec from comment #14)
> Could anyone test this issue with these scratch builds? 
> 
> F23: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-158.2.fc23.1/
> Rawhide: https://lvrabec.fedorapeople.org/selinux-policy-3.13.1-166.fc24.1/
> 
> Thank you.

I have installed F23 selinux-policy and selinux-policy-targeted as well. After a restart it still doesn't work and I get the same error message as before.

Comment 18 Miroslav Grepl 2016-01-15 09:12:53 UTC
*** Bug 1298192 has been marked as a duplicate of this bug. ***

Comment 19 Miroslav Grepl 2016-01-15 14:28:21 UTC
Folks,
could you please use the following local policy

$ cat mycron.cil
(allow unconfined_t user_cron_spool_t( file ( entrypoint)))

and run

# semodule -i mycron.cil

and reload crond as a workaround for now.

Comment 20 Andrea Bolognani 2016-01-15 14:35:30 UTC
Does that workaround persist reboots?

If so, how to remove it once the bug has been properly fixed?

Comment 21 Miroslav Grepl 2016-01-15 14:36:13 UTC
(In reply to Andrea Bolognani from comment #20)
> Does that workaround persist reboots?
> 
> If so, how to remove it once the bug has been properly fixed?

Yes, it persists.

semodule -r mycron

to remove it. Or you can boot with older kernel.

Comment 22 Miroslav Grepl 2016-01-15 14:36:47 UTC

*** This bug has been marked as a duplicate of bug 1298192 ***

Comment 23 Jonathan Wakely 2016-01-15 15:47:05 UTC
The workaround in comment 19 works, thanks.

Comment 24 Miroslav Grepl 2016-01-15 16:07:45 UTC
(In reply to Jonathan Wakely from comment #23)
> The workaround in comment 19 works, thanks.

Thank you for testing.

Comment 25 Daniel Lehrner 2016-01-16 18:25:40 UTC
(In reply to Miroslav Grepl from comment #19)
> Folks,
> could you please use the following local policy
> 
> $ cat mycron.cil
> (allow unconfined_t user_cron_spool_t( file ( entrypoint)))
> 
> and run
> 
> # semodule -i mycron.cil
> 
> and reload crond as a workaround for now.

Works for me as well. Thanks!

Comment 26 René van Dorst 2016-01-20 09:01:14 UTC
comment #19 is working for me as well.

Comment 27 Davoid 2016-01-26 09:19:56 UTC
comment #19 ok for me too, thanks
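
Added example, not part of the original bug report or of cronie: a small Python triage script for the crond journal lines quoted throughout this thread. It reports which crontabs were refused and which were loaded only because SELinux was permissive, along with the source and target types, the same pair the comment 19 rule names. The sample lines, host and user names are constructed.

```python
import re
from collections import namedtuple

# crond's refusal line and its permissive-mode follow-up, as quoted in this report.
REFUSAL = re.compile(
    r"\((?P<user>[^)]+)\) Unauthorized SELinux context=(?P<scontext>\S+) "
    r"file_context=(?P<fcontext>\S+) \((?P<path>[^)]+)\)")
PERMISSIVE = re.compile(
    r"\([^)]+\) SELinux in permissive mode, continuing \((?P<path>[^)]+)\)")

Refusal = namedtuple("Refusal", "user source_type target_type path enforced")

def selinux_type(context):
    """Return the type field of a user:role:type[:range] context string."""
    return context.split(":")[2]

def triage(lines):
    """Latest state per crontab path: refused, or loaded only because permissive."""
    state = {}
    for line in lines:
        m = REFUSAL.search(line)
        if m:
            state[m["path"]] = Refusal(m["user"], selinux_type(m["scontext"]),
                                       selinux_type(m["fcontext"]), m["path"], True)
            continue
        m = PERMISSIVE.search(line)
        if m and m["path"] in state:
            # crond logged the refusal but carried on because of permissive mode.
            state[m["path"]] = state[m["path"]]._replace(enforced=False)
    return sorted(state.values())

# Constructed sample lines (hypothetical host and users), same format as above.
_P = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
_F = "unconfined_u:object_r:user_cron_spool_t:s0"
SAMPLE = [
    f"Jan 01 10:00:01 host.example crond[100]: (alice) Unauthorized SELinux context={_P} file_context={_F} (/var/spool/cron/alice)",
    "Jan 01 10:00:01 host.example crond[100]: (alice) FAILED (loading cron table)",
    f"Jan 01 10:05:01 host.example crond[100]: (root) Unauthorized SELinux context={_P} file_context={_F} (/var/spool/cron/root)",
    "Jan 01 10:05:01 host.example crond[100]: (root) SELinux in permissive mode, continuing (/var/spool/cron/root)",
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        outcome = "refused" if r.enforced else "loaded (permissive only)"
        print(f"{r.path}: {r.source_type} -> {r.target_type}, {outcome}")
```

On a live system the same function can be fed the lines of `journalctl -u crond` output instead of `SAMPLE`.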

