1306104 – Unauthorized SELinux context; FAILED loading cron table

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1306104 - Unauthorized SELinux context; FAILED loading cron table

Summary: Unauthorized SELinux context; FAILED loading cron table

Keywords:
Status:	CLOSED DUPLICATE of bug 1298192
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	cronie
Sub Component:
Version:	23
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Tomas Mraz
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-10 02:22 UTC by Michael Hampton
Modified:	2016-02-10 10:03 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-02-10 10:03:02 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Michael Hampton 2016-02-10 02:22:10 UTC

Description of problem:
crond refuses to load any user's crontabs from /var/spool/cron directory, and complains about the SELinux contexts.

Feb 09 20:33:33 saurok systemd[1]: Starting Command Scheduler...
Feb 09 20:33:33 saurok crond[30971]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 64% if used.)
Feb 09 20:33:33 saurok crond[30971]: (mirror) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/mirror)
Feb 09 20:33:33 saurok crond[30971]: (mirror) FAILED (loading cron table)
Feb 09 20:33:33 saurok crond[30971]: (root) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/root)
Feb 09 20:33:33 saurok crond[30971]: (root) FAILED (loading cron table)

crond seems to be running with the right context:

# ps axZ | grep crond
system_u:system_r:crond_t:s0-s0:c0.c1023 334 ? Ss     0:00 /usr/sbin/crond -n

The files themselves seem to have the right contexts:

# ls -aZ /var/spool/cron
    system_u:object_r:user_cron_spool_t:s0 .
          system_u:object_r:var_spool_t:s0 ..
unconfined_u:object_r:user_cron_spool_t:s0 mirror
unconfined_u:object_r:user_cron_spool_t:s0 root

Attempting to use restorecon had no effect:

# restorecon -r -v /var/spool/cron
restorecon:  Warning no default label for /var/spool/cron/mirror
restorecon:  Warning no default label for /var/spool/cron/root

No AVCs were logged.


Version-Release number of selected component (if applicable):
cronie-1.5.0-3.fc23.x86_64
selinux-policy-targeted-3.13.1-158.4.fc23.noarch


How reproducible:
Always


Steps to Reproduce:
1. crontab -e
2. systemctl restart crond


Actual results:
cron jobs fail to run; journal entries complain about Unauthorized SELinux context.


Expected results:
cron jobs run normally.


Additional info:
This appears to have begun immediately after upgrading from F22 to F23 a couple of weeks ago. No user cron jobs have run since the upgrade took place; only jobs in /etc/cron.* are being run.

Comment 1 Tomas Mraz 2016-02-10 10:03:02 UTC


*** This bug has been marked as a duplicate of bug 1298192 ***

Note You need to log in before you can comment on or make changes to this bug.