Gentoo Forums
Networking & Security
selinux: vixie-cron not working
Panard (n00b; Joined: 22 Apr 2003; Posts: 34; Location: France)
Posted: Tue Sep 21, 2004 11:58 am    Post subject: selinux: vixie-cron not working

I'm using 2.6.7-hardened-r8 kernel with policy.17.
When starting vixie-cron, I get this output in my /var/log/messages:
Code:

Sep 21 13:34:53 aragorn audit(1095766493.531:0): avc:  denied  { write } for  pid=22081 exe=/usr/sbin/cron name=log dev=ramfs ino=5778 ipaddr=127.0.0.6 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:ramfs_t tclass=sock_file
Sep 21 13:34:53 aragorn cron[22081]: (CRON) STARTUP (fork ok)
Sep 21 13:34:53 aragorn cron[22081]: (root) ENTRYPOINT FAILED (crontabs/root)


My /etc/crontab
Code:

# for vixie cron
#
# $Header: /var/cvsroot/gentoo-x86/sys-apps/vixie-cron/files/crontab-3.0.1-r4,v 1.6 2004/07/18 04:40:50 dragonheart Exp $
#
#

# Global variables
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root@aragorn.home
HOME=/

# check scripts in cron.hourly, cron.daily, cron.weekly and cron.monthly
0  *  * * *     rm -f /var/spool/cron/lastrun/cron.hourly
1  3  * * *     rm -f /var/spool/cron/lastrun/cron.daily
15 4  * * 6     rm -f /var/spool/cron/lastrun/cron.weekly
30 5  1 * *     rm -f /var/spool/cron/lastrun/cron.monthly
*/10  * * * *   test -x /usr/sbin/run-crons && /usr/sbin/run-crons

0  *  * * *     rdate -s -u ntp0.ncl.ac.uk >/dev/null 2>&1
0  1  * * *     logwatch.pl >/dev/null
0  2  * * *     webalizer >/dev/null

#45 23 * * *    /etc/fwanalog/fwanalog.sh
#0   1 * * *    fwlogwatch


When doing crontab /etc/crontab, /var/log/messages gives me this:

Code:

Sep 21 13:50:05 aragorn audit(1095767405.828:0): avc:  denied  { read } for  pid=1753 exe=/usr/bin/crontab name=crontab dev=hda2 ino=1864146 ipaddr=127.0.0.6 scontext=panard:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:system_cron_spool_t tclass=file
Sep 21 13:50:05 aragorn audit(1095767405.828:0): avc:  denied  { getattr } for  pid=1753 exe=/usr/bin/crontab path=/etc/crontab dev=hda2 ino=1864146 ipaddr=127.0.0.6 scontext=panard:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:system_cron_spool_t tclass=file
Sep 21 13:50:05 aragorn crontab[1753]: (root) REPLACE (root)
Sep 21 13:51:00 aragorn cron[22081]: (system_u) RELOAD (/etc/crontab)
Sep 21 13:51:00 aragorn cron[22081]: (system_u) ENTRYPOINT FAILED (/etc/crontab)
Sep 21 13:51:00 aragorn cron[22081]: (root) ENTRYPOINT FAILED (crontabs/root)


Am I doing something wrong?
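The three AVC records in the post above are the whole diagnosis: each one names a source type (scontext), a target type (tcontext), an object class and the permission that was refused. The shell function below, an added example that is not part of the thread, reduces a stream of such records to the candidate allow rules they imply, the same summary audit2allow prints; it is a triage aid, not a fix. The sample input is the three lines quoted above, embedded as a constructed variable so the script runs offline. Note that blindly adding `allow sysadm_crontab_t system_cron_spool_t:file { read getattr };` to a local module would paper over what the thread later resolves by procedure (not installing /etc/crontab through crontab(1) at all), so every rule it prints deserves a policy review before it goes anywhere near a module.

```shell
#!/bin/sh
# avc_to_allow: turn SELinux AVC "denied" records into candidate allow rules,
# the same summary audit2allow produces. Added example, not from the thread.
# Only the type field of each context is used; rules are grouped per
# (source type, target type, class) and permissions are deduplicated.
avc_to_allow() {
  awk '
    /avc: +denied/ {
      perms = $0
      sub(/.*[{] */, "", perms)      # keep text after "{"
      sub(/ *[}].*/, "", perms)      # drop text from "}" on, e.g. "read getattr"
      s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); s = a[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); t = b[3] }
        else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      if (s == "" || t == "" || c == "") next   # malformed record, skip it
      key = s SUBSEP t SUBSEP c
      if (!(key in rules)) { keys[++n] = key; rules[key] = "" }
      m = split(perms, p, " ")
      for (j = 1; j <= m; j++) {
        if ((key, p[j]) in seen) continue
        seen[key, p[j]] = 1
        rules[key] = rules[key] (rules[key] == "" ? "" : " ") p[j]
      }
    }
    END {
      for (k = 1; k <= n; k++) {
        split(keys[k], f, SUBSEP)
        printf "allow %s %s:%s { %s };\n", f[1], f[2], f[3], rules[keys[k]]
      }
    }'
}

# Constructed sample: the three AVC records quoted in the first post of this thread.
SAMPLE_AVC='Sep 21 13:34:53 aragorn audit(1095766493.531:0): avc:  denied  { write } for  pid=22081 exe=/usr/sbin/cron name=log dev=ramfs ino=5778 ipaddr=127.0.0.6 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:ramfs_t tclass=sock_file
Sep 21 13:50:05 aragorn audit(1095767405.828:0): avc:  denied  { read } for  pid=1753 exe=/usr/bin/crontab name=crontab dev=hda2 ino=1864146 ipaddr=127.0.0.6 scontext=panard:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:system_cron_spool_t tclass=file
Sep 21 13:50:05 aragorn audit(1095767405.828:0): avc:  denied  { getattr } for  pid=1753 exe=/usr/bin/crontab path=/etc/crontab dev=hda2 ino=1864146 ipaddr=127.0.0.6 scontext=panard:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:system_cron_spool_t tclass=file'

# Real use on a box like the one in the thread: grep 'avc:' /var/log/messages | avc_to_allow
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

On the sample it prints one rule for cron writing the syslog socket on ramfs and one rule grouping the two crontab(1) denials, which makes the two separate problems in the first post visible at a glance.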
AppleMasher (n00b; Joined: 09 Jul 2004; Posts: 11; Location: Chattanooga, TN)
Posted: Sun Jan 09, 2005 3:06 am    Post subject: hi

I'm wondering if you ever found a solution to this. I am running policy 17 with 2.6.7-hardened-r17.

Code:

Jan  8 18:45:16 router /usr/sbin/cron[23390]: (CRON) STARTUP (V5.0)
Jan  8 18:45:16 router /usr/sbin/cron[23390]: (system_u) NO CONTEXT (/etc/crontab)
Jan  8 18:45:16 router /usr/sbin/cron[23390]: (root) ENTRYPOINT FAILED (crontabs/root


There are no relevant selinux permission errors in selinux.log (my selinux log file)


Code:

# ls -Z /etc/crontab && ls -Z /var/spool/cron/crontabs/root && ps x -Z | grep cron
-rw-r--r--  root     root     system_u:object_r:system_cron_spool_t /etc/crontab
-rw-------  root     root     system_u:object_r:sysadm_cron_spool_t /var/spool/cron/crontabs/root
system_u:system_r:crond_t           23390 ?        Ss     0:00 /usr/sbin/cron
Panard (n00b; Joined: 22 Apr 2003; Posts: 34; Location: France)
Posted: Sun Jan 16, 2005 1:54 pm

If you want to use a root crontab (not system), you have to be in the staff_r context.
If you want to use a system crontab, do _not_ run crontab /etc/crontab (with vixie-cron) (if you have run crontab /etc/crontab before, run crontab -r to remove it), then:
Code:

$ chmod 0600 /etc/crontab
# Be sure that /etc/crontab is in the right format
# ( time user  command )
$ setfiles /etc/security/selinux/file_context /etc/crontab
# Restart vixie-cron to be sure.
AppleMasher (n00b; Joined: 09 Jul 2004; Posts: 11; Location: Chattanooga, TN)
Posted: Sun Jan 16, 2005 4:06 pm

thanks, that solved it. I'm slowly getting the hang of selinux, time to do some more reading.
dashnu (l33t; Joined: 21 Jul 2004; Posts: 703; Location: Casco Maine)
Posted: Sat Sep 17, 2005 12:58 pm

I am in the same boat, cron will not run. I tried the above suggestions with no luck. Do you have any other ideas?

I am still in permissive mode.

Thanks
_________________
write quit bang
dashnu (l33t; Joined: 21 Jul 2004; Posts: 703; Location: Casco Maine)
Posted: Thu Sep 29, 2005 3:53 pm

anyone?
_________________
write quit bang
pookey (Tux's lil' helper; Joined: 03 Sep 2003; Posts: 88; Location: UK)
Posted: Wed Nov 02, 2005 2:16 pm

I'm also having this issue

Code:

Nov  2 14:13:48 xian cron[6294]: (CRON) STARTUP (V5.0)
Nov  2 14:13:48 xian cron[6294]: (system_u) NO CONTEXT (/etc/crontab)


Code:

# ls -laZ /etc/crontab
-rw-------  root     root     system_u:object_r:system_cron_spool_t /etc/crontab


Kind Regards,

Ian
pookey (Tux's lil' helper; Joined: 03 Sep 2003; Posts: 88; Location: UK)
Posted: Mon Nov 21, 2005 3:48 am

has anyone managed to solve this issue?

At the moment I'm having to manually run things when I remember to do it... which is not as frequently as it should be :)
dashnu (l33t; Joined: 21 Jul 2004; Posts: 703; Location: Casco Maine)
Posted: Tue Nov 22, 2005 1:18 pm

pookey wrote:
has anyone managed to solve this issue?

At the moment I'm having to manually run things when I remember to do it... which is not as frequently as it should be :)


I sure as hell have not. I wish we could get some help on this issue.
_________________
write quit bang
vladgrigorescu (Guru; Joined: 11 Jan 2005; Posts: 360)
Posted: Sat Jan 07, 2006 2:51 pm

A reboot did the trick for me.
dashnu (l33t; Joined: 21 Jul 2004; Posts: 703; Location: Casco Maine)
Posted: Mon Jan 09, 2006 2:16 pm

I found my error was partly related to SSH-ing into the box. I was not getting the correct context when starting daemons. So logging into the console and restarting services fixed it a bit... However, root's crontab will not run. Things in cron.d* run fine.

Still Stuck.
_________________
write quit bang
njlg (Tux's lil' helper; Joined: 03 Jul 2003; Posts: 98; Location: Portland, OR, USA)
Posted: Tue Jan 23, 2007 2:48 pm

I found that relabel allowed /etc/crontab to work:

Code:
# rlpkg -a


or at least, I did not get the following error in the vixie-cron log when I restarted the daemon:

Quote:
(system_u) ENTRYPOINT FAILED (/etc/crontab)
HydraSwitch (n00b; Joined: 18 Oct 2007; Posts: 7)
Posted: Wed Jun 25, 2008 4:26 pm    Post subject: Try the user role

It works for me when I'm in the user_r role and not otherwise.
Login as the user you want your crontab to work as and run crontab -e
as that user. You can see what role you're in with the 'id' command.
su to the user from root doesn't work.
fixinko (n00b; Joined: 23 Jun 2007; Posts: 16; Location: Bratislava, Slovakia)
Posted: Thu Jun 26, 2008 8:12 am

You must start/stop/restart apps when you are staff_u:sysadm_r:sysadm_t, otherwise you will not be able to start/stop them correctly, even if your SELinux is in permissive mode.
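Two separate checks are spread across this thread: Panard's recipe for a system crontab (mode 0600 on /etc/crontab, label it with setfiles, then restart cron, and never install it with crontab(1)), and the point made by dashnu and fixinko that the daemon has to be started from sysadm_r:sysadm_t or it ends up in the wrong context. The script below, an added example and not anything posted in the thread, turns both into a preflight that can be run before `/etc/init.d/vixie-cron restart`. Its assumptions are labelled in the comments: the expected label for /etc/crontab is system_u:object_r:system_cron_spool_t (what every listing in the thread shows), the caller must be in sysadm_r:sysadm_t (fixinko's rule), and relabelling is done with restorecon, which on the 2004-era tree in the first posts would be `setfiles <file_contexts> /etc/crontab` instead. The parsing functions take the `id -Z` and `ls -Z` text as arguments, so the demo at the bottom runs offline on the listings quoted in this thread plus one constructed bad-label line.

```shell
#!/bin/sh
# Preflight for (re)starting vixie-cron with /etc/crontab as the system crontab.
# Added example, not from the thread. Assumptions: the expected label for
# /etc/crontab is system_u:object_r:system_cron_spool_t, the caller must be in
# sysadm_r:sysadm_t, and restorecon is available to relabel (on the old tree in
# this thread the equivalent is: setfiles <file_contexts> /etc/crontab).

# Print "user role type" for a context string "user:role:type[:range]".
ctx_fields() { printf '%s\n' "$1" | awk -F: '{ print $1, $2, $3 }'; }

# caller_ok CONTEXT: succeed only if CONTEXT (as printed by `id -Z`) is sysadm_r:sysadm_t.
caller_ok() {
  set -- $(ctx_fields "$1")
  [ "$2" = "sysadm_r" ] && [ "$3" = "sysadm_t" ]
}

# crontab_plan LS_Z_LINE: read one `ls -Z /etc/crontab` line (the old 4-column
# or the newer 9-column layout, both seen in this thread) and print "ok" or the
# commands that bring mode and label back to what the system crontab needs.
crontab_plan() {
  mode=$(printf '%s\n' "$1" | awk '{ print $1 }')
  ctx=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:object_r:/) { print $i; exit } }')
  set -- $(ctx_fields "$ctx")
  plan=""
  case $mode in
    -rw-------*) ;;                               # 0600, as Panard recommends
    *) plan="chmod 0600 /etc/crontab" ;;
  esac
  if [ "$1" != "system_u" ] || [ "$3" != "system_cron_spool_t" ]; then
    plan="${plan:+$plan; }restorecon -v /etc/crontab"
  fi
  printf '%s\n' "${plan:-ok}"
}

# preflight: the live wiring (needs an SELinux host; not exercised by the demo).
preflight() {
  caller_ok "$(id -Z)" || { echo "start cron from sysadm_r:sysadm_t, not from the current context" >&2; return 1; }
  plan=$(crontab_plan "$(ls -Z /etc/crontab)")
  [ "$plan" = "ok" ] && return 0
  echo "fix first: $plan" >&2
  return 1
}

# Demo on constructed input: the context and listings quoted in this thread,
# plus one made-up mislabelled line to show the relabel branch.
caller_ok "root:sysadm_r:sysadm_t" && echo "caller context ok"
crontab_plan "-rw-r--r--  root     root     system_u:object_r:system_cron_spool_t /etc/crontab"
crontab_plan "-rw-------. 1 root root system_u:object_r:system_cron_spool_t 611 Sep 14 12:31 /etc/crontab"
crontab_plan "-rw-r--r--. 1 root root unconfined_u:object_r:file_t 0 Sep 14 12:31 /etc/crontab"
```

The first demo line (AppleMasher's listing) yields only the chmod, the second (mizery de aria's) is already "ok", and the constructed file_t line yields both commands. If the label and mode are right, the caller is in sysadm_t and cron still logs NO CONTEXT or ENTRYPOINT FAILED for /etc/crontab, the cause is something this check does not cover, which is where the later posts in the thread leave off.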
mizery de aria (Guru; Joined: 07 Dec 2003; Posts: 309)
Posted: Fri Sep 17, 2010 8:37 am

I tried this and it didn't resolve the issue for me.
Code:
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video) context=root:sysadm_r:sysadm_t


co je Jidda Sha Ti'l wrote:
I found that relabel allowed /etc/crontab to work:
Code:
# rlpkg -a

or at least, I did not get the following error in the vixie-cron log when I restarted the daemon:
Quote:
(system_u) ENTRYPOINT FAILED (/etc/crontab)




Panard wrote:
If you want to use a root crontab (not system), you have to be in the staff_r context.
If you want to use a system crontab, do _not_ run crontab /etc/crontab (with vixie-cron) (if you have run crontab /etc/crontab before, run crontab -r to remove it), then :
Code:

$ chmod 0600 /etc/crontab
# Be sure that /etc/crontab is in the right format
# ( time user  command )
$ setfiles /etc/security/selinux/file_context /etc/crontab
# Restart vixie-cron to be sure.


Code:
# locate file_context|grep "^/etc/.*texts$"
/etc/selinux/targeted/modules/active/file_contexts
/etc/selinux/targeted/contexts/files/file_contexts
/etc/selinux/strict/modules/active/file_contexts
/etc/selinux/strict/contexts/files/file_contexts


Are there other steps to take to correctly resolve this issue?

still in my /var/log/cron.log:
Code:
cron[10573]: (system_u) ENTRYPOINT FAILED (/etc/crontab)


Where does "system_u" come from?
Code:
# ls -alZ /etc/init.d/vixie-cron
-rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 530 Sep 14 12:31 /etc/init.d/vixie-cron


# for i in `equery files vixie-cron`;do if test -f "$i";then ls -alZ $i;fi;done
-rw-r--r--. 1 root root system_u:object_r:system_cron_spool_t 0 Sep 14 12:31 /etc/cron.d/.keep_sys-process_vixie-cron-0
-rw-r--r--. 1 root root system_u:object_r:etc_t 220 Sep 14 12:31 /etc/cron.deny
-rw-------. 1 root root system_u:object_r:system_cron_spool_t 611 Sep 14 12:31 /etc/crontab
-rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 530 Sep 14 12:31 /etc/init.d/vixie-cron
-rw-r--r--. 1 root root system_u:object_r:etc_t 123 Sep 14 12:31 /etc/pam.d/cron
-rwxr-s--x. 1 root crontab system_u:object_r:crontab_exec_t 39272 Sep 14 12:31 /usr/bin/crontab
-rwxr-x---. 1 root wheel system_u:object_r:crond_exec_t 47400 Sep 14 12:31 /usr/sbin/cron
-rw-r--r--. 1 root root system_u:object_r:usr_t 4100 Sep 14 12:31 /usr/share/doc/vixie-cron-4.1-r10/CHANGES.bz2
-rw-r--r--. 1 root root system_u:object_r:usr_t 1721 Sep 14 12:31 /usr/share/doc/vixie-cron-4.1-r10/CONVERSION.bz2
-rw-r--r--. 1 root root system_u:object_r:usr_t 2045 Sep 14 12:31 /usr/share/doc/vixie-cron-4.1-r10/FEATURES.bz2
-rw-r--r--. 1 root root system_u:object_r:usr_t 8246 Sep 14 12:31 /usr/share/doc/vixie-cron-4.1-r10/MAIL.bz2
-rw-r--r--. 1 root root system_u:object_r:usr_t 1735 Sep 14 12:31 /usr/share/doc/vixie-cron-4.1-r10/README.bz2
-rw-r--r--. 1 root root system_u:object_r:usr_t 949 Sep 14 12:31 /usr/share/doc/vixie-cron-4.1-r10/THANKS.bz2
-rw-r--r--. 1 root root system_u:object_r:usr_t 367 Sep 14 12:31 /usr/share/doc/vixie-cron-4.1-r10/crontab.bz2
-rw-r--r--. 1 root root system_u:object_r:man_t 1655 Sep 14 12:31 /usr/share/man/man1/crontab.1.bz2
-rw-r--r--. 1 root root system_u:object_r:man_t 3700 Sep 14 12:31 /usr/share/man/man5/crontab.5.bz2
-rw-r--r--. 1 root root system_u:object_r:man_t 1916 Sep 14 12:31 /usr/share/man/man8/cron.8.bz2
-rw-r--r--. 1 root root unconfined_u:object_r:file_t 0 Sep 14 12:31 /var/spool/cron/crontabs/.keep_sys-process_vixie-cron-0

# ls -alZ /etc/crontab
-rw-------. 1 root root system_u:object_r:system_cron_spool_t 611 Sep 14 12:31 /etc/crontab


What can I do to give correct access/permission?
_________________
Do not repIy to or othErwise communicate with me if you use religious, spiritual or similar terminologies or references in your typings.