
SELinux Preventing root cron jobs from running

Posted: 2016/01/12 11:05:05
by dtpsupplies
I am having a problem running cron jobs as the root user. Cron jobs as a normal user work without problem.

The problem appears to be connected with SELinux as the jobs run perfectly when this is disabled. The cron log shows the following errors.

Jan 12 10:19:01 thinkserver crond[1561]: (root) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/root)
Jan 12 10:19:01 thinkserver crond[1561]: (root) FAILED (loading cron table)

I assume that I have to use chcon to change the context but have not been able to work out what would be correct. Could somebody point me in the right direction?

Thanks very much.
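Added example, not part of the original post: a small Python parser for the crond "Unauthorized SELinux context" message quoted above, which splits both contexts into user, role, type and level so they can be compared field by field. The function and class names are hypothetical, and the sample lines are constructed, modelled on the two log lines in the post.

```python
import re
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str  # MLS/MCS range; may itself contain ':' (e.g. s0-s0:c0.c1023)

def parse_context(text: str) -> Context:
    # Split on the first three colons only: everything after the type is the
    # sensitivity/category range, which uses ':' between level and categories.
    parts = text.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {text!r}")
    user, role, typ = parts[:3]
    level = parts[3] if len(parts) == 4 else ""
    return Context(user, role, typ, level)

# Matches the crond message format shown in the post (assumed stable).
DENIED = re.compile(
    r"crond\[\d+\]: \((?P<owner>[^)]+)\) Unauthorized SELinux "
    r"context=(?P<ctx>\S+) file_context=(?P<fctx>\S+) \((?P<path>[^)]+)\)"
)

def rejected_crontabs(lines):
    """Return one record per crontab that crond refused on SELinux grounds."""
    out = []
    for line in lines:
        m = DENIED.search(line)
        if m:
            out.append({
                "owner": m["owner"],
                "path": m["path"],
                "context": parse_context(m["ctx"]),
                "file_context": parse_context(m["fctx"]),
            })
    return out

# Constructed sample, modelled on the two log lines in the post above.
SAMPLE = [
    "Jan 12 10:19:01 thinkserver crond[1561]: (root) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/root)",
    "Jan 12 10:19:01 thinkserver crond[1561]: (root) FAILED (loading cron table)",
]

if __name__ == "__main__":
    for rec in rejected_crontabs(SAMPLE):
        print(rec["owner"], rec["path"])
        print("  context     :", *rec["context"])
        print("  file_context:", *rec["file_context"])
```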

Re: SELinux Preventing root cron jobs from running

Posted: 2016/01/12 12:05:51
by TrevorH
The context on the target appears to be OK; it's the context on the running process that looks odd. What does rpm -V cronie say? How about the output of ls -laZ /usr/sbin/crond?

Re: SELinux Preventing root cron jobs from running

Posted: 2016/01/12 16:57:44
by dtpsupplies
Thanks very much for your reply. The output from the two commands is below.

[root@thinkserver ~]# rpm -V cronie
[root@thinkserver ~]# ls -laZ /usr/sbin/crond
-rwxr-xr-x. root root system_u:object_r:crond_exec_t:s0 /usr/sbin/crond

Re: SELinux Preventing root cron jobs from running

Posted: 2016/01/12 19:13:49
by TrevorH
Make sure that SELinux is enabled, set it to permissive mode using setenforce 0, then clear the audit logs and try your cron job again. That should now work and create a full set of logs detailing what the problem(s) were. If you use aureport -a then it will list the events in the audit log, and each line will have a number at the right-hand end of it. Take that number and plug it into ausearch -a nnnn, where nnnn is the number. Do that for the events in the aureport output that have a timestamp around the time the cron job ran. Post the ausearch output here if it doesn't make sense.

Re: SELinux Preventing root cron jobs from running

Posted: 2016/01/13 13:55:39
by Sheepykins
Sometimes it's worth putting SELinux into a more verbose logging mode; I find that sometimes the audit logs don't capture everything they should:

Clear or rotate auditlog
semodule --disable_dontaudit --build
setenforce 0
Do your cron job, it should now output to audit log
setenforce 1
semodule --build

Re: SELinux Preventing root cron jobs from running

Posted: 2016/01/13 14:24:03
by dtpsupplies
I have done as suggested. As soon as setenforce is set to 0 the cron jobs run.

There are no messages in the aureport log at the time the jobs ran. This is true whether setenforce is 0 or 1.

Thanks again for your help.