Hi support team
I'm trying to create a crontab entry for the user "apache" from a CGI script executed by the Apache web server with SELinux enabled.
The command I try to execute is something like:
/bin/echo '01 01 * * * echo "TEST"' | /bin/crontab -
CentOS Linux release 8.1.1911 (Core) - fresh install (older versions are also affected).
SELinux policy was adapted - no deny messages in the audit.log
With SELinux disabled it is working, the crontab entry is correctly created.
The return message from the crontab command is:
You (apache) are not allowed to access to (crontab) because of pam configuration
I already tried the following without success:
1) Adding the following line to /etc/security/access.conf
+ : apache : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
2) setsebool -P allow_httpd_mod_auth_pam 1
3) Changes in /etc/pam.d/cron
Here is some additional information:
The following message appears in /var/log/cron:
Jun 7 09:46:30 centos8 crontab[17059]: (apache) PAM ERROR (System error)
$ sudo chage -l apache
Last password change : Jun 07, 2020
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : -1
Maximum number of days between password change : -1
Number of days of warning before password expires : -1
$ sudo grep apache /etc/shadow
apache:!!:::::
From a CLI I can execute the command crontab for apache:
$ sudo crontab -u apache -l
no crontab for apache
/etc/cron.deny has no entries
/etc/cron.allow does not exist
$ sudo getenforce
Enforcing
$ sudo cat /var/log/audit/audit.log | audit2allow -m test > test.te
$ cat test.te
module test 1.0;
$
I also tried on Fedora 32. Same problem.
On Fedora, these messages appear in the cron log:
Jun 2 20:38:16 fedora32 crontab[6951]: PAM audit_log_acct_message() failed: Permission denied
Jun 2 20:38:16 fedora32 crontab[6951]: (apache) PAM ERROR (System error)