[Solved] SELinux Error for root cron jobs

dunwell
Posts: 116
Joined: 2010/12/20 18:49:52
Location: Colorado

[Solved] SELinux Error for root cron jobs

Post by dunwell » 2016/03/03 18:59:26

I've exceeded my SEL knowledge and hope that some guru can advise.

I have the /var/spool/cron/root job running two perl scripts. I am running in permissive right now so they run but throw an error in my logwatch and in /var/log/cron of the form

```text
Mar  3 08:30:01 dunwellguitar3 crond[8463]: (root) NULL security context for user, but SELinux in permissive mode, continuing ()
Mar  3 08:30:01 dunwellguitar3 CROND[8468]: (root) CMD (/usr/local/solar-web_monitor/cgi-bin/fronius_daily_logger.pl)
```

Current SEL status for the perl files is

```text
43 dunwellguitar3:/usr/local/solar-web_monitor/cgi-bin
> ls -laZ fronius_daily_logger.pl
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 fronius_daily_logger.pl*
44 dunwellguitar3:/usr/local/solar-web_monitor/cgi-bin
> ls -laZ fronius_totals_logger.pl
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 fronius_totals_logger.pl*
```

and for the cron job

```text
55 dunwellguitar3:/var/spool/cron
> ls -laZ
drwx------. root root system_u:object_r:httpd_sys_script_exec_t:s0 ./
drwxr-xr-x. root root system_u:object_r:var_spool_t:s0 ../
-rw-------. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 root
```

The root cron file looks like

```text
60 dunwellguitar3:/var/spool/cron
> cat root
00,10,20,30,40,50  *      *  *  *  /usr/local/solar-web_monitor/cgi-bin/fronius_daily_logger.pl
00,10,20,30,40,50  15-20  *  *  *  /usr/local/solar-web_monitor/cgi-bin/fronius_totals_logger.pl
00                 21     *  *  *  /usr/local/solar-web_monitor/cgi-bin/fronius_totals_writer.pl
05                 5      *  *  *  /root/backup2usb.sh
```

and all four of the commands throw the error. So it is probably not something specific to the solar-web area.

If I run the scripts from the command line they throw no SEL errors so I assume it is related to the "cron"-ness.
I'm trying to be a good SEL camper here and work through the messages that come up but this one has got me stumped. I could find nothing that applied in on-line fora or other webness so I'm hoping someone here has some idea of which form of SEL command I should use either for the cron job or for the cgi-bin area where the perl files live. Any suggestions appreciated.

Alan D.
Last edited by dunwell on 2016/03/10 23:32:45, edited 1 time in total.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: SELinux Error for root cron jobs

Post by aks » 2016/03/04 16:55:10

Cron is supposed to be labelled: unconfined_u:object_r:user_cron_spool_t:s0
HTTP executable content: unconfined_u:object_r:httpd_sys_script_exec_t

I guess you could dynamically relabel with cron (although the selinux boolean cron_can_relabel is off by default).

It might just be easier to use audit2allow or the equivalent to allow the operation(s). There's an entry in the CentOS FAQ for this.
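A small added check, not from the thread: it parses `ls -laZ` style lines and flags cron spool entries whose SELinux type is not the one aks names above, using constructed sample lines that mirror the OP's paste (the second user "alan" is invented). The live check uses the real `restorecon` dry run, which is the command that also fixes the labels once `-n` is dropped.

```sh
#!/bin/sh
# Added example (not from the thread): flag cron spool entries whose SELinux
# type is not the one the policy expects, then reset them with restorecon.

# Print the TYPE field of a context "user:role:type:level".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -laZ` output lines from stdin and print "MISMATCH <name> <type>"
# for every entry whose type is not $1.  The context is the field that
# contains ":object_r:", the name is the last field.  Always exits 0.
find_mislabelled() {
    expected=$1
    while IFS= read -r line; do
        set -- $line                       # split the line into fields
        [ $# -ge 4 ] || continue           # skip "total N" and blank lines
        ctx=''
        for f in "$@"; do
            case $f in *:object_r:*) ctx=$f ;; esac
        done
        [ -n "$ctx" ] || continue
        shift $(($# - 1)); name=$1         # last field is the file name
        actual=$(context_type "$ctx")
        [ "$actual" = "$expected" ] || printf 'MISMATCH %s %s\n' "$name" "$actual"
    done
    return 0
}

# Constructed sample mirroring the OP's paste: root's crontab carries the
# httpd type, a second (invented) user's crontab carries the correct one.
SAMPLE='-rw-------. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 root
-rw-------. alan alan unconfined_u:object_r:user_cron_spool_t:s0 alan'

sample_mismatches() {
    printf '%s\n' "$SAMPLE" | find_mislabelled user_cron_spool_t
}

# Live check with the real tool (only when policycoreutils is present):
# restorecon -n -v lists entries whose context differs from the file-context
# policy without changing them; drop -n to rewrite them to the policy value.
live_check() {
    command -v restorecon >/dev/null 2>&1 || { echo 'restorecon not installed'; return 0; }
    restorecon -R -n -v /var/spool/cron
}
```

Note that the spool directory itself has a different expected type from the crontab files inside it, so compare it with the policy (the dry run does this) rather than with user_cron_spool_t.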

dunwell
Posts: 116
Joined: 2010/12/20 18:49:52
Location: Colorado

Re: SELinux Error for root cron jobs

Post by dunwell » 2016/03/04 18:27:36

> aks wrote: Cron is supposed to be labelled: unconfined_u:object_r:user_cron_spool_t:s0
> HTTP executable content: unconfined_u:object_r:httpd_sys_script_exec_t
>
> I guess you could dynamically relabel with cron (although the selinux boolean cron_can_relabel is off by default).
>
> It might just be easier to use audit2allow or the equivalent to allow the operation(s). There's an entry in the CentOS FAQ for this.

Many thanks for the followup aks. I think I found the FAQ but it is a bit opaque to me as a SEL beginner so I'll have to work through that and understand about the audit.log and audit2allow. In the meantime, if you would be so kind, can you suggest the actual commands I could use to reset the cron label back to what you suggest? I can do that as a starter and then view the log and try the audit2allow to clear the override if necessary.

Thanks,
Alan D.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: SELinux Error for root cron jobs

Post by aks » 2016/03/05 07:59:52

> but it is a bit opaque to me

Okay, look at https://wiki.centos.org/HowTos/SELinux

> can you suggest the actual commands

audit2allow, checkmodule & semodule*

It's all very simple, you extract the problems from audit.log and pass those through to audit2allow, which creates the semodule. You check the semodule (checkmodule and also with a text editor as it's still text), to ensure you're happy with what's being enabled and the checkmodule checks the syntax. You then "compile" that to a selinux module via semodule_package and then load it into the selinux system.
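The workflow aks describes, as an added shell example (not from the thread or the CentOS wiki): pull AVC records out of the audit log and, only if there are any, build and inspect a module. The audit lines are constructed; `audit2allow -M` wraps the checkmodule and semodule_package steps, and the `permissive=1` field is what the kernel adds to denials that were logged but not blocked.

```sh
#!/bin/sh
# Added example (not from the thread): the audit.log -> audit2allow -> semodule
# path, run only when the log actually holds AVC denials.

# Constructed audit.log excerpt.  The "res=success" records are the kind the
# OP saw; only the two AVC records mean anything to audit2allow, and the one
# marked permissive=1 was logged (not blocked) because SELinux was permissive.
SAMPLE_AUDIT=$(cat <<'EOF'
type=USER_START msg=audit(1457000001.000:10): pid=8463 uid=0 auid=0 ses=5 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" terminal=cron res=success'
type=AVC msg=audit(1457000002.000:11): avc:  denied  { read } for  pid=8468 comm="perl" name="readings.db" dev="sda1" ino=4242 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1457000003.000:12): avc:  denied  { write } for  pid=8468 comm="perl" name="readings.db" dev="sda1" ino=4242 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file permissive=0
type=CRED_DISP msg=audit(1457000004.000:13): pid=8468 uid=0 auid=0 ses=5 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" res=success'
EOF
)

# Keep only AVC denial records (the input audit2allow understands).
avc_denials() { grep 'avc:  denied' || true; }

# Denials that were actually blocked, i.e. not logged under permissive mode.
enforced_denials() { avc_denials | grep -v 'permissive=1' || true; }

# Number of lines on stdin (prints 0 for empty input).
count_lines() { grep -c . || true; }

# Build module NAME from the AVC lines on stdin.  audit2allow -M runs the
# checkmodule and semodule_package steps itself and leaves NAME.te (plain
# text, read it first) and NAME.pp; `semodule -i NAME.pp` then loads it.
build_module() {
    name=$1
    denials=$(avc_denials)
    if [ -z "$denials" ]; then
        echo 'no AVC denials on input: nothing for audit2allow to build'
        return 0
    fi
    if ! command -v audit2allow >/dev/null 2>&1; then
        echo 'audit2allow not installed (policycoreutils-python on CentOS 7)'
        return 0
    fi
    printf '%s\n' "$denials" | audit2allow -M "$name"
    echo "review ${name}.te, then load with: semodule -i ${name}.pp"
}

# Helpers over the constructed sample, for the reader and the checks below.
sample_denial_count()   { printf '%s\n' "$SAMPLE_AUDIT" | avc_denials | count_lines; }
sample_enforced_count() { printf '%s\n' "$SAMPLE_AUDIT" | enforced_denials | count_lines; }
```

On a real box replace the sample with `grep cron /var/log/audit/audit.log | build_module mycron`; an empty result is the situation the OP later reports, and then there is nothing for a module to allow.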

dunwell
Posts: 116
Joined: 2010/12/20 18:49:52
Location: Colorado

Re: SELinux Error for root cron jobs

Post by dunwell » 2016/03/05 16:04:29

Thanks aks, the bit at the bottom of the FAQ is helpful too. I'll give it a whirl and report back later. The bit that was puzzling to me was that there were not any actual failures or denials in the audit.log, only things that end with "success" since I'm in permissive mode. The only actual SEL error type messages are in the /var/log/cron file. I'll see what the audit2allow does though.
Alan D.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: SELinux Error for root cron jobs

Post by aks » 2016/03/06 10:48:05

Eh? I seem to have missed that. You're running SELinux in permissive mode? If so then the problem should not be SELinux.
I suppose what you call "cron"-ness could come into play. Now this depends on your script and what it does (would it be possible to post the script?). Basically cron doesn't run with a "full" environment, so if your script depends on things related to the environment, they won't work. Post the script and I'll try it on one of my machines (assuming it's not some really bad idea of course).

dunwell
Posts: 116
Joined: 2010/12/20 18:49:52
Location: Colorado

Re: SELinux Error for root cron jobs

Post by dunwell » 2016/03/07 03:04:14

OK, adding one of the files that the cron job runs. Note that in an earlier message I mention that all the jobs in the root cron list throw the error. There are three of them related to the taking/saving of solar data and a fourth that executes a backup job to a USB mounted disk. I'm including the latter because it is the shortest with no cgi stuff or open/close of database files etc. Just a simple mount of the USB drive and xfsdump. This forum would not allow the upload of a .sh file so I just changed the name to be .txt, so change it back to .sh before using if you need to do that.

I did think about the environment vars and such but could not come up with any specific paths for example that might be missing. It was my understanding that cron jobs do run with some minimalist list of the /bin:/usr/bin:

Again, this backup2usb.sh script is the simplest, the others have the explicit paths included in the scripts where necessary. Note also that I am using full explicit paths in the cron commands of the scripts to run.

Any thoughts appreciated, and thanks for your perseverance.

Just an aside, the message that is thrown is pretty strange when you think about it a bit. What has the "(root) NULL security context for user," got to do with anything? SELinux errors seem to be of this flavour, not very informative. They might as well have said "(root) green hair not allowed." or some such.
Alan D.
Attachment: backup2usb.txt (4.3 KiB)

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: SELinux Error for root cron jobs

Post by aks » 2016/03/07 18:11:51

> What has the "(root) NULL security context for user," got to do with anything?

Perhaps, although we're in Permissive mode so it should not fail - to me it suggests you desperately need to re-label. Perhaps you should do that anyway (although the message suggests it's not an issue - it may really be).

> "(root) green hair not allowed."

No, no, it's root with red, yellow, green hair ....

Okay, so this is a shell script, not a Perl script (I thought we were talking about Perl)?

Anyway I had to change quite a few things to get it to work.

1) Took out all references to /media/ as this is 7 and it's no longer relevant, that's really about simplifying.
2) Inserted a flush statement before the unmount (line 53) - that could be cause I was doing this quite quick and buffering can be a real pain.
3) My XFS filesystem wasn't a "real" USB rather a bit of a lie (no USB storage to hand).
4) I changed the if !(xfs) to:
a) Test that xfsdump is available.
b) Test that the source is an XFS source.
c) Execute the backup.
d) Read the return from xfsdump and make a decision about the email message based on that (increased verbosity of xfsdump for that as well).
5) My xfsdump didn't seem to like the -u argument.
6) I changed the limit of blocks used (-z).
7) The destination (-f) did not exist (i.e.: /boot.lev${LEVEL}.${YYMMDD}.dump) so I manually created it.
8) Changed -{LEVEL} to -l ${LEVEL}
9) Changed the source of the backup (sda1/md126/md127) as appropriate.
10) Took out the sleep 60 and replaced with a flush, 'cause I don't like waiting!

Also I changed large parts of it to use the "modern" bash things of ${variable} rather than $variable and $() rather than `` - but that's just me.

Otherwise it worked for me. Anything in your logs (${BKP_PART}/dumplog)?

dunwell
Posts: 116
Joined: 2010/12/20 18:49:52
Location: Colorado

Re: SELinux Error for root cron jobs

Post by dunwell » 2016/03/08 16:29:45

Wow! Thanks for the lessons in script programming! Appreciated. Never claimed I was a guru ;)

Yes, some of the cron jobs are perl scripts, three of them in fact. I chose the backup shell script because it was shorter. Note that, despite your really good tips on programming, I don't think that the scripts per se are the issue but the fact that they are running from the cron job, as noted by the disparate types. I can attach one of the perl scripts if you need it but again, I think the issue, whatever it is, is related to running as root from cron.

Yes again, I am seeing some error messages coming to my email of the form

```text
/etc/cron.hourly/0yum-hourly.cron:

Not using downloaded repomd.xml because it is older than what we have:
  Current   : Fri Mar  4 19:55:29 2016
  Downloaded: Fri Mar  4 13:27:17 2016
```

Yet another issue with going to 7 that I have not had a chance to run down yet. Related?

I do not see any other error messages related to the perl or bash scripts run from cron. They run and complete just fine. Just the originally mentioned message about "(root) NULL security context for user,..."

Also, a while back when I was first attacking this issue and some related things I did a complete "disable" of SEL and later turned it back on. This did at least some relabel and I further did a

```text
touch ./autorelabel
```

followed by a reboot.
Alan D.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: SELinux Error for root cron jobs

Post by aks » 2016/03/08 17:24:47

> Yes, some of the cron jobs are perl scripts, three of them in fact. I chose the backup shell script because it was shorter.

Okay, so all the cron jobs are failing?

> Yet another issue with going to 7 that I have not had a chance to run down yet. Related?

It shouldn't be, but it's bad: updating software is very important. It's probably a cron job from yum-cron to update the available YUM repository software and check for new software and/or updates.

> originally mentioned message about "(root) NULL security context for user,..."

As I think I've said before, that suggests to me the file doesn't have a label (ls -lhZ <full_path_to_file> to confirm that) and it says it's continuing (which could be misleading).

> touch ./autorelabel

I think that's wrong, isn't it meant to be touch /.autolabel? Would possibly explain the (seeming) fact that the cronjob file is not labeled.

Let's start again. Suggest you insert statements (use the shell script, it's shorter) along the lines of:

```sh
echo -n 'Started at: ' > /tmp/log                 # start a fresh log for this run
date >> /tmp/log

echo -e 'Completed mount checks' >> /tmp/log      # one marker per stage reached
```

and so on in various places as appropriate. Then check /tmp/log.

The idea is to verify:

1) The script actually fires.
2) The script continues through the various echo commands we have in place.

Also as root please type this:

```sh
echo "* * * * * echo 'HELLO' >> /root/log" > cronjob
# "-" makes crontab read the new table from stdin; listing the current table
# first keeps the entries root already has instead of replacing them.
(crontab -l 2>/dev/null; cat cronjob) | crontab -
crontab -l    # you should see the cron job printed.
rm -f cronjob
```

What this'll do is fire a cron job (as root's cron) every minute, always, putting HELLO into the file /root/log. This will serve to verify that root's cron tab (NOT ones in /etc/cron.d/*) fire as well.
Wait for the file to be generated and then use the following to remove cronjob:
crontab -e
That will open the cron job in vi by default (unless you have a different ${EDITOR} environment variable).
Use the vi command dd to delete the entry we created (the echo statement above) and then use the vi command :x to save the file and exit the program.
Make sense?

So the point here is:
1) I doubt we've re-labeled SELinux and that could be the source of problems - despite the continue message.
2) We need to verify that cron (whatever cron you are using - 'cause it certainly doesn't look like you're using root's cron, just system cron) is firing jobs.
3) Root's cron works.

Please post back questions, results etc....
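An added helper (shell, not from the thread) for the logging aks suggests: instead of scattering echo lines, one function appends a stamped snapshot of what the job actually runs with, including the process SELinux context from `id -Z`, so an interactive run and a cron run of the same script can be compared block by block. `LOGFILE`, the tag names and the crontab line in the comment are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): record what a job really runs with, so
# an interactive run and a run from root's crontab can be compared line by line.
# LOGFILE and the tag names are assumptions.
LOGFILE=${LOGFILE:-/tmp/cron-env.log}

# Append one snapshot block tagged $1.  id -Z prints this process's SELinux
# context (for a cron job, the one crond computed for it); on a kernel without
# SELinux it fails, and "unavailable" is recorded instead.
snapshot() {
    tag=$1
    ctx=$(id -Z 2>/dev/null) || ctx=unavailable
    {
        printf 'tag=%s\n' "$tag"
        printf 'time=%s\n' "$(date '+%Y-%m-%dT%H:%M:%S')"
        printf 'user=%s\n' "$(id -un)"
        printf 'uid=%s\n' "$(id -u)"
        printf 'context=%s\n' "$ctx"
        printf 'PATH=%s\n' "${PATH:-unset}"
        printf 'HOME=%s\n' "${HOME:-unset}"
        printf 'SHELL=%s\n' "${SHELL:-unset}"
        printf 'cwd=%s\n' "$(pwd)"
        printf 'end\n'
    } >> "$LOGFILE"
}

# Number of snapshots in a log (0 when the file is missing or empty).
snapshot_count() {
    if [ -f "$1" ]; then grep -c '^tag=' "$1" || true; else echo 0; fi
}

# Value of field $2 (e.g. context, PATH) from the most recent snapshot in $1.
last_value() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Run once from a terminal, then from root's crontab every minute while
# testing, e.g. (assumed script path):
#   * * * * * /bin/sh /root/cron-env.sh cron
# and compare the two blocks in /tmp/cron-env.log.
if [ -n "${1:-}" ]; then
    snapshot "$1"
fi
```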
