Fedora 40 crontab selinux

No idea how to stop the massive bold text, bewildered.

Similar to 1547368 – Unable to run cron jobs from /etc/crontab due to selinux

It appears to show this behaviour after I adjust /etc/crontab or a cronjob is run, reload being the culprit from what I can see.

```
systemctl status crond
 crond.service - Command Scheduler
     Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Mon 2024-07-22 08:20:46 IST; 12min ago
   Main PID: 3560 (crond)
      Tasks: 1 (limit: 37317)
     Memory: 1.0M (peak: 4.4M)
        CPU: 29ms
     CGroup: /system.slice/crond.service
             └─3560 /usr/sbin/crond -n -m /usr/local/bin/mailxtocron
Jul 22 08:20:46 fedora-01.family systemd[1]: Starting crond.service - Command Scheduler...
Jul 22 08:20:46 fedora-01.family crond[3560]: (CRON) STARTUP (1.7.1)
Jul 22 08:20:46 fedora-01.family crond[3560]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 33% if used.)
Jul 22 08:20:46 fedora-01.family crond[3560]: (CRON) INFO (running with inotify support)
Jul 22 08:20:46 fedora-01.family crond[3560]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Jul 22 08:20:46 fedora-01.family systemd[1]: Started crond.service - Command Scheduler.
Jul 22 08:26:00 fedora-01.family crond[3560]: (*system*) RELOAD (/etc/crontab)
Jul 22 08:26:00 fedora-01.family crond[3560]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:etc_t:s0 (/etc/cront>
Jul 22 08:26:00 fedora-01.family crond[3560]: (root) FAILED (loading cron table)
```

Following the advice from the bug:

```
ausearch -m AVC -m USER_AVC -ts today

time->Mon Jul 22 03:21:02 2024
type=AVC msg=audit(1721614862.078:365): avc:  denied  { dac_read_search } for  pid=10134 comm="sendmail" capability=2  scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tclass=capability permissive=0
----
time->Mon Jul 22 03:21:02 2024
type=AVC msg=audit(1721614862.686:366): avc:  denied  { read } for  pid=10209 comm="uptime" name="sessions" dev="tmpfs" ino=85 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir permissive=0
```

Ran them a few minutes ago, about 08:30; no AVC against cron*.

Have placed the following in /usr/lib/systemd/system/crond.service:

```
ExecStartPost=/usr/sbin/restorecon -Fv /etc/crontab
```

```
sudo systemctl status crond
crond.service - Command Scheduler
     Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Mon 2024-07-22 08:33:33 IST; 16min ago
    Process: 4213 ExecStartPost=/usr/sbin/restorecon -Fv /etc/crontab (code=exited, status=0/SUCCESS)
    Process: 4553 ExecReload=/bin/kill -URG $MAINPID (code=exited, status=0/SUCCESS)
   Main PID: 4212 (crond)
      Tasks: 1 (limit: 37317)
     Memory: 1.1M (peak: 4.5M)
        CPU: 41ms
     CGroup: /system.slice/crond.service
             └─4212 /usr/sbin/crond -n -m /usr/local/bin/mailxtocron

Jul 22 08:33:33 fedora-01.family crond[4212]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 55% if used.)
Jul 22 08:33:33 fedora-01.family crond[4212]: (CRON) INFO (running with inotify support)
Jul 22 08:33:33 fedora-01.family crond[4212]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:etc_t:s0 (/etc/cront>
Jul 22 08:33:33 fedora-01.family crond[4212]: (root) FAILED (loading cron table)
Jul 22 08:33:33 fedora-01.family crond[4212]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Jul 22 08:33:33 fedora-01.family restorecon[4213]: Relabeled /etc/crontab from unconfined_u:object_r:etc_t:s0 to system_u:object_r:system_cron_spool_t:s0
Jul 22 08:33:33 fedora-01.family systemd[1]: Started crond.service - Command Scheduler.
Jul 22 08:34:00 fedora-01.family crond[4212]: (*system*) RELOAD (/etc/crontab)
Jul 22 08:49:32 fedora-01.family systemd[1]: Reloading crond.service - Command Scheduler...
Jul 22 08:49:32 fedora-01.family systemd[1]: Reloaded crond.service - Command Scheduler.
```

```
sudo ls -LZ /etc/crontab
system_u:object_r:system_cron_spool_t:s0 /etc/crontab
```

It appears to work, or is there a more appropriate way of doing it? Is there any test that can be run to make sure a fix for problem A doesn’t cause problem B?

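One way to check from the journal whether crond ended up with a loaded table after a label rejection, as an added example that is not part of the original post and not cronie's own code. The sample lines are constructed from the output quoted above, the function name `cron_table_state` is hypothetical, and it assumes that a RELOAD with no failure logged after it means the table loaded.

```python
import re

# Constructed sample, modelled on the crond journal lines quoted in the post
# (host name shortened; the truncated "(/etc/cront>" tail is kept as shown there).
SAMPLE = """\
Jul 22 08:20:46 host crond[3560]: (CRON) STARTUP (1.7.1)
Jul 22 08:26:00 host crond[3560]: (*system*) RELOAD (/etc/crontab)
Jul 22 08:26:00 host crond[3560]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:etc_t:s0 (/etc/cront>
Jul 22 08:26:00 host crond[3560]: (root) FAILED (loading cron table)
Jul 22 08:33:33 host crond[4212]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:etc_t:s0 (/etc/cront>
Jul 22 08:33:33 host crond[4212]: (root) FAILED (loading cron table)
Jul 22 08:33:33 host restorecon[4213]: Relabeled /etc/crontab from unconfined_u:object_r:etc_t:s0 to system_u:object_r:system_cron_spool_t:s0
Jul 22 08:34:00 host crond[4212]: (*system*) RELOAD (/etc/crontab)
"""

CROND = re.compile(r"crond\[(\d+)\]: (.*)$")
FILE_CTX = re.compile(r"Unauthorized SELinux context=\S+ file_context=(\S+)")


def cron_table_state(journal_text):
    """Return {pid: {"loaded": bool, "rejected_type": str or None}} per crond PID.

    Assumption: a RELOAD marks the table as loaded; an "Unauthorized SELinux"
    or "FAILED (loading cron table)" line after it marks it as not loaded.
    """
    state = {}
    for line in journal_text.splitlines():
        m = CROND.search(line)
        if not m:
            continue  # restorecon, systemd and other units are ignored
        pid, msg = int(m.group(1)), m.group(2)
        entry = state.setdefault(pid, {"loaded": True, "rejected_type": None})
        ctx = FILE_CTX.search(msg)
        if ctx:
            # An SELinux context is user:role:type:level; keep the type field
            entry["rejected_type"] = ctx.group(1).split(":")[2]
            entry["loaded"] = False
        elif "FAILED (loading cron table)" in msg:
            entry["loaded"] = False
        elif "RELOAD (" in msg:
            entry["loaded"] = True
    return state


if __name__ == "__main__":
    print(cron_table_state(SAMPLE))
```

For PID 4212 the result is loaded, because the RELOAD at 08:34:00 came after restorecon relabeled the file; for PID 3560 the failure follows the RELOAD, so the table is reported as not loaded.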

I edited your post to use pre-formatted text.

```
pre formatted   text      preserves    spaces
```