SELinux Preventing root cron jobs from running

Support for security such as Firewalls and securing linux
Post Reply
dtpsupplies
Posts: 3
Joined: 2016/01/12 10:47:57
Location: United Kingdom
Contact:

SELinux Preventing root cron jobs from running

Post by dtpsupplies » 2016/01/12 11:05:05

I am having a problem running cron jobs as the root user. Cron jobs as a normal user work without problem.

The problem appears to be connected with SELinux as the jobs run perfectly when this is disabled. The cron log shows the following errors.

Jan 12 10:19:01 thinkserver crond[1561]: (root) Unauthorized SELinux context=uonfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:oect_r:user_cron_spool_t:s0 (/var/spool/cron/root)
Jan 12 10:19:01 thinkserver crond[1561]: (root) FAILED (loading cron table)

I assume that I have to use chcon to change the context but have not been able to work out what would be correct. Could somebody point me in the right direction?

Thanks very much.

User avatar
TrevorH
Forum Moderator
Posts: 26590
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux Preventing root cron jobs from running

Post by TrevorH » 2016/01/12 12:05:51

The context on the target appears to be ok, it's the context on the running process that looks odd. What does rpm -V cronie say? How about the output of ls -laZ /usr/sbin/crond ?
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

dtpsupplies
Posts: 3
Joined: 2016/01/12 10:47:57
Location: United Kingdom
Contact:

Re: SELinux Preventing root cron jobs from running

Post by dtpsupplies » 2016/01/12 16:57:44

Thanks very much for your reply. The output from the two commands is below.

[root@thinkserver ~]# rpm -V cronie
[root@thinkserver ~]# ls -laZ /usr/sbin/crond
-rwxr-xr-x. root root system_u:object_r:crond_exec_t:s0 /usr/sbin/crond

User avatar
TrevorH
Forum Moderator
Posts: 26590
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux Preventing root cron jobs from running

Post by TrevorH » 2016/01/12 19:13:49

Make sure that selinux is enabled, set it to permissive mode using setenforce 0 then clear the audit logs and try your cron job again. That should now work and create a full set of logs detailing what the problem(s) were. If you use aureport -a then it will list the events in the audit log and each line will have a number at the right hand end of it. Take that number and plug it into ausearch -a nnnn where nnnn is the number. Do that for the events in the aureport output that have a timestamp around the time the cronjob ran. Post the ausearch output here if it doesn't make sense.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

Sheepykins
Posts: 26
Joined: 2015/06/25 15:41:23

Re: SELinux Preventing root cron jobs from running

Post by Sheepykins » 2016/01/13 13:55:39

Sometimes its worth putting SELinux into a more verbose logging mode, i find that sometimes the audit logs dont capture everything they should:

Clear or rotate auditlog
semodule --disable_dontaudit --build
setenforce 0
Do your cron job, it should now output to audit log
setenforce 1
semodule --build

dtpsupplies
Posts: 3
Joined: 2016/01/12 10:47:57
Location: United Kingdom
Contact:

Re: SELinux Preventing root cron jobs from running

Post by dtpsupplies » 2016/01/13 14:24:03

I have done as suggested. As soon as setenforce is set to 0 the cron jobs run.

There are no messages in the aureport log at the time the jobs ran. This is true whether setenforce is 0 or 1.

Thanks again for your help.

Post Reply

Return to “CentOS 7 - Security Support”