Re: cron is failing to run for selinux context, but everything looks fine

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, 30 Jul 2020 02:47:22 +0800
Ed Greshko <ed.greshko@xxxxxxxxxxx> wrote:

> 
> In the above, is PID 5954 the crond process?  If you run ps with the
> -Z option do you get something like
> 
> [egreshko@f31k ~]$ ps p 821 -Z
> LABEL                               PID TTY      STAT   TIME COMMAND
> system_u:system_r:crond_t:s0-s0:c0.c1023 821 ?   Ss     0:00
> /usr/sbin/crond -n

LABEL                               PID TTY      STAT   TIME COMMAND
system_u:system_r:crond_t:s0-s0:c0.c1023 3167 ?  Ss     0:00
/usr/sbin/crond -n

> Do you happen to have another F31 system which doesn't have dwatch
> installed?  All of my F31 systems are running cron jobs just fine and
> they are all fully updated.

No, but I removed dwatch from /etc/cron.d, and the behavior persists.
I think I have something installed that you do not, though it is good
to see that your systems are running fine.

> Jul 30 02:01:01 f31k.greshko.com CROND[2417]: (root) CMD (run-parts
> /etc/cron.hourly) Jul 30 02:01:01 f31k.greshko.com run-parts[2420]:
> (/etc/cron.hourly) starting 0anacron Jul 30 02:01:01 f31k.greshko.com
> run-parts[2428]: (/etc/cron.hourly) finished 0anacron

If I boot with enforcing=0 as a kernel option, I see this happen.

> 
> Do you think having dwatch installed may be significant?  And, did
> you mention that in the bugzilla? It sounds to me like an important
> detail.

No, I don't think dwatch is significant, it is just the job I noticed.
It was running fine on July 25, I updated, and on reboot on July 26, I
see this behavior.

I think this is the problem:
crond[5954]: (*system*) NULL security context for user, but SELinux in
permissive mode, continuing ()

crond only starts and runs properly when selinux is disabled.  It
hasn't been updated since last year, selinux was last updated in June,
and the container-selinux package doesn't seem to have anything to do
with this even though it was updated on July 25.

With enforcing 0, restart crond, no dwatch

Jul 29 12:25:03 localhost.localdomain crond[12307]: (CRON) INFO
(@reboot jobs will be run at computer's startup.) Jul 29 12:25:03
localhost.localdomain crond[12307]: (CRON) INFO (running with inotify
support) Jul 29 12:25:03 localhost.localdomain crond[12307]: ((null))
No security context but SELinux in permissive mode, continuing
(/etc/cron.d/0hourly) Jul 29 12:25:03 localhost.localdomain
crond[12307]: ((null)) No security context but SELinux in permissive
mode, continuing (/etc/cron.d/atop) Jul 29 12:25:03
localhost.localdomain crond[12307]: ((null)) No security context but
SELinux in permissive mode, continuing (/etc/cron.d/moodle) Jul 29
12:25:03 localhost.localdomain crond[12307]: ((null)) No security
context but SELinux in permissive mode, continuing
(/etc/cron.d/mailman) Jul 29 12:25:03 localhost.localdomain
crond[12307]: ((null)) No security context but SELinux in permissive
mode, continuing (/etc/cron.d/rear) Jul 29 12:25:03
localhost.localdomain crond[12307]: ((null)) No security context but
SELinux in permissive mode, continuing (/etc/crontab) Jul 29 12:25:03
localhost.localdomain crond[12307]: (CRON) INFO (RANDOM_DELAY will be
scaled with factor 30% if used.) Jul 29 12:25:03 localhost.localdomain
crond[12307]: (CRON) STARTUP (1.5.4) Jul 29 12:25:03
localhost.localdomain systemd[1]: Started Command Scheduler. Jul 29
12:25:03 localhost.localdomain systemd[1]: Stopped Command Scheduler.
Jul 29 12:25:03 localhost.localdomain systemd[1]: crond.service:
Succeeded. Jul 29 12:25:03 localhost.localdomain crond[11695]: (CRON)
INFO (Shutting down) Jul 29 12:25:03 localhost.localdomain systemd[1]:
Stopping Command Scheduler...

With enforcing 1, restart crond, no dwatch

Jul 29 12:25:47 localhost.localdomain crond[12324]: (CRON) INFO
(@reboot jobs will be run at computer's startup.) Jul 29 12:25:47
localhost.localdomain crond[12324]: (CRON) INFO (running with inotify
support) Jul 29 12:25:47 localhost.localdomain crond[12324]: (root)
FAILED (loading cron table) Jul 29 12:25:47 localhost.localdomain
crond[12324]: ((null)) No SELinux security context
(/etc/cron.d/0hourly) Jul 29 12:25:47 localhost.localdomain
crond[12324]: (root) FAILED (loading cron table) Jul 29 12:25:47
localhost.localdomain crond[12324]: ((null)) No SELinux security
context (/etc/cron.d/atop) Jul 29 12:25:47 localhost.localdomain
crond[12324]: (root) FAILED (loading cron table) Jul 29 12:25:47
localhost.localdomain crond[12324]: ((null)) No SELinux security
context (/etc/cron.d/moodle) Jul 29 12:25:46 localhost.localdomain
crond[12324]: (root) FAILED (loading cron table) Jul 29 12:25:46
localhost.localdomain crond[12324]: ((null)) No SELinux security
context (/etc/cron.d/mailman) Jul 29 12:25:46 localhost.localdomain
crond[12324]: (root) FAILED (loading cron table) Jul 29 12:25:46
localhost.localdomain crond[12324]: ((null)) No SELinux security
context (/etc/cron.d/rear) Jul 29 12:25:46 localhost.localdomain
crond[12324]: (root) FAILED (loading cron table) Jul 29 12:25:46
localhost.localdomain crond[12324]: ((null)) No SELinux security
context (/etc/crontab) Jul 29 12:25:46 localhost.localdomain
crond[12324]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 28%
if used.) Jul 29 12:25:46 localhost.localdomain crond[12324]: (CRON)
STARTUP (1.5.4) Jul 29 12:25:46 localhost.localdomain systemd[1]:
Started Command Scheduler. Jul 29 12:25:46 localhost.localdomain
systemd[1]: Stopped Command Scheduler. Jul 29 12:25:46
localhost.localdomain systemd[1]: crond.service: Succeeded. Jul 29
12:25:46 localhost.localdomain crond[12307]: (CRON) INFO (Shutting
down) Jul 29 12:25:46 localhost.localdomain systemd[1]: Stopping
Command Scheduler...

I think something (inadvertently) changed the selinux security context
that crond is started with, systemd happily starts it in either case,
ignoring any difference, but when it runs, the missing security context
prevents it from actually performing its function.

I reinstalled all the selinux components, and still the problem
persists.  I'm going to drop this for a while, see if anything comes to
me.  I have your workaround for the time being.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux