# selinux: vixie-cron not working

## Panard

I'm using 2.6.7-hardened-r8 kernel with policy.17.

When starting vixie-cron, I get this output in my /var/log/messages:

```
Sep 21 13:34:53 aragorn audit(1095766493.531:0): avc:  denied  { write } for  pid=22081 exe=/usr/sbin/cron name=log dev=ramfs ino=5778 ipaddr=127.0.0.6 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:ramfs_t tclass=sock_file
Sep 21 13:34:53 aragorn cron[22081]: (CRON) STARTUP (fork ok)
Sep 21 13:34:53 aragorn cron[22081]: (root) ENTRYPOINT FAILED (crontabs/root)
```

My /etc/crontab:

```
# for vixie cron
#
# $Header: /var/cvsroot/gentoo-x86/sys-apps/vixie-cron/files/crontab-3.0.1-r4,v 1.6 2004/07/18 04:40:50 dragonheart Exp $
#
#
# Global variables
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root@aragorn.home
HOME=/

# check scripts in cron.hourly, cron.daily, cron.weekly and cron.monthly
0  *  * * *     rm -f /var/spool/cron/lastrun/cron.hourly
1  3  * * *     rm -f /var/spool/cron/lastrun/cron.daily
15 4  * * 6     rm -f /var/spool/cron/lastrun/cron.weekly
30 5  1 * *     rm -f /var/spool/cron/lastrun/cron.monthly
*/10  * * * *   test -x /usr/sbin/run-crons && /usr/sbin/run-crons
0  *  * * *     rdate -s -u ntp0.ncl.ac.uk >/dev/null 2>&1
0  1  * * *     logwatch.pl >/dev/null
0  2  * * *     webalizer >/dev/null
#45 23 * * *    /etc/fwanalog/fwanalog.sh
#0   1 * * *    fwlogwatch
```

When doing crontab /etc/crontab, /var/log/messages gives me this:

```
Sep 21 13:50:05 aragorn audit(1095767405.828:0): avc:  denied  { read } for  pid=1753 exe=/usr/bin/crontab name=crontab dev=hda2 ino=1864146 ipaddr=127.0.0.6 scontext=panard:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:system_cron_spool_t tclass=file
Sep 21 13:50:05 aragorn audit(1095767405.828:0): avc:  denied  { getattr } for  pid=1753 exe=/usr/bin/crontab path=/etc/crontabdev=hda2 ino=1864146 ipaddr=127.0.0.6 scontext=panard:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:system_cron_spool_t tclass=file
Sep 21 13:50:05 aragorn crontab[1753]: (root) REPLACE (root)
Sep 21 13:51:00 aragorn cron[22081]: (system_u) RELOAD (/etc/crontab)
Sep 21 13:51:00 aragorn cron[22081]: (system_u) ENTRYPOINT FAILED (/etc/crontab)
Sep 21 13:51:00 aragorn cron[22081]: (root) ENTRYPOINT FAILED (crontabs/root)
```

Am I doing something wrong?

----------

## AppleMasher

I'm wondering if you ever found a solution to this. I am running policy 17 with 2.6.7-hardened-r17.

```
Jan  8 18:45:16 router /usr/sbin/cron[23390]: (CRON) STARTUP (V5.0)
Jan  8 18:45:16 router /usr/sbin/cron[23390]: (system_u) NO CONTEXT (/etc/crontab)
Jan  8 18:45:16 router /usr/sbin/cron[23390]: (root) ENTRYPOINT FAILED (crontabs/root
```

There are no relevant selinux permission errors in selinux.log (my selinux log file).

```
# ls -Z /etc/crontab && ls -Z /var/spool/cron/crontabs/root && ps x -Z | grep cron
-rw-r--r--  root     root     system_u:object_r:system_cron_spool_t /etc/crontab
-rw-------  root     root     system_u:object_r:sysadm_cron_spool_t /var/spool/cron/crontabs/root
system_u:system_r:crond_t           23390 ?        Ss     0:00 /usr/sbin/cron
```

----------

## Panard

If you want to use a root crontab (not system), you have to be in the staff_r context.

If you want to use a system crontab, do _not_ run crontab /etc/crontab (with vixie-cron) (if you have run crontab /etc/crontab before, run crontab -r to remove it), then:

```
$ chmod 0600 /etc/crontab
# Be sure that /etc/crontab is in the right format
# ( time user  command )
$ setfiles /etc/security/selinux/file_context /etc/crontab
# Restart vixie-cron to be sure.
```

----------
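
A lint for two of the preconditions listed in the post above (mode 0600 and the `time user command` layout of a system crontab), as an added example that is not part of the thread. The `KNOWN_USERS` override and the sample entries are constructed for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the thread): lint a vixie-cron *system* crontab.
# KNOWN_USERS is a hypothetical override: space-separated account names to
# accept instead of asking the local account database via `id -u`.
is_user() {
    if [ -n "${KNOWN_USERS:-}" ]; then
        case " $KNOWN_USERS " in *" $1 "*) return 0 ;; esac
        return 1
    fi
    id -u "$1" >/dev/null 2>&1
}

# Print "<line-number>: <reason>" for every entry that is not in
# "time user command" form; return 1 if anything was reported.
check_system_crontab() {
    file=$1 n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f   # split on whitespace, keep '*' literal
        case "${1:-}" in
            ''|'#'*) continue ;;              # blank line or comment
            [A-Za-z_]*=*) continue ;;         # VAR=value (no spaces around '=')
            @*) user=${2:-}; cmd=${3:-} ;;    # @daily user command
            *)  user=${6:-}; cmd=${7:-} ;;    # m h dom mon dow user command
        esac
        if [ -z "$cmd" ]; then
            echo "${n}: too few fields for 'time user command'"; bad=1
        elif ! is_user "$user"; then
            echo "${n}: field '$user' is not a user account"; bad=1
        fi
    done < "$file"
    return "$bad"
}

# Succeeds only if the file mode is exactly 600, the mode the fix above sets.
mode_is_0600() { [ "$(stat -c %a "$1")" = "600" ]; }

# Constructed sample: one entry without a user field, one with.
sample=$(mktemp)
printf '%s\n' 'SHELL=/bin/bash' \
    '0  *  * * *     rm -f /var/spool/cron/lastrun/cron.hourly' \
    '0  *  * * *     root  rm -f /var/spool/cron/lastrun/cron.hourly' > "$sample"
KNOWN_USERS=root
check_system_crontab "$sample" || true
rm -f "$sample"
```

The SELinux label itself still has to be checked on the target host with `ls -Z /etc/crontab`, as the posts in this thread do.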

## AppleMasher

Thanks, that solved it. I'm slowly getting the hang of selinux, time to do some more reading.

----------

## dashnu

I am in the same boat, cron will not run. I tried the above suggestions with no luck. Do you have any other ideas?

I am still in permissive mode.

Thanks

----------

## dashnu

Anyone?

----------

## pookey

I'm also having this issue:

```
Nov  2 14:13:48 xian cron[6294]: (CRON) STARTUP (V5.0)
Nov  2 14:13:48 xian cron[6294]: (system_u) NO CONTEXT (/etc/crontab)
```

```
# ls -laZ /etc/crontab
-rw-------  root     root     system_u:object_r:system_cron_spool_t /etc/crontab
```

Kind Regards,

Ian

----------

## pookey

Has anyone managed to solve this issue?

At the moment I'm having to manually run things when I remember to do it... which is not as frequently as it should be.

----------

## dashnu

 *pookey wrote:*   

> Has anyone managed to solve this issue?
> 
> At the moment I'm having to manually run things when I remember to do it... which is not as frequently as it should be 

 

I sure as hell have not. I wish we could get some help on this issue.

----------

## vladgrigorescu

A reboot did the trick for me.

----------

## dashnu

I found my error was partly related to ssh-ing into the box. I was not getting the correct context when starting daemons. So logging into the console and restarting services fixed it a bit... However, root's crontab will not run. Things in cron.d* run fine.

Still stuck.

----------

## njlg

I found that relabel allowed /etc/crontab to work:

```
# rlpkg -a
```

or at least, I did not get the following error in the vixie-cron log when I restarted the daemon:

 *Quote:*   

> (system_u) ENTRYPOINT FAILED (/etc/crontab)

 

----------

## HydraSwitch

It works for me when I'm in the user_r role and not otherwise.

Log in as the user you want your crontab to work as and run crontab -e as that user. You can see what role you're in with the 'id' command.

su to the user from root doesn't work.

----------

## fixinko

You must start/stop/restart apps while you are staff_u:sysadm_r:sysadm_t, otherwise you will not be able to start/stop them correctly, even if your selinux is in permissive mode.

----------

## mizery de aria

I tried this and it didn't resolve the issue for me.

```
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video) context=root:sysadm_r:sysadm_t
```

 *co je Jidda Sha Ti'l wrote:*   

> I found that relabel allowed /etc/crontab to work:
> 
> ```
> # rlpkg -a
> ```
> ...

 

 *Panard wrote:*   

> If you want to use a root crontab (not system), you have to be in the staff_r context.
> 
> If you want to use a system crontab, do _not_ run crontab /etc/crontab (with vixie-cron) (if you have run crontab /etc/crontab before, run crontab -r to remove it), then :
> 
> ...

 

```
# locate file_context|grep "^/etc/.*texts$"
/etc/selinux/targeted/modules/active/file_contexts
/etc/selinux/targeted/contexts/files/file_contexts
/etc/selinux/strict/modules/active/file_contexts
/etc/selinux/strict/contexts/files/file_contexts
```

Are there other steps to take to correctly resolve this issue?

Still in my /var/log/cron.log:

```
cron[10573]: (system_u) ENTRYPOINT FAILED (/etc/crontab)
```

Where does "system_u" come from?

```
# ls -alZ /etc/init.d/vixie-cron 
-rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 530 Sep 14 12:31 /etc/init.d/vixie-cron

# for i in `equery files vixie-cron`;do if test -f "$i";then ls -alZ $i;fi;done
-rw-r--r--. 1 root root system_u:object_r:system_cron_spool_t 0 Sep 14 12:31 /etc/cron.d/.keep_sys-process_vixie-cron-0
-rw-r--r--. 1 root root system_u:object_r:etc_t 220 Sep 14 12:31 /etc/cron.deny
-rw-------. 1 root root system_u:object_r:system_cron_spool_t 611 Sep 14 12:31 /etc/crontab
-rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 530 Sep 14 12:31 /etc/init.d/vixie-cron
-rw-r--r--. 1 root root system_u:object_r:etc_t 123 Sep 14 12:31 /etc/pam.d/cron
-rwxr-s--x. 1 root crontab system_u:object_r:crontab_exec_t 39272 Sep 14 12:31 /usr/bin/crontab
-rwxr-x---. 1 root wheel system_u:object_r:crond_exec_t 47400 Sep 14 12:31 /usr/sbin/cron
-rw-r--r--. 1 root root system_u:object_r:usr_t 4100 Sep 14 12:31 /usr/share/doc/vixie-cron-4.1-r10/CHANGES.bz2
-rw-r--r--. 1 root root system_u:object_r:usr_t 1721 Sep 14 12:31 /usr/share/doc/vixie-cron-4.1-r10/CONVERSION.bz2
-rw-r--r--. 1 root root system_u:object_r:usr_t 2045 Sep 14 12:31 /usr/share/doc/vixie-cron-4.1-r10/FEATURES.bz2
-rw-r--r--. 1 root root system_u:object_r:usr_t 8246 Sep 14 12:31 /usr/share/doc/vixie-cron-4.1-r10/MAIL.bz2
-rw-r--r--. 1 root root system_u:object_r:usr_t 1735 Sep 14 12:31 /usr/share/doc/vixie-cron-4.1-r10/README.bz2
-rw-r--r--. 1 root root system_u:object_r:usr_t 949 Sep 14 12:31 /usr/share/doc/vixie-cron-4.1-r10/THANKS.bz2
-rw-r--r--. 1 root root system_u:object_r:usr_t 367 Sep 14 12:31 /usr/share/doc/vixie-cron-4.1-r10/crontab.bz2
-rw-r--r--. 1 root root system_u:object_r:man_t 1655 Sep 14 12:31 /usr/share/man/man1/crontab.1.bz2
-rw-r--r--. 1 root root system_u:object_r:man_t 3700 Sep 14 12:31 /usr/share/man/man5/crontab.5.bz2
-rw-r--r--. 1 root root system_u:object_r:man_t 1916 Sep 14 12:31 /usr/share/man/man8/cron.8.bz2
-rw-r--r--. 1 root root unconfined_u:object_r:file_t 0 Sep 14 12:31 /var/spool/cron/crontabs/.keep_sys-process_vixie-cron-0

# ls -alZ /etc/crontab
-rw-------. 1 root root system_u:object_r:system_cron_spool_t 611 Sep 14 12:31 /etc/crontab
```

What can I do to give correct access/permission?

----------

