SElinux prevent cron from running Centos 7

linux centos cron selinux

10,157

Solution 1

So you need to change the type of the cron file under var/spool/cron

Try this:

# chcon -t user_cron_spool_t /var/spool/cron/teamspeak3-user

Take a look here for more info:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html

Solution 2

IMO chcon is a quick fix. It would be better to set it as rules by semanage:

# semanage fcontext -a -t user_cron_spool_t "/var/spool/cron(/.*)?"
# restorecon -R -vv /var/spool/cron

It will survive any system update and auto applied to new users's cronjob.

Solution 3

I was trying this for shutting down my rhel 7.3 server automatically at 11:00 pm daily through cron job in /etc/crontab. I faced the similar issue and selinux did not allowed to run the job.

However I got the solution by creating a new crontab file in /etc/cron.d/ and the cron job successfully executed and shutdown the system on defined time in /etc/cron.d/crontab file.

I got solution from below RHEL page on point 24.1.2 Scheduling a Cron Job""

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-automating_system_tasks

10,157

Resurectionx

Updated on September 18, 2022

Comments

Resurectionx over 1 year
I was using a cronjob to start a script that will trigger my teamspeak on reboot

It was working fine for a while until i activated Selinux the cron dont work anymore

I have this error on the cron logs :
```
Aug  2 16:14:21 Manu crond[683]: (teamspeak3-user) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=system_u:object_r:unlabeled_t:s0 (/var/spool/cron/teamspeak3-user)
Aug  2 16:14:21 Manu crond[683]: (teamspeak3-user) FAILED (loading cron table)
```
I searched on the web and some people are talking about a known bug and a work around that dind't work for me.

Help please.

Info Added :
```
ls -lZ /var/spool/cron/teamspeak3-user

-rw-------. teamspeak3-user teamspeak3-user system_u:object_r:unlabeled_t:s0 /var/spool/cron/teamspeak3-user
```
- ebal almost 8 years
  
  What is the output of: ls -lZ /var/spool/cron/teamspeak3-user
- Resurectionx almost 8 years
  
  Output added up
Resurectionx almost 8 years

BravO Sir, It worked like a Charm
cazort over 2 years

I'm on Rocky Linux (Roughly Like Centos 8) and the user crontabs are assigned this context by default, at least if you load them using the crontab command line, which I did. Perhaps is the OP's problem a function of activating SELinux after setting up the user's crontab? I am curious about this because I want to know when I need to check this manually vs. not.
cazort over 2 years

Also, a note on the chcon command, this is for temporary changes only, and these changes will not persist on a reboot (or any other event that triggers reset of file context, such as restorecon -R run on any parent directory) To this end you need a permanent policy change, i.e. semanage fcontext -a -t user_cron_spool_t /var/spool/cron/teamspeak3-user. Again, the way I set up my system this policy was already set up when I created the crontab so it was not necessary for me to run this. I'm curious why in your system it didn't happen this way.
cazort over 2 years

If I were you I would check the SELinux context on the parent directory, /var/spool/cron as in the absence of other policies, files created in a directory will inherent their context from the parent, so if the context is not set correctly on that directory this problem will reoccur if you ever create crontabs for other users.
cazort over 2 years

chcon is for temporary changes only, see the solution by @Tomofumi for a longer-term solution.