SElinux prevent cron from running Centos 7
Solution 1
So you need to change the type of the cron file under var/spool/cron
Try this:
# chcon -t user_cron_spool_t /var/spool/cron/teamspeak3-user
Take a look here for more info:
Solution 2
IMO chcon
is a quick fix. It would be better to set it as rules by semanage:
# semanage fcontext -a -t user_cron_spool_t "/var/spool/cron(/.*)?"
# restorecon -R -vv /var/spool/cron
It will survive any system update and auto applied to new users's cronjob.
Solution 3
I was trying this for shutting down my rhel 7.3 server automatically at 11:00 pm daily through cron job in /etc/crontab. I faced the similar issue and selinux did not allowed to run the job.
However I got the solution by creating a new crontab file in /etc/cron.d/ and the cron job successfully executed and shutdown the system on defined time in /etc/cron.d/crontab file.
I got solution from below RHEL page on point 24.1.2 Scheduling a Cron Job""
Related videos on Youtube
Resurectionx
Updated on September 18, 2022Comments
-
Resurectionx over 1 year
I was using a cronjob to start a script that will trigger my teamspeak on reboot
It was working fine for a while until i activated Selinux the cron dont work anymore
I have this error on the cron logs :
Aug 2 16:14:21 Manu crond[683]: (teamspeak3-user) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=system_u:object_r:unlabeled_t:s0 (/var/spool/cron/teamspeak3-user) Aug 2 16:14:21 Manu crond[683]: (teamspeak3-user) FAILED (loading cron table)
I searched on the web and some people are talking about a known bug and a work around that dind't work for me.
Help please.
Info Added :
ls -lZ /var/spool/cron/teamspeak3-user -rw-------. teamspeak3-user teamspeak3-user system_u:object_r:unlabeled_t:s0 /var/spool/cron/teamspeak3-user
-
ebal almost 8 yearsWhat is the output of: ls -lZ /var/spool/cron/teamspeak3-user
-
Resurectionx almost 8 yearsOutput added up
-
-
Resurectionx almost 8 yearsBravO Sir, It worked like a Charm
-
cazort over 2 yearsI'm on Rocky Linux (Roughly Like Centos 8) and the user crontabs are assigned this context by default, at least if you load them using the
crontab
command line, which I did. Perhaps is the OP's problem a function of activating SELinux after setting up the user's crontab? I am curious about this because I want to know when I need to check this manually vs. not. -
cazort over 2 yearsAlso, a note on the
chcon
command, this is for temporary changes only, and these changes will not persist on a reboot (or any other event that triggers reset of file context, such asrestorecon -R
run on any parent directory) To this end you need a permanent policy change, i.e.semanage fcontext -a -t user_cron_spool_t /var/spool/cron/teamspeak3-user
. Again, the way I set up my system this policy was already set up when I created the crontab so it was not necessary for me to run this. I'm curious why in your system it didn't happen this way. -
cazort over 2 yearsIf I were you I would check the SELinux context on the parent directory,
/var/spool/cron
as in the absence of other policies, files created in a directory will inherent their context from the parent, so if the context is not set correctly on that directory this problem will reoccur if you ever create crontabs for other users. -
cazort over 2 years
chcon
is for temporary changes only, see the solution by @Tomofumi for a longer-term solution.