cron selinux security context issue - cron

My system is Fedora 23.
I'm trying to run a cron job in /etc/crontab that is blocked by SELinux.
* * * * sun,mon,tue,wed,thu,fri,sat root DISPLAY=:0 eog $HOME/Pictures/somepic.jpg
Context for the crontab:
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 2664 Jan 23 18:12 /etc/crontab
If I run SELinux in permissive mode, the job runs every time.
Here are the journal entries for crond in enforcing mode:
-- Logs begin at Wed 2016-01-20 10:40:21 PST. --
Jan 23 18:25:01 localhost.localdomain CROND[20342]: (root) CMDOUT (/bin/sh: root: command not found)
Jan 23 18:25:25 localhost.localdomain crond[938]: (CRON) INFO (Shutting down)
Jan 23 18:25:25 localhost.localdomain crond[18645]: (CRON) INFO (Syslog will be used instead of sendmail.)
Jan 23 18:25:25 localhost.localdomain crond[18645]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 12% if used.)
Jan 23 18:25:25 localhost.localdomain crond[18645]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:etc_t:s0 (/etc/crontab)
Jan 23 18:25:25 localhost.localdomain crond[18645]: (root) FAILED (loading cron table)
Jan 23 18:25:25 localhost.localdomain crond[18645]: (root) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/root)
Jan 23 18:25:25 localhost.localdomain crond[18645]: (root) FAILED (loading cron table)
Jan 23 18:25:25 localhost.localdomain crond[18645]: (CRON) INFO (running with inotify support)
Jan 23 18:25:25 localhost.localdomain crond[18645]: (CRON) INFO (#reboot jobs will be run at computer's startup.)
sebool settings:
cron_can_relabel --> off
cron_system_cronjob_use_shares --> off
cron_userdomain_transition --> on
fcron_crond --> off

I'm having the same issue. Had a crontab that worked great for a long time. Made an edit with crontab -e, and it stopped working. Tried as both root and a normal user. After some searching around, this is a currently known bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1263328
I tried the workaround listed in comment #19. It's working fine.
Create file mycron.cil with content:
(allow unconfined_t user_cron_spool_t (file (entrypoint)))
Then run:
semodule -i mycron.cil
Then restart cron:
systemctl restart crond.service
Comment 21 tells how to remove the workaround when a fix is issued.
Remove by running:
semodule -r mycron
and I assume restart cron again.

You need to change the type of the cron file under /var/spool/cron.
Try this to relabel the files that triggered the 'Unauthorized SELinux context' messages:
# semanage fcontext -a -t user_cron_spool_t "/var/spool/cron(/.*)?"
# restorecon -R -vv /var/spool/cron
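As an added example (not from any of the posts on this page), a Python triage of the two 'Unauthorized SELinux context' lines from the question: it pulls the file label and crond's domain out of each line and compares the label with the type the policy expects for that path, where the expected types are my assumption about the Fedora targeted policy, not something stated in the posts. A label that differs from the default points at the relabeling fix in the answer above; a label that already matches means relabeling cannot help and you are in the entrypoint situation the CIL workaround addresses.

```python
import re

# Constructed sample in the shape of the crond journal lines quoted in the question.
JOURNAL = """\
Jan 23 18:25:25 localhost.localdomain crond[18645]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:etc_t:s0 (/etc/crontab)
Jan 23 18:25:25 localhost.localdomain crond[18645]: (root) FAILED (loading cron table)
Jan 23 18:25:25 localhost.localdomain crond[18645]: (root) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_cron_spool_t:s0 (/var/spool/cron/root)
Jan 23 18:25:25 localhost.localdomain crond[18645]: (root) FAILED (loading cron table)
"""

# Assumption: default types the Fedora targeted policy gives these paths (matchpathcon).
EXPECTED_TYPE = {
    "/etc/crontab": "system_cron_spool_t",
    "/var/spool/cron/root": "user_cron_spool_t",
}

LINE_RE = re.compile(
    r"Unauthorized SELinux context=(?P<ctx>\S+) file_context=(?P<fctx>\S+) \((?P<path>[^)]+)\)"
)

def parse_unauthorized(journal: str) -> list[dict]:
    """One record per 'Unauthorized SELinux context' line: path, crond's domain, file type."""
    records = []
    for line in journal.splitlines():
        m = LINE_RE.search(line)
        if m:
            # A context is user:role:type[:range]; the type is the third field.
            records.append({"path": m["path"],
                            "domain": m["ctx"].split(":")[2],
                            "file_type": m["fctx"].split(":")[2]})
    return records

def triage(journal: str) -> dict[str, str]:
    """Map each rejected crontab to the remedy its label points at."""
    verdicts = {}
    for rec in parse_unauthorized(journal):
        path, expected = rec["path"], EXPECTED_TYPE.get(rec["path"])
        if expected is None:
            verdicts[path] = "unknown path: compare ls -Z with matchpathcon"
        elif rec["file_type"] != expected:
            # Wrong label: restorecon resets it to the policy default.
            verdicts[path] = f"mislabeled ({rec['file_type']}, expected {expected}): restorecon -v {path}"
        else:
            # Label already correct, so relabeling cannot help: crond refuses the domain's entrypoint.
            verdicts[path] = f"label ok ({expected}); {rec['domain']} lacks entrypoint on it"
    return verdicts

if __name__ == "__main__":
    for path, verdict in triage(JOURNAL).items():
        print(f"{path}: {verdict}")
```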

I was trying this to shut down my RHEL 7.3 server automatically at 11:00 pm daily through a cron job in /etc/crontab.
I faced a similar issue, and SELinux did not allow the job to run.
However, I got the solution by creating a new crontab file in /etc/cron.d/, and the cron job successfully executed and shut down the system at the defined time from the /etc/cron.d/crontab file.
I got the solution from the RHEL page below, point 24.1.2 "Scheduling a Cron Job":
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-automating_system_tasks

Related

Apache2: Failed to set up mount namespacing: Permission denied

I have a VPS server with Debian 10. I want to start Apache2 with the option PrivateTmp=true.
But on start it fails with the error: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied.
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2020-11-27 17:17:43 CET; 5s ago
Docs: https://httpd.apache.org/docs/2.4/
Process: 523 ExecStart=/usr/sbin/apachectl start (code=exited, status=226/NAMESPACE)
Nov 27 17:17:43 5091-server systemd[1]: Starting The Apache HTTP Server...
Nov 27 17:17:43 5091-server systemd[523]: apache2.service: Failed to set up mount namespacing: Permission denied
Nov 27 17:17:43 5091-server systemd[523]: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied
Nov 27 17:17:43 5091-server systemd[1]: apache2.service: Control process exited, code=exited, status=226/NAMESPACE
Nov 27 17:17:43 5091-server systemd[1]: apache2.service: Failed with result 'exit-code'.
Nov 27 17:17:43 5091-server systemd[1]: Failed to start The Apache HTTP Server.
I checked the permissions for tmp:
root#5091-server:~# ls -ld /tmp
drwxrwxrwt 8 root root 4096 Nov 27 17:17 /tmp
root#5091-server:~# ls -ld /var/tmp
drwxrwxrwt 2 root root 4096 Nov 27 17:17 /var/tmp
Any idea which permissions are wrong?
This can work...
sudo sed -i -e 's,PrivateTmp=true,PrivateTmp=false\nNoNewPrivileges=yes,g' /lib/systemd/system/apache2.service
sudo systemctl daemon-reload
sudo systemctl start apache2.service
sudo systemctl status apache2.service
This is related to new systemd security features (v220+?) conflicting with unprivileged LXC containers like the ones inside Proxmox.
Edit the apache config (the clean way):
sudo systemctl edit apache2.service
Add this to disable the new systemd security features (they affect LXC containers like the ones inside Proxmox):
[Service]
PrivateDevices=false
PrivateTmp=false
ProtectControlGroups=false
ProtectKernelModules=false
ProtectSystem=false
Maybe only these are necessary:
ProtectHome=false
ProtectSystem=false
Then
sudo systemctl start apache2.service
sudo systemctl status apache2.service # Just to check the output
I saw this on apache2 and memcached. Also with systemd-logind. In this last case SSH connection speed was affected. ssh -vvv was stuck on debug1: pledge: filesystem (without VPN), and debug1: pledge: network (with VPN). As mentioned here and here, the problem is solved by enabling nesting (also here) on the Proxmox containers.
Probably simply enabling the "nesting" feature for the container (if it is unprivileged) will allow systemd to make use of its namespacing features.
Related
Nested containers in LXD | Ubuntu
Roadmap - Proxmox VE 7.1 The real fix is to upgrade host?
Failed to reset devices.list...Operation not permitted · Issue #2004 · lxc/lxd

CentOS 7 - boot order needs to be changed in order for sge to start automatically

It seems like sge tries to start before lustre is mounted when the server boots, which causes an error when it tries to start automatically after a reboot.
Can somebody tell me how to change the order at boot, so sge starts after lustre is mounted?
Error message from the log:
Aug 12 11:46:21 dragen1 systemd: Configuration file /usr/lib/systemd/system/sge_execd.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Aug 12 11:46:40 dragen1 sge_execd: error: SGE_ROOT directory "/cm/shared/apps/sge/2011.11p1" doesn't exist
Aug 12 11:46:40 dragen1 systemd: sge_execd.service: control process exited, code=exited status=1
Aug 12 11:46:40 dragen1 systemd: Unit sge_execd.service entered failed state.
Aug 12 11:46:40 dragen1 systemd: sge_execd.service failed
I added the following under [Unit] in the sge service:
RequiresMountsFor=(Mount Point)
This fixed the problem.

Error in starting postgresql service in linux through command line

I was starting the postgresql service with
systemctl start postgresql.service
It raised an error as below:
Job for postgresql.service failed. See "systemctl status postgresql.service" and "journalctl -xn" for details.
Please help, how do I start the service through the command line in Linux?
Output of journalctl -xn:
osboxes:/home/osboxes # journalctl -xn
-- Logs begin at Wed 2015-04-08 10:08:38 BST, end at Tue 2016-03-22 14:15:07 GMT. --
Mar 22 14:09:03 osboxes wickedd[824]: eno16777760: Notified neighbours about IP address 192.168
Mar 22 14:09:03 osboxes wickedd[824]: route ipv4 0.0.0.0/0 via 192.168.182.2 dev eno16777760 ty
Mar 22 14:09:04 osboxes wickedd[824]: Skipping hostname update, none available
Mar 22 14:15:01 osboxes cron[9120]: pam_unix(crond:session): session opened for user root by (u
Mar 22 14:15:01 osboxes systemd[9121]: pam_unix(systemd-user:session): session opened for user
Mar 22 14:15:01 osboxes CRON[9120]: pam_unix(crond:session): session closed for user root
Mar 22 14:15:01 osboxes systemd[9122]: pam_unix(systemd-user:session): session closed for user
Mar 22 14:15:07 osboxes postgresql[9160]: Initializing PostgreSQL 9.3.11 at location ~postgres/
Mar 22 14:15:07 osboxes postgresql[9160]: ..failed
Mar 22 14:15:07 osboxes postgresql[9160]: You can find a log of the initialisation in ~postgres

I want to know if my server was shut down and the time it shut down

I have an HP server with Ubuntu Server.
I want to know if my server was shut down, and the time at which it shut down.
Is there a way to know this from the logs of my server?
You can try the last reboot command to get some basic information about the most recent reboots and the uptime between them.
# last reboot
reboot system boot 2.6.32-431.3.1.e Fri Mar 14 07:02 - 01:51 (8+18:49)
reboot system boot 2.6.32-431.3.1.e Sun Feb 16 02:15 - 06:59 (26+03:44)
reboot system boot 2.6.32-431.3.1.e Sun Jan 26 16:21 - 06:59 (46+13:38)
reboot system boot 2.6.32-358.11.1. Sun Oct 13 18:53 - 16:18 (104+22:25)
reboot system boot 2.6.32-358.11.1. Sun Oct 6 10:10 - 18:50 (7+08:40)
reboot system boot 2.6.32-358.11.1. Sat Jun 29 09:28 - 10:06 (99+00:38)
reboot system boot 2.6.32-358.11.1. Sat Jun 29 09:06 - 09:25 (00:19)
reboot system boot 2.6.32-358.6.2.e Sat Jun 29 08:46 - 09:01 (00:15)
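Added example, not part of the answer: a Python parser for `last reboot` rows like the ones above that recovers the shutdown date from the boot time plus the bracketed uptime (`last` prints only a clock time for the end) and flags rows where the printed end clock disagrees with the computed one. The newest row's year is supplied by the caller as an assumption, because `last` omits it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the `last reboot` output shown in the answer.
LAST_OUTPUT = """\
reboot system boot 2.6.32-431.3.1.e Fri Mar 14 07:02 - 01:51 (8+18:49)
reboot system boot 2.6.32-431.3.1.e Sun Feb 16 02:15 - 06:59 (26+03:44)
reboot system boot 2.6.32-358.11.1. Sun Oct 13 18:53 - 16:18 (104+22:25)
reboot system boot 2.6.32-358.11.1. Sat Jun 29 09:06 - 09:25 (00:19)
"""

ROW_RE = re.compile(
    r"reboot\s+system boot\s+\S+\s+\w{3}\s+(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<boot>\d\d:\d\d)"
    r"\s+-\s+(?P<end>\d\d:\d\d|still running|down|crash)\s*(?:\((?P<dur>[^)]*)\))?"
)

def parse_duration(text: str) -> timedelta:
    """'8+18:49' -> 8 days 18 h 49 min; '00:19' -> 19 min."""
    days, _, clock = text.rpartition("+")
    hours, minutes = (int(x) for x in clock.split(":"))
    return timedelta(days=int(days or 0), hours=hours, minutes=minutes)

def reboot_timeline(output: str, newest_year: int) -> list[dict]:
    """Boot/shutdown datetimes from newest-first `last reboot` rows. `last` omits the
    year, so the caller supplies the newest row's year (an assumption); a row whose
    month is later than the one above it belongs to the previous year."""
    year, prev_month, rows = newest_year, 13, []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        month = datetime.strptime(m["mon"], "%b").month
        if month > prev_month:
            year -= 1
        prev_month = month
        hour, minute = (int(x) for x in m["boot"].split(":"))
        boot = datetime(year, month, int(m["day"]), hour, minute)
        if not m["dur"] or not re.fullmatch(r"\d\d:\d\d", m["end"]):
            rows.append({"boot": boot, "shutdown": None, "note": m["end"]})
            continue
        shutdown = boot + parse_duration(m["dur"])
        # `last` prints wall-clock times but the duration is elapsed time, so a
        # DST change inside the uptime shows up as a one-hour mismatch here.
        note = "ok" if shutdown.strftime("%H:%M") == m["end"] else "clock shift (DST?)"
        rows.append({"boot": boot, "shutdown": shutdown, "note": note})
    return rows
```

The computed date is what answers the question; a one-hour disagreement in the clock is expected whenever the uptime spans a DST change.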

(13)Permission denied: access to /cgi-bin/test.cgi denied

I am trying out CGI scripts for the first time but without success. I have read many tutorials and followed many threads in different forums but I cannot make it work.
I am using an Apache web server on a Fedora 10 machine.
I always have a problem with:
[Wed Oct 21 20:47:36 2009] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Oct 21 20:47:36 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Oct 21 20:47:36 2009] [notice] Digest: generating secret for digest authentication ...
[Wed Oct 21 20:47:36 2009] [notice] Digest: done
[Wed Oct 21 20:47:36 2009] [notice] Apache/2.2.11 (Unix) DAV/2 PHP/5.2.9 mod_ssl/2.2.11 OpenSSL/0.9.8g configured -- resuming normal operations
I need help.
This is what my environment looks like.
uname -a
Linux localhost.localdomain 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686 i386 GNU/Linux
ls -l /var/www/cgi-bin/
total 36
-rwxrwxrwx 1 root root 106 2009-10-21 18:29 index.html
-rwxr-xr-x 1 root root 11089 2009-02-24 20:11 squidGuard.cgi
-rwxr-xr-x 1 root root 5720 2009-02-24 20:11 squidGuard-simple.cgi
-rwxr-xr-x 1 root root 5945 2009-02-24 20:11 squidGuard-simple-de.cgi
-rwxrwxrwx 1 root root 110 2009-10-21 17:38 test.cgi
apachectl -v
Server version: Apache/2.2.11 (Unix)
Server built: Mar 6 2009 09:12:25
perl -version
This is perl, v5.10.0 built for i386-linux-thread-multi
Copyright 1987-2007, Larry Wall
My script
cat test.cgi
#!/usr/bin/perl
print "Content-Type: text/html\n\n";
print "Hello, world!\n";
The error message I get when I try to access the web page at "http://192.168.50.29/cgi-bin/test.cgi" looks like this:
[Wed Oct 21 21:00:27 2009] [error] [client 192.168.50.69] (13)Permission denied: access to /cgi-bin/test.cgi denied
I have added the line:
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
to /etc/httpd/conf/httpd.conf
I just cannot make it work.
Can anyone help me?
Check your OS permissions for test.cgi and be sure the user or group you are using to run your Apache has read access.
EDIT - The problem is with permissions, but not with read permissions: as you are using SELinux, you need to worry about your file context. Check this thread at the Fedora forums; it explains quite a few options to solve your problem.
1. FIRST CHECK THE HTTPD.CONF FILE. Set the script directory as follows in httpd.conf.
Here you'd need to make sure you find the right httpd.conf file. For example, in my Debian, the default httpd.conf is /etc/apache2/sites-available/default.
<Directory "dir_name">
Options All
AllowOverride All
Order allow,deny
Allow from all
</Directory>
OR you could just use the default /cgi-bin folder.
2. Set the execute permission for the test script.
chmod +x script_name
Check your fstab to see if the mounted filesystem has permission to execute:
UUID=xxx-xxx-xxx-xx-xx /mnt/mountpoint ext4 rw,user,exec 0 0
The exec part is important.
SELinux prevented Apache from accessing the cgi script in my case.
A quick-n-dirty fix that worked for me was turning off SELinux:
vim /etc/sysconfig/selinux
set "SELINUX=disabled"
reboot