Bug 257111 - sys-process/vixie-cron + selinux - cron[4387]: (root) ENTRYPOINT FAILED (crontabs/root)
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: AMD64 Linux
Importance: High normal
Assignee: SE Linux Bugs
Reported: 2009-01-31 16:21 UTC by Sergey Galkin
Modified: 2011-07-22 11:11 UTC

Description Sergey Galkin 2009-01-31 16:21:59 UTC
1. After crontab -e (as root) I have
Jan 31 15:52:32 proxy crontab[13171]: (root) END EDIT (root)
Jan 31 15:53:01 proxy cron[4296]: (root) ENTRYPOINT FAILED (crontabs/root)
2. After reboot I have
ps axZ | grep cron
system_u:system_r:crond_t        4387 ?        Ss     0:00 /usr/sbin/cron
3. After /etc/init.d/vixie-cron restart I have
ps axZ | grep cro
user_u:user_r:user_t /usr/sbin/cron
cron[15469]: (CRON) STARTUP (V5.0)
cron[15469]: (system_u) NO CONTEXT (/etc/crontab)
cron does not work

Only /etc/crontab works after reboot


Reproducible: Always

Steps to Reproduce:
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-02 05:09:03 UTC
Please post your `emerge --info' and also describe the problem better.
Comment 2 Sergey Galkin 2009-02-03 04:58:37 UTC
The problem is with user crontabs. If I edit a user crontab
(crontab -e), I get this message in the log:
cron[4387]: (root) ENTRYPOINT FAILED (crontabs/root)
and the user crontab does not work (but crontab -l lists the commands).
If I edit the file /etc/crontab, I get these messages in the log:
cron[4387]: (system_u) RELOAD (/etc/crontab)
cron[4387]: (root) ENTRYPOINT FAILED (crontabs/root)
and only /etc/crontab works.
If I restart cron (/etc/init.d/vixie-cron restart), I get these messages:
cron[3634]: (CRON) STARTUP (V5.0)
cron[3634]: (system_u) NO CONTEXT (/etc/crontab)
cron[3634]: (root) ENTRYPOINT FAILED (crontabs/root)
and none of the crontabs work; only a reboot helps.

Output of the ps -auxZ command
after reboot:
system_u:system_r:crond_t       root      4387  0.0  0.0  18552   892 ?        Ss   Jan31   0:00 /usr/sbin/cron

and after /etc/init.d/vixie-cron restart
user_u:user_r:user_t            root      3655  0.0  0.0   3944   612 pts/0    R+   07:53   0:00 grep --colour=auto cron

Portage 2.1.6.7 (selinux/2007.0/amd64/hardened, gcc-4.1.2, glibc-2.9_p20081201-r1, 2.6.27-hardened-r4 x86_64)
=================================================================
System uname: Linux-2.6.27-hardened-r4-x86_64-Intel-R-_Core-TM-2_Duo_CPU_E6550_@_2.33GHz-with-glibc2.2.5
Timestamp of tree: Sat, 31 Jan 2009 15:00:14 +0000
app-shells/bash:     3.2_p48
dev-lang/python:     2.4.4-r15, 2.5.4-r1
sys-apps/baselayout: 1.12.12
sys-apps/sandbox:    1.3.2
sys-devel/autoconf:  2.63
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.19
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.28-r1
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=nocona -pipe "
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=nocona -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs confcache distcc distlocks fixpackages loadpolicy parallel-fetch protect-owned selinux sesandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS=""
LINGUAS="ru"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl amd64 apache2 authdaemond berkdb bzip2 cli courier cracklib crypt ctype dri fortran gd gdbm gpm graphviz hardened iconv imap isdnlog midi mmx mudflap mysql ncurses nls nptl nptlonly openmp openssh pam pcre perl pppd python readline reflection sasl screen selinux session slang spell spl sse sse2 ssl tcpd udev unicode userlocales vhosts vim-syntax xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x 	ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 	trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="ru" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 intel mach64 	mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis 	sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-05 15:54:44 UTC
Do you use any ACLs?
Comment 4 daljeet 2009-04-21 16:35:01 UTC
(In reply to comment #3)
> Do you use any ACLs?
> 

Hi, I have the same problem.

Apr 21 17:28:49 daljeetdesigns cron[2880]: (CRON) STARTUP (V5.0)
Apr 21 17:28:49 daljeetdesigns cron[2880]: (system_u) ENTRYPOINT FAILED (/etc/crontab)
Apr 21 17:28:49 daljeetdesigns cron[2880]: (root) ENTRYPOINT FAILED (crontabs/root)

daljeetdesigns daljeet # ps axZ | grep cron
system_u:system_r:local_login_t  2880 ?        Ss     0:00 /usr/sbin/cron
staff_u:staff_r:staff_t          3031 pts/0    S+     0:00 grep --colour=auto cron

Portage 2.1.6.7 (selinux/2007.0/x86/hardened, gcc-4.1.2, glibc-2.8_p20080602-r1, 2.6.28-hardened-r7-daljeetdesigns.co.uk i686)
=================================================================
System uname: Linux-2.6.28-hardened-r7-daljeetdesigns.co.uk-i686-Intel-R-_Pentium-R-_4_CPU_2.60GHz-with-glibc2.0
Timestamp of tree: Tue, 21 Apr 2009 15:00:17 +0000
distcc 3.0 i686-pc-linux-gnu [disabled]
app-shells/bash:     3.2_p39
dev-lang/python:     2.4.4-r14, 2.5.2-r7
dev-python/pycrypto: 2.0.1-r8
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.63
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86 ~x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages loadpolicy parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS=""
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow X alsa apache2 ares berkdb cgi cli cracklib crypt ctype cups curl curlwrappers dedicated dri filter fortran gdbm geoip gif gpm hardened hub iconv imagemagick ipv6 isdnlog jpeg mailwrapper midi milter mmx mudflap mysql ncurses nls nptl nptlonly opengl openmp pam pcre perl php pic png ppds pppd prefixaq proxy proxy_http readline reflection samba sasl selinux session simplexml spl ssl symlink tcpd tiff truetype unicode vhosts win32codecs x86 xml xml2 xmlreader xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 	emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m 	maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default  authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user  autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter  file_cache filter headers include info log_config logio mem_cache mime mime_magic  negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias  proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt intel 	mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage 	siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware 	voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 5 Steve Yin 2010-08-11 05:20:06 UTC
Confirmed, I have this error too.
I'm using the refpolicy v2 profile.
Comment 6 Mizery De Aria 2010-09-18 18:16:21 UTC
I am also experiencing a related issue and was directed to add here by gizmo of #gentoo-hardened

I reemerged vixie-cron and was unable to start it due to:

# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video) context=root:sysadm_r:sysadm_t

# /etc/init.d/vixie-cron restart
Authenticating root.
Password: 
 * Stopping vixie-cron ...      [ ok ]
 * Starting vixie-cron ...      [ ok ]

/var/log/cron.log:
Sep 18 14:02:00 bitcoin cron[17667]: (CRON) STARTUP (V5.0)
Sep 18 14:02:00 bitcoin cron[17667]: (system_u) ENTRYPOINT FAILED (/etc/crontab)

# ls -alZ /etc/crontab
-rw-r--r--. 1 root root system_u:object_r:system_cron_spool_t 611 Sep 18 13:55 /etc/crontab

# ls -alZ /var/spool/cron/
total 36
drwxr-x---. 4 root cron    system_u:object_r:cron_spool_t 4096 Sep 14 10:44 .
drwxr-xr-x. 4 root root    system_u:object_r:var_spool_t  4096 Apr  3  2009 ..
-rw-r--r--. 1 root root    unconfined_u:object_r:file_t      0 Sep 14 10:44 .keep_sys-process_cronbase-0
drwx-wx--T. 2 root crontab system_u:object_r:cron_spool_t 4096 Sep 18 13:55 crontabs
drwxr-x---. 2 root root    system_u:object_r:crond_tmp_t  4096 Sep 14 10:44 lastrun

# ps auxZ|grep cron
system_u:system_r:crond_t       root     17744  0.0  0.1  11932   552 ?        Ss   14:09   0:00 /usr/sbin/cron

emerge --info: http://pastebin.com/uxY2057u

# uname -a
Linux bitcoin 2.6.32-hardened-r16 #1 SMP Tue Sep 14 09:10:16 EDT 2010 x86_64 Intel(R) Xeon(R) CPU L5335 @ 2.00GHz GenuineIntel GNU/Linux

# eselect profile list
 [15]  selinux/v2refpolicy/amd64/hardened *

eix -I selinux: http://pastebin.com/LUyinfC2
Comment 7 Chris Richards 2010-09-22 20:45:55 UTC
This appears to be a bug in the SELinux v2ref policies. Pebenito, can you please reassign this to the selinux team?
Comment 8 Steve Arnold archtester gentoo-dev 2010-10-12 06:44:10 UTC
Bump... 

Same issue here on a new-ish hardened box:

Portage 2.1.8.3 (selinux/v2refpolicy/amd64/hardened, gcc-4.4.4, glibc-2.11.2-r0, 2.6.34-hardened-r6 x86_64)
=================================================================
System uname: Linux-2.6.34-hardened-r6-x86_64-AMD_Sempron-tm-_Processor_3400+-with-gentoo-2.0.1
Timestamp of tree: Mon, 11 Oct 2010 09:45:02 +0000
ccache version 2.4 [enabled]
app-shells/bash:     4.1_p7
dev-java/java-config: 2.1.11
dev-lang/python:     2.6.5-r3, 3.1.2-r4
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.3
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.3.4, 4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe -floop-interchange -floop-strip-mine -floop-block"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=athlon64 -O2 -pipe -floop-interchange -floop-strip-mine -floop-block"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests buildpkg ccache distlocks fixpackages loadpolicy news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="XXXX/gentoo/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en_US en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://XXXX/gentoo-portage"
USE="X acpi amd64 apache2 berkdb bzip2 caps cli cracklib crypt cups curl cxx dbus dejavu dri expat fam foomaticdb fortran gd gdbm gmp gnutls gpm graphviz gs hal hardened hardenedphp iconv imlib innodb ipv6 java jbig jpeg jpeg2k lm_sensors logrotate modules mudflap ncurses nls openmp pam pcre perl php pic png postgres ppds pppd python readline reflection sasl selinux session snmp spamassassin spell sqlite ssl tcpd threads tiff truetype unicode usb xorg zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="directory canon casio fuji kodak polaroid ptp2 samsung spca50x" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_US en" PHP_TARGETS="php-5.2" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev v4l vesa radeon nv" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 9 Paul Kronenwetter 2010-10-16 16:10:05 UTC
It's also not limited to vixie-cron.  I'm seeing the same behavior from fcron.

Oct 16 12:05:28 phenom fcron[9523]: fcron[9523] 3.0.6 started
Oct 16 12:05:28 phenom fcron[9523]: updating configuration from /var/spool/fcron
Oct 16 12:05:28 phenom fcron[9523]: adding new file systab
Oct 16 12:05:28 phenom fcron[9523]: ENTRYPOINT FAILED for user "systab" (CONTEXT system_u:system_r:logrotate_t) for file CONTEXT system_u:object_r:system_cron_spool_t

emerge --info: http://pastebin.com/ajfiSQyJ
Comment 10 Paul Kronenwetter 2010-11-06 14:56:44 UTC
Ok - Pebenito can you give some guidance on how to create the SELinux policy adjustment?  Fedora core 13 doesn't appear to have this problem...  What should we look for when comparing the two policies?
Comment 11 Thilo Bangert (RETIRED) gentoo-dev 2010-11-07 18:50:54 UTC
Fedora 13 does not use vixie-cron. They use cronie - their maintained fork of vixie-cron. cronie is in portage but currently lacks selinux support. I'd love for the selinux support in cronie to be enabled, but since I don't use it myself I'd need help here...

thanks
Comment 12 Paul Kronenwetter 2010-11-07 22:54:57 UTC
Well, that's embarrassing...  :)
I'd still take some guidance...  I've also experienced this problem when SELinux is in permissive mode.
Comment 13 Paul Kronenwetter 2010-12-15 03:41:46 UTC
I've reasoned through a workaround.  Since the problem is generally with the system_u "user," moving the desired cron jobs to the normal root cron, the one in /var/spool/cron/cronjobs works as expected.  So I've emptied out the /etc/crontabs and /etc/cron.d/ directories and most everything is happy... 

At least now I can wait for someone to figure out the real solution.
Comment 14 Chris Richards 2011-01-05 03:50:22 UTC
This APPEARS to be resolved with the latest refpolicy (2.20101213), at least on my testing machine.

Could someone else test this?  We have testing ebuilds in the hardened-dev overlay.
Comment 15 Paul Kronenwetter 2011-01-14 23:45:19 UTC
I'm still seeing:
Jan 14 18:42:28 phenom cron[24806]: (CRON) STARTUP (V5.0)
Jan 14 18:42:28 phenom cron[24806]: (system_u) ENTRYPOINT FAILED (/etc/crontab)
in the logs...


# equery list selinux-
FEATURES variable contains unknown value(s): loadpolicy
[ Searching for package 'selinux-' in all categories among: ]
 * installed packages
[I--] [ ~] sec-policy/selinux-base-policy-2.20101213-r3 (0)
[I--] [ ~] sec-policy/selinux-dhcp-2.20101213 (0)
[I--] [ ~] sec-policy/selinux-distcc-2.20101213 (0)
[I--] [ ~] sec-policy/selinux-logrotate-2.20101213 (0)
[I--] [ ~] sec-policy/selinux-ntp-2.20101213 (0)
[I--] [ ~] sec-policy/selinux-portmap-2.20101213 (0)
[I--] [ ~] sec-policy/selinux-screen-2.20101213 (0)
[I--] [ ~] sec-policy/selinux-snmpd-2.20101213 (0)
[I--] [ ~] sec-policy/selinux-sudo-2.20101213-r1 (0)
Comment 16 Sven Vermeulen 2011-01-29 12:25:42 UTC
First of all, definitely upgrade vixie-cron to at least 4.1-r11. That should fix the problem that end user crontabs aren't loaded (with the ENTRYPOINT FAILED error).

Next, edit /etc/selinux/strict/contexts/default_contexts so that the line:

system_r:crond_t        user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_crond_t unconfined_r:unconfined_cronjob_t

reads

system_r:crond_t        user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t

Reason: the default context from crond_t for system_u should be system_cronjob_t. The currently provided default context file uses system_crond_t but that's an alias which doesn't seem to be loaded/available. As such, the default context is a somewhat random domain to which crond_t is allowed to transition...

Can you verify if this is indeed a proper fix for your situation?
Comment 17 Paul Kronenwetter 2011-02-02 03:03:03 UTC
Yep, that did it.  Between the new vixie-cron, which I already had, the new policy 2-20101213, and the last tweak to change the default context, it works again.  Now to get all the changes into mainstream portage... :)

Thanks!
Comment 18 Sven Vermeulen 2011-04-16 09:13:59 UTC
The fix should be in selinux-base-policy-2.20101213-r5 and higher (which is already available in the main tree in ~arch).
Comment 19 Sven Vermeulen 2011-04-20 18:52:30 UTC
If one is still experiencing this problem, please also give the output of "getseuser system_u system_u:system_r:crond_t" (it should give "system_u:system_r:system_cronjob_t")
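
The default_contexts check from Comment 16, as an added example that is not part of the original bug thread: a small shell audit that reads a default_contexts file and reports whether the system_r:crond_t line still lists the stale system_r:system_crond_t alias or the corrected system_r:system_cronjob_t entry. The function names and exit codes are hypothetical, the sample lines are constructed from the two lines quoted in Comment 16, and the non-MLS line format shown there is assumed.

```shell
#!/bin/sh
# Added example (not from the bug thread): audit the crond_t line of an
# SELinux default_contexts file for the stale system_crond_t alias.

# check_crond_default_context FILE
# Prints a one-word verdict and returns:
#   0 "ok"         crond_t line lists system_r:system_cronjob_t
#   1 "alias"      crond_t line still lists system_r:system_crond_t
#   2 "missing"    no crond_t line, or neither entry present on it
#   3 "unreadable" file cannot be read
check_crond_default_context() {
    file=$1
    [ -r "$file" ] || { echo unreadable; return 3; }
    awk '
        /^[ \t]*#/ { next }                    # skip comment lines
        $1 == "system_r:crond_t" {             # line keyed on the cron daemon domain
            for (i = 2; i <= NF; i++) {
                if ($i == "system_r:system_cronjob_t") good = 1
                if ($i == "system_r:system_crond_t")   stale = 1
            }
        }
        END {
            if (stale) { print "alias"; exit 1 }
            if (good)  { print "ok"; exit 0 }
            print "missing"; exit 2
        }
    ' "$file"
}

# make_sample before|after FILE
# Writes a constructed one-line sample: the line as quoted in Comment 16
# before the edit ("before") or after it ("after").
make_sample() {
    case $1 in
        before) target=system_r:system_crond_t ;;
        after)  target=system_r:system_cronjob_t ;;
        *) return 64 ;;
    esac
    printf 'system_r:crond_t        user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t %s unconfined_r:unconfined_cronjob_t\n' \
        "$target" > "$2"
}

# With a path argument, audit that file (for example
# /etc/selinux/strict/contexts/default_contexts); without one, run the
# check against the two constructed samples.
if [ $# -gt 0 ]; then
    check_crond_default_context "$1"
else
    tmp=$(mktemp -d)
    for kind in before after; do
        make_sample "$kind" "$tmp/$kind"
        printf '%s: ' "$kind"
        check_crond_default_context "$tmp/$kind" || true
    done
    rm -rf "$tmp"
fi
```

On a live system this file check complements the getseuser query from Comment 19, which shows the context that is actually resolved for system_u.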