sys-process/cronie needs a selinux use flag to run with selinux --- cronie-1.4.8.ebuild.orig 2011-10-28 00:42:32.000000000 +0200 +++ cronie-1.4.8.ebuild 2012-02-12 16:43:57.060088152 +0100 @@ -12,7 +12,7 @@ HOMEPAGE="https://fedorahosted.org/croni LICENSE="ISC BSD BSD-2" KEYWORDS="amd64 ~arm ~sparc x86" -IUSE="inotify pam" +IUSE="inotify pam selinux" DEPEND="pam? ( virtual/pam )" RDEPEND="${DEPEND}" @@ -28,6 +28,7 @@ src_configure() { SPOOL_DIR="/var/spool/cron/crontabs" econf \ $(use_with inotify ) \ $(use_with pam ) \ + $(use_with selinux ) \ --with-daemon_username=cron \ --with-daemon_groupname=cron \ || die "econf failed"
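Review bot: DEPEND stays at "pam? ( virtual/pam )" in the first hunk, so nothing pulls in the SELinux library when the new flag is set, while the second hunk's $(use_with selinux) makes configure build against it. Add a conditional entry such as selinux? ( sys-libs/libselinux ) to DEPEND; RDEPEND picks it up through ${DEPEND}. The diff also edits cronie-1.4.8.ebuild in place. Because the change alters IUSE and the configure arguments, it belongs in a new revision so that existing installs are rebuilt.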
New error with selinux (cron.log):
/usr/sbin/crond[9990]: (CRON) STARTUP (1.4.8)
/usr/sbin/crond[9990]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
/usr/sbin/crond[9996]: (*system*) ERROR (Could not set exec or keycreate context to system_u:system_r:system_cronjob_t for user)
/usr/sbin/crond[9996]: (root) ERROR (failed to change SELinux context) F
Any errors in the avc.log (or audit.log) file?
I have the patch to allow for key creation pending. However, I also tested with a small patch on cron that disabled the setkeycreatecon() call and it seems to work just fine. Mailed the cronie maintainer for more info.
Created attachment 307923: Patch to remove setkeycreatecon() call
Possible patch against cronie (waiting for maintainer feedback first)
USE="selinux" added to cronie ebuild (1.4.8-r1) so that it enables SELinux support.
Ok patch is handled upstream (a while ago, missed the mail): https://fedorahosted.org/cronie/changeset/c98110b45bfaee0e30de4424a0f62060677a3624
(In reply to comment #6) sys-process/cronie-1.4.8-r1 with your patch applied runs the cron entries and the error is gone. Thanks :-)
Thanks for the verification ;-) Keeping it on TEST-REQUEST until stabilized.
Stable (for a while already)