I have vixie-cron and my user is staff_u. When I set something in cron it runs as staff_u:sysadm_r:sysadm_t; it should be running as staff_u:staff_r:staff_t. I have the userdomain_transition boolean enabled. With the boolean disabled it runs correctly in the cronjob_t domain.

    $ crontab -l
    #min hour day month dayofwk command
    */15 * * * * id >> /home/jason/cron.log 2>&1

    $ cat ~/cron.log
    uid=1000(jason) gid=100(users) groups=100(users),7(lp),10(wheel),16(cron),18(audio),19(cdrom),27(video),197(crontab),250(portage) context=staff_u:sysadm_r:sysadm_t

    # grep crond_t /etc/selinux/*/contexts/{default_contexts,users/*}
    /etc/selinux/strict/contexts/default_contexts:system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
    /etc/selinux/strict/contexts/users/guest_u:system_r:crond_t guest_r:guest_t
    /etc/selinux/strict/contexts/users/root:system_r:crond_t unconfined_r:unconfined_t sysadm_r:cronjob_t staff_r:cronjob_t user_r:cronjob_t
    /etc/selinux/strict/contexts/users/staff_u:system_r:crond_t staff_r:cronjob_t
    /etc/selinux/strict/contexts/users/unconfined_u:system_r:crond_t unconfined_r:unconfined_t unconfined_r:unconfined_cronjob_t
    /etc/selinux/strict/contexts/users/user_u:system_r:crond_t user_r:cronjob_t
    /etc/selinux/strict/contexts/users/xguest_u:system_r:crond_t xguest_r:xguest_t

    # semanage boolean -l | grep cron
    cron_userdomain_transition (on , on) Determine whether crond can execute jobs in the user domain as opposed to the the generic cronjob domain.

    # ls -lZ /var/spool/cron/crontabs/
    total 5
    -rw-------. 1 jason crontab staff_u:object_r:user_cron_spool_t 363 Mar 13 02:21 jason
This is probably the problem:

    /etc/selinux/strict/contexts/users/staff_u:system_r:crond_t staff_r:cronjob_t

Your users/staff_u definition tells SELinux userspace that, if a transition is done based on user context from crond_t, then it is suggested to go to cronjob_t. However, because the boolean userdomain_transition is set, this will fail. As a result it will fall back to the failsafe domain, which is sysadm_t. Edit your users/staff_u file to use staff_r:staff_t instead of cronjob_t and you should be all set.
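The lookup described in the comment above, as an added example that is not part of this bug thread or of libselinux: a simplified model of how the users/<seuser> file and default_contexts are consulted in order, how a candidate the policy does not allow (cronjob_t with the boolean on) is skipped, and how an empty result falls back to failsafe_context. The reachable sets and the failsafe_context content (sysadm_r:sysadm_t) are assumptions standing in for what the kernel and the strict policy would report.

```python
# Added example for this bug, not libselinux code: models the ordered
# default-context lookup crond relies on (users/<seuser> first, then
# default_contexts, first reachable candidate wins, else failsafe).

# Sample files, constructed from the grep output in comment #0.
DEFAULT_CONTEXTS = (
    "system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t "
    "system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t\n"
)
STAFF_U_BROKEN = "system_r:crond_t staff_r:cronjob_t\n"
STAFF_U_FIXED = "system_r:crond_t staff_r:cronjob_t staff_r:staff_t\n"

# Assumed failsafe_context for the strict policy, as comment #1 states.
FAILSAFE_CONTEXT = "sysadm_r:sysadm_t"

# Assumed role:type pairs reachable from crond_t for staff_u; these stand in
# for what the kernel reports with cron_userdomain_transition on and off.
REACHABLE_BOOL_ON = {"staff_r:staff_t", "sysadm_r:sysadm_t"}
REACHABLE_BOOL_OFF = {"staff_r:cronjob_t", "sysadm_r:sysadm_t"}


def parse_contexts(text):
    """Map 'src_role:src_type' -> ordered list of 'dst_role:dst_type' entries."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        table.setdefault(fields[0], []).extend(fields[1:])
    return table


def default_context(seuser, fromcon, user_file, default_file, reachable):
    """Return the full context a job for seuser would run in, or the failsafe."""
    key = fromcon.split(":", 1)[1]          # config lines omit the SELinux user
    for cfg in (user_file, default_file):   # users/<seuser> is consulted first
        for candidate in parse_contexts(cfg).get(key, []):
            if candidate in reachable:      # skip what policy does not allow
                return f"{seuser}:{candidate}"
    return f"{seuser}:{FAILSAFE_CONTEXT}"   # no usable candidate: failsafe


if __name__ == "__main__":
    cases = [("broken file, boolean on", STAFF_U_BROKEN, REACHABLE_BOOL_ON),
             ("fixed file, boolean on", STAFF_U_FIXED, REACHABLE_BOOL_ON),
             ("broken file, boolean off", STAFF_U_BROKEN, REACHABLE_BOOL_OFF)]
    for name, ufile, reach in cases:
        ctx = default_context("staff_u", "system_u:system_r:crond_t",
                              ufile, DEFAULT_CONTEXTS, reach)
        print(f"{name}: {ctx}")
```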
Setting the line to staff_t did indeed fix the problem. Also, the following works too:

    system_r:crond_t staff_r:cronjob_t staff_r:staff_t

Is this something we might want to add in the policy so that it'll just work?
We could do that; at first sight I do not see any issues with that. Does it try the cronjob_t one first, or does it just check if it is possible (iow, are there errors in the audit logs as it tries cronjob_t first?)
(In reply to Sven Vermeulen from comment #3)
> (iow, are there errors in the audit logs as it tries cronjob_t first?)

I do not see anything in the audit logs, and I have it set like this on two of my machines.
Created attachment 401044: user default contexts patch

This patch should do it.
In policy -r5.
r5 policy has been stabilized.