Bug 403293

Summary: sys-process/cronie add selinux use flag
Product: Gentoo Linux
Reporter: Florian Steinel <Florian.Steinel>
Component: Hardened
Assignee: SE Linux Bugs <selinux>
Status: VERIFIED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Patch to remove setkeycreatecon() call

Description Florian Steinel 2012-02-12 15:44:44 UTC
sys-process/cronie needs a selinux use flag to run with selinux

--- cronie-1.4.8.ebuild.orig    2011-10-28 00:42:32.000000000 +0200
+++ cronie-1.4.8.ebuild 2012-02-12 16:43:57.060088152 +0100
@@ -12,7 +12,7 @@ HOMEPAGE="https://fedorahosted.org/croni

 LICENSE="ISC BSD BSD-2"
 KEYWORDS="amd64 ~arm ~sparc x86"
-IUSE="inotify pam"
+IUSE="inotify pam selinux"

 DEPEND="pam? ( virtual/pam )"
 RDEPEND="${DEPEND}"
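Review bot: IUSE gains selinux here, but the DEPEND line in the same hunk still lists only pam? ( virtual/pam ), and RDEPEND just copies it. With the flag enabled, the build has no declared dependency on the SELinux library it will be configured against; consider adding a conditional entry such as selinux? ( sys-libs/libselinux ) next to the pam one.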
@@ -28,6 +28,7 @@ src_configure() {
        SPOOL_DIR="/var/spool/cron/crontabs" econf \
                $(use_with inotify ) \
                $(use_with pam ) \
+               $(use_with selinux ) \
                --with-daemon_username=cron \
                --with-daemon_groupname=cron \
                || die "econf failed"
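Review bot: the added $(use_with selinux ) line changes how crond behaves at run time, not only how it builds, and nothing in the ebuild tells the user that. The log in comment 1 shows crond failing to switch to system_cronjob_t once the option is on, so a short comment or post-install message stating that USE=selinux needs a matching cron policy loaded would make such failures easier to diagnose.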
Comment 1 Florian Steinel 2012-02-12 16:01:10 UTC
New error with selinux (cron.log):
/usr/sbin/crond[9990]: (CRON) STARTUP (1.4.8)
/usr/sbin/crond[9990]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
/usr/sbin/crond[9996]: (*system*) ERROR (Could not set exec or keycreate context to system_u:system_r:system_cronjob_t for user)
/usr/sbin/crond[9996]: (root) ERROR (failed to change SELinux context)
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-03-27 19:35:11 UTC
Any errors in the avc.log (or audit.log) file?
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-05 18:33:19 UTC
I have the patch to allow for key creation pending. However, I also tested with a small patch on cron that disabled the setkeycreatecon() call and it seems to work just fine. Mailed the cronie maintainer for more info.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-05 18:34:00 UTC
Created attachment 307923
Patch to remove setkeycreatecon() call

Possible patch against cronie (waiting for maintainer feedback first)
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-06 18:27:13 UTC
USE="selinux" added to cronie ebuild (1.4.8-r1) so that it enables SELinux support.
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-22 09:05:21 UTC
Ok patch is handled upstream (a while ago, missed the mail): https://fedorahosted.org/cronie/changeset/c98110b45bfaee0e30de4424a0f62060677a3624
Comment 7 Florian Steinel 2012-10-27 10:52:46 UTC
(In reply to comment #6)
sys-process/cronie-1.4.8-r1 with your patch applied runs the cron entries and the error is gone.
Thanks :-)
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-10 18:02:56 UTC
Thanks for the verification ;-)

Keeping it on TEST-REQUEST until stabilized.
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-29 09:45:05 UTC
Stable (for a while already)