No security context, /etc/crontab and /etc/cron.d/*

Crond throws ‘null security context’ errors with any execution launched from a crontab or cron.daily/* job, and reports null context for /etc/crontab and /etc/cron.d/* on startup. Selinux must be permissive for any cron jobs to run. Anacron jobs in /etc/cron.[daily,monthly,hourly,weekly] do not have this issue, though it bears noting that anacron jobs use a different label and selinux access (bin_t). Lots of similar reports to this but they all appear to be in two camps, the roots of which do not match this case. Any ideas?

kernel 4.18.0-425.10.1.el8_7.x86_64
libselinux 2.9-6.el8.x86_64
cronie-anacron 1.5.2-8.el8.x86_64
cronie 1.5.2-8.el8.x86_64
crontabs 1.11-17.20190603git.el8.noarch

On the surface identical to two major sets of old reports, first set begins at or around 2016 with https://bugzilla.redhat.com/show_bug.cgi?id=1298192 and second appears to be dupes of https://bugzilla.redhat.com/show_bug.cgi?id=1862823 ending in 2020.

The former pops up multiple times from 2016 to 2021. This calls out manual vs on-package-install semodule additions. The expected system_cron_spool_t stuff is already there but trying the manual semodule anyway did not fix or change the errors.

The latter is reported solved in 2022 for FC31. This calls out a libselinux bug triggered by longer search domains overrunning a max threshold, and provides a test (comment 10,11). The test returns success, ie,

# python3 -c "import selinux; print(selinux.get_default_context_with_rolelevel('system_u', 'system_r', None, 'system_u:system_r:crond_t:s0-s0:c0.c1023'))"

returns

[0, 'system_u:system_r:system_cronjob_t:s0-s0:c0.c1023']

rather than [-1, None]

The indicated paths do have the expected labels:

12:57:26 root@login00.godzilla:~ # ls -lZd /etc/crontab /etc/cron.d /etc/cron.d/*
drwxr-xr-x. 2 root root unconfined_u:object_r:system_cron_spool_t:s0 142 Mar 21 10:22 /etc/cron.d
-rw-r--r--. 1 root root unconfined_u:object_r:system_cron_spool_t:s0 128 Jan 23 13:41 /etc/cron.d/0hourly
-rw-r--r--. 1 root root unconfined_u:object_r:system_cron_spool_t:s0 184 Mar 20 14:50 /etc/cron.d/aide-daily
-rw-r--r--. 1 root root unconfined_u:object_r:system_cron_spool_t:s0 222 Mar 20 14:50 /etc/cron.d/aide-device
-rw-r--r--. 1 root root unconfined_u:object_r:system_cron_spool_t:s0 228 Mar 20 14:50 /etc/cron.d/aide-realtime
-rw-------. 1 root root unconfined_u:object_r:system_cron_spool_t:s0  82 Jan 23 13:41 /etc/cron.d/one-shot-temps
-rw-r--r--. 1 root root unconfined_u:object_r:system_cron_spool_t:s0 158 Jan 23 13:41 /etc/cron.d/opa-cablehealth
-rw-r--r--. 1 root root unconfined_u:object_r:system_cron_spool_t:s0 108 Jan 23 13:41 /etc/cron.d/raid-check
-rw-r--r--. 1 root root unconfined_u:object_r:system_cron_spool_t:s0 451 Jan 23 13:41 /etc/crontab

but crond on startup reports

Mar 21 12:54:08 godzilla00 crond[1894153]: (CRON) STARTUP (1.5.2)
Mar 21 12:54:08 godzilla00 crond[1894153]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 68% if used.)
Mar 21 12:54:08 godzilla00 crond[1894153]: ((null)) No security context but SELinux in permissive mode, continuing (/etc/crontab)
Mar 21 12:54:08 godzilla00 crond[1894153]: ((null)) No security context but SELinux in permissive mode, continuing (/etc/cron.d/0hourly)
Mar 21 12:54:08 godzilla00 crond[1894153]: ((null)) No security context but SELinux in permissive mode, continuing (/etc/cron.d/aide-daily)
Mar 21 12:54:08 godzilla00 crond[1894153]: ((null)) No security context but SELinux in permissive mode, continuing (/etc/cron.d/aide-device)
Mar 21 12:54:08 godzilla00 crond[1894153]: ((null)) No security context but SELinux in permissive mode, continuing (/etc/cron.d/aide-realtime)
Mar 21 12:54:08 godzilla00 crond[1894153]: ((null)) No security context but SELinux in permissive mode, continuing (/etc/cron.d/one-shot-temps)
Mar 21 12:54:08 godzilla00 crond[1894153]: ((null)) No security context but SELinux in permissive mode, continuing (/etc/cron.d/opa-cablehealth)
Mar 21 12:54:08 godzilla00 crond[1894153]: ((null)) No security context but SELinux in permissive mode, continuing (/etc/cron.d/raid-check)
Mar 21 12:54:08 godzilla00 crond[1894153]: (CRON) INFO (running with inotify support)
Mar 21 12:54:08 godzilla00 crond[1894153]: (CRON) INFO (@reboot jobs will be run at computer's startup.)

Restorecon does not change the behavior; I’ve run it against the indicated /etc/crontab and /etc/cron.d/*, and against the scripts and binaries called from those jobs, and against the entire rootfs.

Rebooting does not change the behavior, either before the restorecon calls or after.

This is typically a result of having a system set as disabled and then set to permissive or enforcing after the fact, but you didn’t indicate if this was the case. Have you tried touch /.autorelabel and rebooting your system?

Nope, its the other way around, the system is permissive from install and I only set it enforcing temporarily, long enough to verify that cron jobs fail on this issue while anacron jobs do not.

See the tail end of the OP, restorecon has been run at several granularities from individual files indicated in the errors all the way out to the entire install. See also the ‘ls -lZd’, the labels are there.

This is boot persistent, will edit to add.

I understand. I don’t see the same behavior, though. Granted, I only have /etc/cron.d/raid-check, which is working without issues.

# package names
[root@router ~]# rpm -q kernel libselinux cronie-anacron cronie crontabs
kernel-4.18.0-425.10.1.el8_7.x86_64
libselinux-2.9-6.el8.x86_64
cronie-anacron-1.5.2-8.el8.x86_64
cronie-1.5.2-8.el8.x86_64
crontabs-1.11-17.20190603git.el8.noarch

# selinux contexts
[root@router ~]# ls -lZd /etc/crontab /etc/cron.d /etc/cron.d/*
drwxr-xr-x. 2 root root system_u:object_r:system_cron_spool_t:s0  39 Sep 30 17:00 /etc/cron.d
-rw-r--r--. 1 root root system_u:object_r:system_cron_spool_t:s0 128 Sep 30 17:00 /etc/cron.d/0hourly
-rw-r--r--. 1 root root system_u:object_r:system_cron_spool_t:s0 108 Oct  1 20:49 /etc/cron.d/raid-check
-rw-r--r--. 1 root root system_u:object_r:system_cron_spool_t:s0 451 May 18  2021 /etc/crontab
[root@router ~]# ls -lZ /usr/sbin/raid-check
-rwxr-xr-x. 1 root root system_u:object_r:mdadm_exec_t:s0 3793 Oct  1 20:49 /usr/sbin/raid-check

# no output
[root@router ~]# journalctl -u crond.service --since today | grep security

# latest crond logs
[root@router ~]# journalctl -u crond.service --since today | tail
Mar 21 06:01:01 router.angelsofclockwork.net CROND[1135831]: (root) CMD (run-parts /etc/cron.hourly)
Mar 21 07:01:01 router.angelsofclockwork.net CROND[1139017]: (root) CMD (run-parts /etc/cron.hourly)
Mar 21 08:01:01 router.angelsofclockwork.net CROND[1142258]: (root) CMD (run-parts /etc/cron.hourly)
Mar 21 09:01:01 router.angelsofclockwork.net CROND[1145670]: (root) CMD (run-parts /etc/cron.hourly)
Mar 21 10:01:01 router.angelsofclockwork.net CROND[1149184]: (root) CMD (run-parts /etc/cron.hourly)
Mar 21 11:01:01 router.angelsofclockwork.net CROND[1152369]: (root) CMD (run-parts /etc/cron.hourly)
Mar 21 12:01:01 router.angelsofclockwork.net CROND[1155653]: (root) CMD (run-parts /etc/cron.hourly)
Mar 21 13:01:01 router.angelsofclockwork.net CROND[1158930]: (root) CMD (run-parts /etc/cron.hourly)
Mar 21 14:01:01 router.angelsofclockwork.net CROND[1162164]: (root) CMD (run-parts /etc/cron.hourly)
Mar 21 15:01:01 router.angelsofclockwork.net CROND[1165400]: (root) CMD (run-parts /etc/cron.hourly)

# recent runs of raid-check
[root@router ~]# journalctl -u crond.service | grep raid
Mar 12 01:00:01 router.angelsofclockwork.net CROND[416040]: (root) CMD (/usr/sbin/raid-check)
Mar 19 01:00:01 router.angelsofclockwork.net CROND[962819]: (root) CMD (/usr/sbin/raid-check)

# When the system started up
[root@router ~]# journalctl -u crond.service -b | head
-- Logs begin at Mon 2023-03-06 21:23:15 MST, end at Tue 2023-03-21 15:44:01 MST. --
Mar 06 21:23:34 router.angelsofclockwork.net systemd[1]: Started Command Scheduler.
Mar 06 21:23:34 router.angelsofclockwork.net crond[2365]: (CRON) STARTUP (1.5.2)
Mar 06 21:23:34 router.angelsofclockwork.net crond[2365]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 16% if used.)
Mar 06 21:23:34 router.angelsofclockwork.net crond[2365]: (CRON) INFO (running with inotify support)
Mar 06 22:01:01 router.angelsofclockwork.net CROND[6212]: (root) CMD (run-parts /etc/cron.hourly)
Mar 06 23:01:01 router.angelsofclockwork.net CROND[9400]: (root) CMD (run-parts /etc/cron.hourly)

I don’t recognize a lot of the entries you have in /etc/cron.d/*, so I can’t try to replicate what you have there. I do know that the raid-check works for me.

Did a standalone install, same os/packages/jobs, didn’t have the issue, so despite appearances it’s something in the image construction or provisioning.