After about a day of not having crontabs running I realized that SELinux was stopping both user and root crontab jobs. I messed with it and then discovered:
https://bugzilla.redhat.com/show_bug.cgi?id=1298192 (Recent dnf updates caused crontabs to be restricted. Reboot to last kernel fixes that.)
I added myself to that bug but I had already broken SELinux to the point where it would not work properly even if I rebooted to the previous kernel. I was willing to be stupid/brave about messing with it since I figure that if I can't get it back in order then I don't know enough about it. A full relabel takes about ten minutes on my system, so it is not terrible.
I have been with "Fedora" since it was "Redhat 5.0" but only enabled SELinux after upgrading to F23. This bug keeps making me want to go back to "disabled" but then I come back to it and do some more googling.
My last attempt to fix it was with:
(reformatted for easier reading)
    dnf reinstall libselinux-utils selinux-policy libselinux-devel \
        libselinux-python3 libselinux.i686 libselinux-python \
        selinux-policy-targeted rpm-plugin-selinux libselinux.x86_64
Then a reboot to do the relabel and run with "permissive" to debug. It had lots of issues. I suspect that most were simply that I was working as the admin for my machine and that was not properly set.
My question:
Can anybody suggest a series of steps to put my F23 SELinux installation in line with the default workstation install of F23?
Note that I was previously running:
    setsebool -P httpd_enable_homedirs 1
    setsebool -P httpd_read_user_content 1
I happen to have a personal use web server running out of /home/httpd and I would rather leave it there since /home is a partition. The point being that I am fine with running the basic allows that SELinux Troubleshooter identified when I first enabled it.
On Fri, 2016-01-15 at 08:08 -0800, Doug H. wrote:
> After about a day of not having crontabs running I realized that SELinux was stopping both user and root crontab jobs. I messed with it and then discovered:
> https://bugzilla.redhat.com/show_bug.cgi?id=1298192 (Recent dnf updates caused crontabs to be restricted. Reboot to last kernel fixes that.)
> I added myself to that bug but I had already broken SELinux to the point where it would not work properly even if I rebooted to the previous kernel. I was willing to be stupid/brave about messing with it since I figure that if I can't get it back in order then I don't know enough about it. A full relabel takes about ten minutes on my system, so it is not terrible.
> I have been with "Fedora" since it was "Redhat 5.0" but only enabled SELinux after upgrading to F23. This bug keeps making me want to go back to "disabled" but then I come back to it and do some more googling.
> My last attempt to fix it was with:
> (reformatted for easier reading)
>     dnf reinstall libselinux-utils selinux-policy libselinux-devel \
>         libselinux-python3 libselinux.i686 libselinux-python \
>         selinux-policy-targeted rpm-plugin-selinux libselinux.x86_64
> Then a reboot to do the relabel and run with "permissive" to debug. It had lots of issues. I suspect that most were simply that I was working as the admin for my machine and that was not properly set.
> My question:
> Can anybody suggest a series of steps to put my F23 SELinux installation in line with the default workstation install of F23?
> Note that I was previously running:
>     setsebool -P httpd_enable_homedirs 1
>     setsebool -P httpd_read_user_content 1
> I happen to have a personal use web server running out of /home/httpd and I would rather leave it there since /home is a partition. The point being that I am fine with running the basic allows that SELinux Troubleshooter identified when I first enabled it.
Ok, seems that `dnf reinstall` might have been the issue.
I am back up with SELinux enforcing after:
    dnf remove selinux-policy selinux-policy-targeted
    rm -rf /etc/selinux
    touch /.autorelabel
I first booted to the recent/current kernel and all was good with crontabs still blocked as expected so I rebooted to 4.2.8-300 and now all is working and SELinux is back in the picture. Will now wait for the bug to be fixed.
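
An added example, not part of the thread: when running permissive to debug, as the first message describes, grouping the AVC denials by process and type separates the cron-related ones from everything else and shows which were actually refused. The log lines are constructed for illustration, and treating a missing `permissive=` field as "blocked" is an assumption of this sketch.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not taken from the thread or the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1452874081.101:410): avc:  denied  { read } for  pid=2101 comm="crond" name="doug" dev="dm-1" ino=131 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file permissive=1
type=AVC msg=audit(1452874081.105:411): avc:  denied  { read } for  pid=2101 comm="crond" name="root" dev="dm-1" ino=132 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file permissive=1
type=AVC msg=audit(1452874090.220:415): avc:  denied  { getattr } for  pid=1790 comm="httpd" path="/home/httpd/index.html" dev="dm-2" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1452874090.220:415): arch=c000003e syscall=4 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def domain(context):
    # user:role:type[:level] -> the type field is what policy rules are written against
    return context.split(":")[2]

def summarize(log_text):
    """Count denials per (comm, source type, target type, class, perm, blocked)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types
        # permissive=1: logged only. permissive=0 means refused; an absent
        # field is treated as refused here (assumption of this sketch).
        blocked = m["permissive"] != "1"
        for perm in m["perms"].split():
            key = (m["comm"], domain(m["scon"]), domain(m["tcon"]),
                   m["tclass"], perm, blocked)
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for (comm, src, tgt, cls, perm, blocked), n in summarize(SAMPLE_LOG).most_common():
        state = "BLOCKED" if blocked else "logged only"
        print(f"{n:3d}  {comm:8s} {src} -> {tgt}:{cls} {{ {perm} }}  [{state}]")
```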