The Silence of the Anacrons

Daniel J Walsh dwalsh at redhat.com
Wed Mar 15 13:51:19 UTC 2006


Ted Rule wrote:
> Something that's niggled me for a while are the empty Email messages
> generated by Anacron.
>
> This is on FC4 / selinux-policy-strict-1.27.1-2.22
>
> When the machine is left powered overnight, the normal /etc/cron.daily
> processes - including logwatch and logrotate - run perfectly happily and
> generate appropriate Emails.
>
> By default, logrotate doesn't result in an Email, but for reasons
> unrelated to SELinux I have it set to run in debug mode, so my instance
> does. The Email from logrotate is effectively 'sent' by /etc/cron.daily
> as it wrappers all the output from its child jobs.
>
> In contrast, logwatch sends its own Email independent of Cron's sendmail
> child process.
>
> When the machine is depowered overnight and repowered in the morning,
> Anacron proceeds to run the various /etc/cron.daily scripts. With
> SELinux enforcing, logwatch runs normally, and generates its normal
> Email log summary.
>
> However, logrotate's output is never seen, even though it can be seen
> from the various timestamps and filenames that logrotate has correctly
> run and suitably rotated all the logs.
>
> The overall cron.daily Job launched by Anacron results in an empty
> Email, with no body and more particularly no Subject. The mail From
> address is set to "Anacron <root at hostname>".
>
> Burrowing around the Anacron source it is apparent that under normal
> circumstances it would give the Email a subject of
>
> 	"Anacron job cron.daily"
>
> Given the behaviour I see, I think the problem is somehow related to
> the /etc/cron.daily/* processes not having rights to write to the file
> descriptor which is the input to Cron's overall sendmail process.
>
> I've had a look through the SELinux policy to see if I can spot the
> difference between the permissions of Jobs launched by Cron and Anacron,
> and I'm afraid I can't see where the problem lies; since jobs launched
> by either method appear to run as system_crond_t, the difference in
> behaviour eludes me.
>
> Can anyone else offer any insight into the problem?
>
> Thanks,
Is this on FC5?  If yes, are you seeing any AVC messages?  If not, could 
you attempt to enable audit:

semodule -b /usr/share/selinux/targeted/enableaudit.pp

Create the error.

Grab the AVC Messages

semodule -b /usr/share/selinux/targeted/base.pp

to turn off auditing again.


Of course, verifying this works with setenforce 0 would also help to make 
sure it is SELinux causing the problem.
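
Added example, not part of either message above: once the error has been reproduced with auditing enabled, a short Python script can do the "grab the AVC messages" step by pulling out only the denials whose source domain is system_crond_t and grouping them by command, target type and object class. The log lines are constructed for illustration, the denial they show is hypothetical and is not a diagnosis of the problem in this thread, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the poster's machine). The
# denial shown is hypothetical and is not a diagnosis of the thread's problem.
SAMPLE_LOG = """\
type=AVC msg=audit(1142430679.101:41): avc:  denied  { write } for  pid=2311 comm="logrotate" name="[8841]" dev=pipefs ino=8841 scontext=system_u:system_r:system_crond_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1142430679.101:41): arch=40000003 syscall=4 success=no exit=-13 comm="logrotate"
type=AVC msg=audit(1142430679.240:42): avc:  denied  { getattr } for  pid=2311 comm="logrotate" name="[8841]" dev=pipefs ino=8841 scontext=system_u:system_r:system_crond_t tcontext=system_u:system_r:crond_t tclass=fifo_file
type=AVC msg=audit(1142430680.007:43): avc:  denied  { read } for  pid=2290 comm="httpd" name="notes.txt" dev=dm-0 ino=5512 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1142430681.500:44): avc:  granted  { setenforce } for  pid=2400 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of user:role:type[:level] (level is optional)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize_denials(log_text, source_type="system_crond_t"):
    """Group AVC denials from source_type by (comm, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group(1) != "denied":
            continue  # skip SYSCALL records and granted decisions
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
        if selinux_type(fields.get("scontext", "")) != source_type:
            continue  # denial belongs to some other domain
        key = (fields.get("comm", "?"),
               selinux_type(fields.get("tcontext", "")),
               fields.get("tclass", "?"))
        groups[key]["perms"].update(m.group(2).split())
        groups[key]["count"] += 1
    return {k: {"perms": sorted(v["perms"]), "count": v["count"]}
            for k, v in groups.items()}

if __name__ == "__main__":
    for (comm, ttype, tclass), info in summarize_denials(SAMPLE_LOG).items():
        print(f"{comm}: denied {info['perms']} on {ttype}:{tclass} x{info['count']}")
```

Running the same summary on logs captured under setenforce 0 and under enforcing mode shows which denials coincide with the empty mail.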




