selinux: avc denied

Issue

# systemctl status crond
 crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Thu 2023-12-08 16:59:47 UTC; 4s ago
  Process: 994 ExecStart=/usr/sbin/crond -n $CRONDARGS (code=exited, status=203/EXEC)
 Main PID: 994 (code=exited, status=203/EXEC)

OS

# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.9 (Ootpa)

dmesg

[  223.572217] audit: type=1400 audit(1707403690.408:11): avc:  denied  { execute } for  pid=981 comm="(crond)" name="crond" dev="dm-0" ino=17010170 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0

Check

# ls -lZ /usr/sbin/crond
-rwxr-xr-x. 1 root root unconfined_u:object_r:user_tmp_t:s0 75712 Oct  2  2022 /usr/sbin/crond

Fix

# chcon -u system_u -t crond_exec_t /usr/sbin/crond

Root cause

Oops ... maybe you already figured it out :)
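
Reading the denial record field by field, as an added example (not part of the original post): the script below splits an AVC line into source type, permission, object and target type, and prints a hint when an execute denial hits a file whose type is not an executable type. The function names and the list of suspicious target types are assumptions made for this illustration; the sample is the dmesg record above.

```shell
#!/bin/sh
# Added example: triage one AVC denial record from dmesg or the audit log.

# Sample input: the record from the dmesg output above, on one line.
SAMPLE='[  223.572217] audit: type=1400 audit(1707403690.408:11): avc:  denied  { execute } for  pid=981 comm="(crond)" name="crond" dev="dm-0" ino=17010170 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY -> value of KEY=..., surrounding quotes removed.
# Assumes values contain no spaces, which holds for the fields used here.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perms RECORD -> the permissions listed between the braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# ctx_type CONTEXT -> third field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage RECORD -> one summary line, plus a hint when the target type
# (a tmp, home, default or unlabeled type) explains an execute denial.
avc_triage() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    perms=$(avc_perms "$1")
    name=$(avc_field "$1" name)
    class=$(avc_field "$1" tclass)
    printf '%s denied {%s} on %s "%s" labelled %s\n' "$src" "$perms" "$class" "$name" "$tgt"
    case "$perms:$tgt" in
        *execute*:*tmp_t|*execute*:*home_t|*execute*:default_t|*execute*:unlabeled_t)
            printf 'hint: %s is not an executable type; compare the file label with policy (ls -Z, matchpathcon)\n' "$tgt"
            ;;
    esac
}

avc_triage "$SAMPLE"
```

On the affected host, `restorecon -nv /usr/sbin/crond` reports the label that policy expects for the path without changing anything.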