SELinux error "Not allowed to set exec context" is seen when running the at command in RHEL 5
Environment
- Red Hat Enterprise Linux (RHEL) 5
- SELinux strict policy < selinux-policy-2.4.6-346
Issue
- While trying to schedule a task, the following error from the atd daemon is seen:
daemon 3 atd[24961]: Not allowed to set exec context to root:sysadm_r:sysadm_crond_t:SystemLow-SystemHigh for user root
Resolution
This issue has been resolved in selinux-policy-2.4.6-346.
Here is a snippet from the 5.10 tech notes:
BZ#838702
With the SELinux strict policy enabled, when the user executed a locally developed application configured to use the atd daemon, the daemon ran in an incorrect SELinux domain due to the missing SELinux policy rules. Consequently, the following error message was logged in the /var/log/messages file:
Not allowed to set exec context
With this update, the appropriate SELinux policy rules have been added so that atd runs in the correct domain and the error message is no longer returned.
Diagnostic Steps
Simple reproducer:
# echo '/usr/bin/id -Z' | at now + 1 minute
==> /var/log/messages <==
Jul 9 03:05:00 xxxxxx atd[13963]: Not allowed to set exec context to root:sysadm_r:sysadm_crond_t:s0-s0:c0.c1023 for user root : No such file or directory
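To triage a host, the two checks above (policy build and log message) can be scripted. The following is an added example, not part of the original solution: the function names and the sample version strings are assumptions, and the version comparison is a simplified numeric one rather than full rpm ordering.

```shell
#!/bin/sh
# Triage helper for the atd "Not allowed to set exec context" error (added example).
FIXED="2 4 6 346"   # selinux-policy-2.4.6-346, the fixed build named on this page

# Return 0 if VERSION-RELEASE ($1) is at or above the fixed build, 1 if older.
# Simplified numeric comparison of the first four fields, not full rpm ordering.
# On a real host: policy_is_fixed "$(rpm -q --qf '%{VERSION}-%{RELEASE}' selinux-policy)"
policy_is_fixed() {
    echo "$1" | awk -F'[-.]' -v fixed="$FIXED" '{
        split(fixed, want, " ")
        for (i = 1; i <= 4; i++) {
            if ($i + 0 > want[i] + 0) exit 0
            if ($i + 0 < want[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print "user context" for every atd denial in the syslog files given as
# arguments (or on stdin), so the rejected exec context can be reviewed.
atd_context_denials() {
    sed -n 's/.*atd\[[0-9]*]: Not allowed to set exec context to \([^ ]*\) for user \([^ ]*\).*/\2 \1/p' "$@"
}

# Constructed sample: the two log lines shown on this page plus an unrelated line.
sample_log() {
    cat <<'EOF'
daemon 3 atd[24961]: Not allowed to set exec context to root:sysadm_r:sysadm_crond_t:SystemLow-SystemHigh for user root
Jul 9 03:05:00 xxxxxx atd[13963]: Not allowed to set exec context to root:sysadm_r:sysadm_crond_t:s0-s0:c0.c1023 for user root : No such file or directory
Jul 9 03:05:01 xxxxxx crond[1402]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

for build in 2.4.6-338.el5 2.4.6-346.el5; do   # constructed version strings
    if policy_is_fixed "$build"; then echo "$build: contains the fix"
    else echo "$build: older than 2.4.6-346, affected under strict policy"; fi
done
sample_log | atd_context_denials
```

On a live system, pass `/var/log/messages` to `atd_context_denials` instead of the sample input.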