I have copied this question over here from StackOverflow...
I have installed incron from the EPEL repository (0.5.9) (before you ask; YES, I also tried downloading the source and compiling locally (0.5.10); same results) and am attempting to set up a process on my CentOS 6.4 (final) virtual box that I have successfully prototyped on my local Ubuntu 12.04 machine (process including incron works perfectly under Ubuntu):
Some information up front:
- SELinux is set PERMISSIVE (I have also tried DISABLED, it seems to make no difference!)
- I have added my script(s) and called executables to all with NOPASSWD using
visudoto get around some permissions issues... I have tried to apply the policy for incron as desribed here http://blog.siphos.be/2013/05/a-selinux-policy-for-incron-finishing-up/ but I keep getting
libsepol.policydb_read: policydb magic number 0x696c6f70 does not match expected magic number 0xf97cff8c or 0xf97cff8d semodule_package: Error while reading policy module from incron.tewhen I try to use
semodule_packageI have tried to define environment both in the script itself and in a pre-script
caller.shby doing this I am able toenv > /tmp/envfile.txtwhich indicates the script is running in a clone of thesudo env(as I intended) however I still get no output from my script, either the work it is supposed to do on it's input file or any of it's logs...it's gotta be permissions right? (I'm about one more day of this away from just doing
chmod -r 777on the root file system ;) )Under Ubuntu 12.04 the simple act of doing
sudo incrotab -eand entering/tmp/ IN_CREATE,IN_NO_LOOP env > /home/username/envfile.txtshows that incron is already running in the root/sudo environment, as the incron documentation suggests it should be.Is this all SELinux-related stuff, or is there something else going on in CentOS thats making this so difficult?
If I invoke my script from the command line with sudo /path/to/my/script.sh arguments it works like a charm.
or for that matter if I invoke caller.sh it all works fine, but when caller.sh is invoked by incrond its the same, can't even env > /dev/pts/0 from it. (though I CAN env > /tmp/envfile.txt
sudo service incrond status verifies that incrond is running. root and myusername are added to /etc/incron.allow, /etc/incron.deny is empty.
the below is deprecated, see bullet points above, but read it for backstory and expansion...
My incrotab for root is:
/path/to/dropfolder/ IN_CLOSE_WRITE sudo /path/to/my/script.sh $@/$#
Events in /path/to/dropfolder/ result in NOTHING useful happening. logs are generated in /var/log/cron, no messages, no actions occur on the files in the folder.
So I have researched: it was suggested that cron runs in a minimal environment and that to execute complex commands/scripts you may have to execute your .bashrc and/or export your PATH at the beginning of the cron command.
Edit: Documentation indicates that incron run from system tables or root takes env from its host enviroment, therefore only incron executed by non-root users should require any sort of env or PATH fiddling
So… incrontab for root:
/path/to/dropfolder IN_CLOSE_WRITE . /home/myusername/.bashrc; export PATH=$PATH:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin; sudo /path/to/my/script.sh $@/$#"
No dice… tried && instead of ; = no dice. If you can think of a variation on the above I've probably tried it…
So, lets try a little restorecond -R /usr/sbin/incrond /etc/incron* action!
Huh, no change there either.
service incrond stop followed by service incrond start and then service incrond restart … nope, nope, and nope.
Drastic measures: yum remove incron and yum install incron, chkconfig incrond on and then for good measure a sudo reboot!
how about the ol' touch ./autorelabel and reboot? nope!
Nothing.
I don't even get anything from /tmp/ IN_ALL_EVENTS echo boo> > /home/myusername/boofile.txt, hence my inability to even do an env > envfile.txt to check whether incron is running in a sparse environment… (see above note)
And yet: service incrond status yields incrond (pid xxxx) is running...
further examination of /var/log/cron yields results like this: Aug 14 15:05:30 hostname incrond[1584]: (root) CMD (sudo /path/to/DropFolder/script/subfolder/script-Beta-1.sh /home/username/DropFolder/testfile.file) -yes I made sure my script was executable..
if I set root's incrontab to contain /tmp/ IN_ALL_EVENTS,IN_NO_LOOP env > /tmp/envfile.txt I get nothing. tail /var/log/cron contains: Aug 15 10:06:32 hostname incrond[1584]: (root) CMD (env > /tmp/envfile.txt) but the file doesn't exist in /tmp/
so incrond is indeed attempting to do SOMETHING, but I get no output anywhere... even a echo > /dev/pts/0 produces nada results.
if I make root's incrontab /tmp/ IN_ALL_EVENTS,IN_NO_LOOP . ./home/print/.bashrc; env > /tmp/envfile.txt as was suggested in a number of threads I found dealing with cron environment issues I get Aug 15 12:30:25 hostname incrond[1726]: cannot exec process: Permission denied the pid here is different from the one that claims it issued the command, so there's obviously some child process spawning happening here... that was mentioned in the SELinux policy link above, and I feel they're related, but shouldn't PREMISSIVE and DISABLED SELinux settings not care about that??
before I tried setting SELinux to DISABLED I was getting entries in /var/log/audit/audit.log that indicated incron was trying to do things and they were taged res=success at the end... which seems to indicate SELinux was letting stuff happen, but nothing happens! Since setting SELinux to DISABLED and back to PERMISSIVE and rebooting (several times) I'm not getting any entries in /var/log/audit/audit.log related to incrond aside from service start etc related things. WTH?
I have tried all of the above described incron tactics as root (sudo incrontab), as a plain user, and though system tables (located in /etc/incron.d) with the same results :p
I have thrown the kitchen sink at this (as far as I understand the contents of the sink) and I can't find a solution...What am I missing? I hope someone can make me feel like an idiot in short order!
