selinux : root as sysadm_u not able to start at job


I have a system where the root user is sysadm_u. When the user tries to start an at job, I get this error: “execle: couldn’t get security context for user root”.

After going through the source code of at and other SELinux docs, the issue seems to be that sysadm_u is not able to find any reachable contexts.

at is failing here:

    retval = get_default_context_with_level(seuser, level, NULL, &user_context);

I am able to see the reachable contexts using the below command and validate this.

    # selinuxconlist -l s0-s0:c0.c1023 sysadm_u system_u:system_r:crond_t:s0-s0:c0.c1023
    #

=> No output.

Below is my atd process context:

    # ps -efZ | grep atd
    system_u:system_r:crond_t:s0-s0:c0.c1023 root 12735 1  0 01:10 ?       00:00:00 /usr/sbin/atd -f
    #

Test1)

But if I use -l s0 instead of -l s0-s0:c0.c1023 in the above command, I get the below result.

    # selinuxconlist -l s0 sysadm_u system_u:system_r:crond_t:s0-s0:c0.c1023
    sysadm_u:sysadm_r:sysadm_t:s0
    sysadm_u:system_r:system_cronjob_t:s0
    #

What is the difference between the above two? Why would the reachable contexts change if I add more range?

sysadm_u has the roles sysadm_r and system_r:

    # semanage user -l

                    Labeling   MLS/       MLS/
    SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

    root            user       s0         s0-s0:c0.c1023                 sysadm_r system_r
    sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r system_r
    system_u        user       s0         s0-s0:c0.c1023                 system_r
    unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r

Test 2) It also gives reachable contexts if I remove the system_r role from sysadm_u:

    # semanage user -l

                    Labeling   MLS/       MLS/
    SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

    sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r

    # selinuxconlist -l s0-s0:c0.c1023 sysadm_u system_u:system_r:crond_t:s0-s0:c0.c1023
    sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
    #

But the crond_t context is missing here. How can I make at work with sysadm_u? Any help/suggestions would be great.