File Contexts error?

Hongwei Li hongwei at wustl.edu
Thu Mar 3 15:18:10 UTC 2005


> Hi,
>
> I have run up2date to update many packages of my fc3 system.  My system
> info:
> RedHat FC3 linux, kernel 2.6.10-1.766_FC3, selinux enforced (targeted),
> iptables enabled
> selinux-policy-targeted:     1.17.30-2.19
>
> Then, the root received the following mail:
>
> Invalid File Contexts
>
> /etc/blkid.tab
> /etc/asound.state
> /etc/ld.so.cache
> /etc/.pwd.lock
> /etc/hotplug/usb.usermap
> /etc/freshclam.conf
> /etc/sysconfig/firstboot
> /etc/sysconfig/hwconf
> /.autofsck
> /.fonts.cache-1
> /lost+found
> /root/install.log
> /root/install.log.syslog
> /lib/modules/2.6.10-1.766_FC3/modules.ccwmap
> /lib/modules/2.6.10-1.766_FC3/modules.alias
> /lib/modules/2.6.10-1.766_FC3/modules.dep
> /lib/modules/2.6.10-1.766_FC3/modules.inputmap
> /lib/modules/2.6.10-1.766_FC3/modules.usbmap
> /lib/modules/2.6.10-1.766_FC3/modules.isapnpmap
> /lib/modules/2.6.10-1.766_FC3/modules.pcimap
> /lib/modules/2.6.10-1.766_FC3/modules.ieee1394map
> /lib/modules/2.6.10-1.766_FC3/modules.symbols
> /lib/modules/2.6.9-1.667/modules.ccwmap
> /lib/modules/2.6.9-1.667/modules.alias
> /lib/modules/2.6.9-1.667/modules.dep
> /lib/modules/2.6.9-1.667/modules.inputmap
> /lib/modules/2.6.9-1.667/modules.usbmap
> /lib/modules/2.6.9-1.667/modules.isapnpmap
> /lib/modules/2.6.9-1.667/modules.pcimap
> /lib/modules/2.6.9-1.667/modules.ieee1394map
> /lib/modules/2.6.9-1.667/modules.symbols
> /home/lost+found
> /tmp/lost+found
> /usr/lost+found
> /var/log/rpmpkgs
> /var/log/httpd/ssl_error_log
> /var/log/httpd/ssl_request_log
> /var/log/httpd/ssl_access_log
> /var/log/httpd/error_log
> /var/log/httpd/access_log
> /var/log/yum.log
> /var/lost+found
> /var/run/utmp
> /var/lib/squirrelmail/prefs/qlily.pref
> /var/lib/squirrelmail/prefs/qlily.abook
> /var/lib/php/session/sess_bd54786e5c301c251fd139a22c129872
>
> I don't know which package's updating caused this problem.  Then, I ran:
>
> # restorecon -R /etc/*
> # restorecon -R /var/*
> # restorecon -R /lib/*
> # restorecon -R /usr/*
>
> I got a lot of warnings about symbolic links, that's probably okay.  Now,
> the problem is that the user qlily cannot login to squirrelmail.  The
> error message is:
>
> Preference file, /var/lib/squirrelmail/prefs/qlily.pref.tmp, could not be
> opened. Contact your system administrator to resolve this issue.
>
> Check the files:
>
> # ls -lZ /var/lib/squirrelmail/prefs/qlily.*
> -rw-r--r--  apache   apache   system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.abook
> -rw-------  apache   apache   system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.pref
> -rw-r--r--  apache   apache   system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.pref.tmp
>
> and the log shows:
>
> Mar  2 15:49:03 pippo kernel: audit(1109800143.922:0): avc:  denied  { write } for  pid=1458 exe=/usr/sbin/httpd name=qlily.pref.tmp dev=hda2 ino=2540354 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
> Mar  2 15:49:03 pippo kernel: audit(1109800143.924:0): avc:  denied  { write } for  pid=1458 exe=/usr/sbin/httpd name=sess_bd54786e5c301c251fd139a22c129872 dev=hda2 ino=2540345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
> ....
>
> qlily is the only user I created so far in the system.  This user can
> send/receive email through pine.  To test the situation, I created another
> user msnet.  He can login to ssh console, but cannot login to
> squirrelmail, the error message is:
>
> You must be logged in to access this page
>
> although the password is correct.  His pref file is:
>
> # ls -lZ /var/lib/squirrelmail/prefs/msnet.pref
> -rw-------  apache   apache   root:object_r:httpd_var_lib_t /var/lib/squirrelmail/prefs/msnet.pref
>
> What's wrong?  What package updating caused this problem?  How to fix the
> problem?
>
> Thanks a lot!
>
> Hongwei Li
>
>
>

Hi,

I have solved the problem.  If some people encounter the same problem,
here is what I did:

# fixfiles relabel

(reboot)

Then, all users can log in to squirrelmail, read/send mails normally.  I
created another new user account; it also works.

However, I still have a question.  The file contexts properties for the
existing users and new user are different.  In my case, qlily is the
existing user (the "fixfiles relabel" solved the problem for this
account), and mmst is a new user created after running fixfiles relabel.
Please see:

# ls -lZ /var/spool/mail/
-rw-rw----  mmst     mail     root:object_r:mail_spool_t       mmst
-rw-rw----  qlily    mail     system_u:object_r:mail_spool_t   qlily

# ls -lZ /var/lib/squirrelmail/prefs/
-rw-r--r--  apache   apache   user_u:object_r:httpd_squirrelmail_t mmst.abook
-rw-------  apache   apache   user_u:object_r:httpd_squirrelmail_t mmst.pref
-rw-r--r--  apache   apache   system_u:object_r:httpd_squirrelmail_t qlily.abook
-rw-------  apache   apache   system_u:object_r:httpd_squirrelmail_t qlily.pref

Why are they different, but no error message and they don't have any
problem when they login, read/send mails in pine or squirrelmail?

Strange features of selinux!

Thanks!

Hongwei Li
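
The following is an added example, not part of the original post: it parses the two AVC denials quoted above and compares the post-relabel labels, showing that the denials are keyed on the type field (`httpd_t` writing to `var_lib_t`) while the working `mmst` and `qlily` preference files differ only in the user field. The sample data is taken from the post with the wrapped lines joined; the function names are hypothetical.

```python
import re

# Sample input: the two AVC denials quoted in the post, with line wraps joined.
AVC_LOG = """\
Mar  2 15:49:03 pippo kernel: audit(1109800143.922:0): avc:  denied  { write } for  pid=1458 exe=/usr/sbin/httpd name=qlily.pref.tmp dev=hda2 ino=2540354 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
Mar  2 15:49:03 pippo kernel: audit(1109800143.924:0): avc:  denied  { write } for  pid=1458 exe=/usr/sbin/httpd name=sess_bd54786e5c301c251fd139a22c129872 dev=hda2 ino=2540345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
"""

# Labels from the post's `ls -lZ` output after the relabel.
LABELS = {
    "mmst.pref": "user_u:object_r:httpd_squirrelmail_t",
    "qlily.pref": "system_u:object_r:httpd_squirrelmail_t",
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?\bname=(\S+).*?"
                    r"\bscontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def split_context(ctx):
    """Split 'user:role:type' (as shown in the post, no MLS range) into a dict."""
    user, role, setype = ctx.split(":")[:3]
    return {"user": user, "role": role, "type": setype}

def parse_denials(log):
    """Yield one dict per AVC denial line; other lines are ignored."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            perms, name, sctx, tctx, tclass = m.groups()
            yield {"perms": perms.split(), "name": name, "tclass": tclass,
                   "source": split_context(sctx), "target": split_context(tctx)}

def denied_rules(log):
    """Collapse denials to unique (source type, target type, class, perm)."""
    return sorted({(d["source"]["type"], d["target"]["type"], d["tclass"], p)
                   for d in parse_denials(log) for p in d["perms"]})

def differing_fields(ctx_a, ctx_b):
    """Name the context fields in which two labels differ."""
    a, b = split_context(ctx_a), split_context(ctx_b)
    return [f for f in ("user", "role", "type") if a[f] != b[f]]

if __name__ == "__main__":
    for rule in denied_rules(AVC_LOG):
        print("denied: %s -> %s : %s { %s }" % rule)
    print("mmst.pref vs qlily.pref differ in:",
          differing_fields(LABELS["mmst.pref"], LABELS["qlily.pref"]))
```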




