File Contexts error?
Daniel J Walsh
dwalsh at redhat.com
Mon Mar 7 15:44:28 UTC 2005
Hongwei Li wrote:
>>Hi,
>>
>>I have run up2date to update many packages of my fc3 system. My system
>>info:
>>RedHat FC3 linux, kernel 2.6.10-1.766_FC3, selinux enforced (targeted),
>>iptables enabled
>>selinux-policy-targeted: 1.17.30-2.19
>>
>>Then, the root received the following mail:
>>
>>Invalid File Contexts
>>
>>/etc/blkid.tab
>>/etc/asound.state
>>/etc/ld.so.cache
>>/etc/.pwd.lock
>>/etc/hotplug/usb.usermap
>>/etc/freshclam.conf
>>/etc/sysconfig/firstboot
>>/etc/sysconfig/hwconf
>>/.autofsck
>>/.fonts.cache-1
>>/lost+found
>>/root/install.log
>>/root/install.log.syslog
>>/lib/modules/2.6.10-1.766_FC3/modules.ccwmap
>>/lib/modules/2.6.10-1.766_FC3/modules.alias
>>/lib/modules/2.6.10-1.766_FC3/modules.dep
>>/lib/modules/2.6.10-1.766_FC3/modules.inputmap
>>/lib/modules/2.6.10-1.766_FC3/modules.usbmap
>>/lib/modules/2.6.10-1.766_FC3/modules.isapnpmap
>>/lib/modules/2.6.10-1.766_FC3/modules.pcimap
>>/lib/modules/2.6.10-1.766_FC3/modules.ieee1394map
>>/lib/modules/2.6.10-1.766_FC3/modules.symbols
>>/lib/modules/2.6.9-1.667/modules.ccwmap
>>/lib/modules/2.6.9-1.667/modules.alias
>>/lib/modules/2.6.9-1.667/modules.dep
>>/lib/modules/2.6.9-1.667/modules.inputmap
>>/lib/modules/2.6.9-1.667/modules.usbmap
>>/lib/modules/2.6.9-1.667/modules.isapnpmap
>>/lib/modules/2.6.9-1.667/modules.pcimap
>>/lib/modules/2.6.9-1.667/modules.ieee1394map
>>/lib/modules/2.6.9-1.667/modules.symbols
>>/home/lost+found
>>/tmp/lost+found
>>/usr/lost+found
>>/var/log/rpmpkgs
>>/var/log/httpd/ssl_error_log
>>/var/log/httpd/ssl_request_log
>>/var/log/httpd/ssl_access_log
>>/var/log/httpd/error_log
>>/var/log/httpd/access_log
>>/var/log/yum.log
>>/var/lost+found
>>/var/run/utmp
>>/var/lib/squirrelmail/prefs/qlily.pref
>>/var/lib/squirrelmail/prefs/qlily.abook
>>/var/lib/php/session/sess_bd54786e5c301c251fd139a22c129872
>>
>>I don't know which package's updating caused this problem. Then, I ran:
>>
>># restorecon -R /etc/*
>># restorecon -R /var/*
>># restorecon -R /lib/*
>># restorecon -R /usr/*
>>
>>I got a lot of warnings about symbolic links, that's probably okay. Now,
>>the problem is that the user qlily cannot login to squirrelmail. The
>>error message is:
>>
>>Preference file, /var/lib/squirrelmail/prefs/qlily.pref.tmp, could not be
>>opened. Contact your system administrator to resolve this issue.
>>
>>Check the files:
>>
>># ls -lZ /var/lib/squirrelmail/prefs/qlily.*
>>-rw-r--r-- apache apache system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.abook
>>-rw------- apache apache system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.pref
>>-rw-r--r-- apache apache system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.pref.tmp
>>
>>and the log shows:
>>
>>Mar 2 15:49:03 pippo kernel: audit(1109800143.922:0): avc: denied { write } for pid=1458 exe=/usr/sbin/httpd name=qlily.pref.tmp dev=hda2 ino=2540354 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
>>Mar 2 15:49:03 pippo kernel: audit(1109800143.924:0): avc: denied { write } for pid=1458 exe=/usr/sbin/httpd name=sess_bd54786e5c301c251fd139a22c129872 dev=hda2 ino=2540345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
>>....
>>
>>qlily is the only user I created so far in the system. This user can
>>send/receive email through pine. To test the situation, I created another
>>user msnet. He can login to ssh console, but cannot login to
>>squirrelmail, the error message is:
>>
>>You must be logged in to access this page
>>
>>although the password is correct. His pref file is:
>>
>># ls -lZ /var/lib/squirrelmail/prefs/msnet.pref
>>-rw------- apache apache root:object_r:httpd_var_lib_t /var/lib/squirrelmail/prefs/msnet.pref
>>
>>What's wrong? What package updating caused this problem? How to fix the
>>problem?
>>
>>Thanks a lot!
>>
>>Hongwei Li
>>
>>
>>
>>
>>
>
>Hi,
>
>I have solved the problem. If some people encounter the same problem,
>here is what I did:
>
># fixfiles relabel
>
>(reboot)
>
>Then, all users can log in to squirrelmail, read/send mails normally. I
>created another new user account, it also works.
>
>However, I still have a question. The file contexts properties for the
>existing users and new user are different. In my case, qlily is the
>existing user (the "fixfiles relabel" solved the problem for this
>account), and mmst is a new user created after running fixfiles relabel.
>Please see:
>
># ls -lZ /var/spool/mail/
>-rw-rw---- mmst mail root:object_r:mail_spool_t mmst
>-rw-rw---- qlily mail system_u:object_r:mail_spool_t qlily
>
># ls -lZ /var/lib/squirrelmail/prefs/
>-rw-r--r-- apache apache user_u:object_r:httpd_squirrelmail_t mmst.abook
>-rw------- apache apache user_u:object_r:httpd_squirrelmail_t mmst.pref
>-rw-r--r-- apache apache system_u:object_r:httpd_squirrelmail_t qlily.abook
>-rw------- apache apache system_u:object_r:httpd_squirrelmail_t qlily.pref
>
>Why are they different, but no error message and they don't have any
>problem when they login, read/send mails in pine or squirrelmail?
>
>
>
If the system is relabeled, all system files get labeled with a user of
system_u. When they are created by a user or a service that was restarted
by a user, they get identified by that user's SELinux name (root, user_u).
It should not be a problem in targeted policy. I have no idea why you
got your other errors.
Did you run with SELinux disabled?
Dan
>Strange features of selinux!
>
>Thanks!
>
>Hongwei Li
>
>
>
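An added example, not part of the original messages: it reduces the AVC record quoted above to its source type, permission, target type and class, then checks `ls -lZ` lines by type only, on the assumption (consistent with Dan's reply) that the differing user field (system_u, user_u, root) does not matter for these files under targeted policy. The function names are hypothetical and the sample data is constructed from the listings in this thread.

```bash
#!/bin/sh
# Added example; sample data is constructed from the listings and the AVC
# record quoted in this thread. Function names are hypothetical.

# Type field (third) of an SELinux context user:role:type
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Reduce one AVC denial to "source_type permission target_type class".
avc_summary() {
    printf '%s\n' "$1" | awk '{
        perm = ""; s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)
            else if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/) c = substr($i, 8)
        }
        print s, perm, t, c
    }'
}

# Read `ls -lZ` lines (mode owner group context name) on stdin and print the
# names whose type is not $1. The SELinux user field is deliberately ignored.
mislabeled() {
    awk -v want="$1" '{ split($4, a, ":"); if (a[3] != want) print $5 }'
}

# Constructed sample: the first denial from the thread, on one line.
SAMPLE_AVC='audit(1109800143.922:0): avc: denied { write } for pid=1458 exe=/usr/sbin/httpd name=qlily.pref.tmp dev=hda2 ino=2540354 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file'

# Constructed sample: two post-relabel entries and one pre-relabel entry.
SAMPLE_LS='-rw-r--r-- apache apache user_u:object_r:httpd_squirrelmail_t mmst.abook
-rw------- apache apache system_u:object_r:httpd_squirrelmail_t qlily.pref
-rw-r--r-- apache apache system_u:object_r:var_lib_t qlily.pref.tmp'

# The denial names types only: httpd_t was refused write on a var_lib_t file.
avc_summary "$SAMPLE_AVC"

# mmst.abook (user_u) and qlily.pref (system_u) both pass; only the file
# still typed var_lib_t is reported.
printf '%s\n' "$SAMPLE_LS" | mislabeled httpd_squirrelmail_t
```
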