File Contexts error?

Daniel J Walsh dwalsh at
Mon Mar 7 15:44:28 UTC 2005

Hongwei Li wrote:

>>I have run up2date to update many packages of my fc3 system.  My system
>>RedHat FC3 linux, kernel 2.6.10-1.766_FC3, selinux enforced (targeted),
>>iptables enabled
>>selinux-policy-targeted:     1.17.30-2.19
>>Then, the root received the following mail:
>>Invalid File Contexts
>>I don't know which package's updating caused this problem.  Then, I ran:
>># restorecon -R /etc/*
>># restorecon -R /var/*
>># restorecon -R /lib/*
>># restorecon -R /usr/*
>>I got a lot of warnings about symbolic links, that's probably okay.  Now,
>>the problem is that the user qlily cannot login to squirrelmail.  The
>>error message is:
>>Preference file, /var/lib/squirrelmail/prefs/qlily.pref.tmp, could not be
>>opened. Contact your system administrator to resolve this issue.
>>Check the files:
>># ls -lZ /var/lib/squirrelmail/prefs/qlily.*
>>-rw-r--r--  apache   apache   system_u:object_r:var_lib_t
>>-rw-------  apache   apache   system_u:object_r:var_lib_t
>>-rw-r--r--  apache   apache   system_u:object_r:var_lib_t
>>and the log shows:
>>Mar  2 15:49:03 pippo kernel: audit(1109800143.922:0): avc:  denied  {
>>write } for  pid=1458 exe=/usr/sbin/httpd name=qlily.pref.tmp dev=hda2
>>ino=2540354 scontext=root:system_r:httpd_t
>>tcontext=system_u:object_r:var_lib_t tclass=file
>>Mar  2 15:49:03 pippo kernel: audit(1109800143.924:0): avc:  denied  {
>>write } for  pid=1458 exe=/usr/sbin/httpd
>>name=sess_bd54786e5c301c251fd139a22c129872 dev=hda2 ino=2540345
>>scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t
>>qlily is the only user I created so far in the system.  This user can
>>send/receive email through pine.  To test the situation, I created another
>>user msnet.  He can login to ssh console, but cannot login to
>>squirrelmail, the error message is:
>>You must be logged in to access this page
>>although the password is correct.  His pref file is:
>># ls -lZ /var/lib/squirrelmail/prefs/msnet.pref
>>-rw-------  apache   apache   root:object_r:httpd_var_lib_t
>>What's wrong?  What package updating caused this problem?  How to fix the
>>Thanks a lot!
>>Hongwei Li
>I have solved the problem.  If some people encounter the same problem,
>here is what I did:
># fixfiles relabel
>Then, all users can log in to squirrelmail, read/send mails normally.  I
>created another new user account, it also works.
>However, I still have a question.  The file contexts properties for the
>existing users and new user are different.  In my case, qlily is the
>existing user (the "fixfiles relabel" solved the problem for this
>account), and mmst is a new user created after running fixfiles relabel.
>Please see:
># ls -lZ /var/spool/mail/
>-rw-rw----  mmst     mail     root:object_r:mail_spool_t       mmst
>-rw-rw----  qlily    mail     system_u:object_r:mail_spool_t   qlily
># ls -lZ /var/lib/squirrelmail/prefs/
>-rw-r--r--  apache   apache   user_u:object_r:httpd_squirrelmail_t mmst.abook
>-rw-------  apache   apache   user_u:object_r:httpd_squirrelmail_t mmst.pref
>-rw-r--r--  apache   apache   system_u:object_r:httpd_squirrelmail_t
>-rw-------  apache   apache   system_u:object_r:httpd_squirrelmail_t
>Why are they different, but no error message and they don't have any
>problem when they login, read/send mails in pine or squirrelmail?
If the system is relabeled, all system files get labeled with a user of
system_u; when they are created by a user or a service that was
restarted by a user, they get identified by that user's SELinux name
(root, user_u).
It should not be a problem in targeted policy.  I have no idea why you 
got your other errors.
Did you run with SELinux disabled?


>Strange features of selinux!
>Hongwei Li
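
Added example (not part of the original thread and not the posters' or the SELinux project's code): a small Python parser for the AVC denial lines quoted above that groups them by source type, target type and permission, plus a helper that compares two contexts while ignoring the user field, the field the reply says differs between relabeled and newly created files. Function names are hypothetical; the log lines are the ones from the post with the mail line-wraps joined.

```python
import re
from collections import Counter

# Log lines copied from the post above, with the mail line-wraps joined.
# The second record has no tclass= field on the page, so none is added here.
SAMPLE_LOG = """\
Mar  2 15:49:03 pippo kernel: audit(1109800143.922:0): avc:  denied  { write } for  pid=1458 exe=/usr/sbin/httpd name=qlily.pref.tmp dev=hda2 ino=2540354 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
Mar  2 15:49:03 pippo kernel: audit(1109800143.924:0): avc:  denied  { write } for  pid=1458 exe=/usr/sbin/httpd name=sess_bd54786e5c301c251fd139a22c129872 dev=hda2 ino=2540345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def split_context(ctx):
    """Split the three-field user:role:type form shown in the post."""
    user, role, setype = ctx.split(":")[:3]
    return {"user": user, "role": role, "type": setype}

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "perms": tuple(m.group(1).split()),
        "name": fields.get("name"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
        "tclass": fields.get("tclass"),  # None when the record is truncated
    }

def summarize(log_text):
    """Count denials per (source type, target type, permissions)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        counts[(rec["source"]["type"], rec["target"]["type"], rec["perms"])] += 1
    return counts

def same_label_ignoring_user(ctx_a, ctx_b):
    # Assumption, following the reply above: under targeted policy a differing
    # user field (system_u, root, user_u) is not treated as a mismatch.
    a, b = split_context(ctx_a), split_context(ctx_b)
    return (a["role"], a["type"]) == (b["role"], b["type"])

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
```

Run over the two quoted records, the summary shows both denials are httpd_t writing to var_lib_t, while the mmst and qlily entries listed after the relabel compare as equal once the user field is ignored.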