File Contexts error?

Daniel J Walsh dwalsh at redhat.com
Mon Mar 7 15:44:28 UTC 2005


Hongwei Li wrote:

>>Hi,
>>
>>I have run up2date to update many packages of my fc3 system.  My system
>>info:
>>RedHat FC3 linux, kernel 2.6.10-1.766_FC3, selinux enforced (targeted),
>>iptables enabled
>>selinux-policy-targeted:     1.17.30-2.19
>>
>>Then, the root received the following mail:
>>
>>Invalid File Contexts
>>
>>/etc/blkid.tab
>>/etc/asound.state
>>/etc/ld.so.cache
>>/etc/.pwd.lock
>>/etc/hotplug/usb.usermap
>>/etc/freshclam.conf
>>/etc/sysconfig/firstboot
>>/etc/sysconfig/hwconf
>>/.autofsck
>>/.fonts.cache-1
>>/lost+found
>>/root/install.log
>>/root/install.log.syslog
>>/lib/modules/2.6.10-1.766_FC3/modules.ccwmap
>>/lib/modules/2.6.10-1.766_FC3/modules.alias
>>/lib/modules/2.6.10-1.766_FC3/modules.dep
>>/lib/modules/2.6.10-1.766_FC3/modules.inputmap
>>/lib/modules/2.6.10-1.766_FC3/modules.usbmap
>>/lib/modules/2.6.10-1.766_FC3/modules.isapnpmap
>>/lib/modules/2.6.10-1.766_FC3/modules.pcimap
>>/lib/modules/2.6.10-1.766_FC3/modules.ieee1394map
>>/lib/modules/2.6.10-1.766_FC3/modules.symbols
>>/lib/modules/2.6.9-1.667/modules.ccwmap
>>/lib/modules/2.6.9-1.667/modules.alias
>>/lib/modules/2.6.9-1.667/modules.dep
>>/lib/modules/2.6.9-1.667/modules.inputmap
>>/lib/modules/2.6.9-1.667/modules.usbmap
>>/lib/modules/2.6.9-1.667/modules.isapnpmap
>>/lib/modules/2.6.9-1.667/modules.pcimap
>>/lib/modules/2.6.9-1.667/modules.ieee1394map
>>/lib/modules/2.6.9-1.667/modules.symbols
>>/home/lost+found
>>/tmp/lost+found
>>/usr/lost+found
>>/var/log/rpmpkgs
>>/var/log/httpd/ssl_error_log
>>/var/log/httpd/ssl_request_log
>>/var/log/httpd/ssl_access_log
>>/var/log/httpd/error_log
>>/var/log/httpd/access_log
>>/var/log/yum.log
>>/var/lost+found
>>/var/run/utmp
>>/var/lib/squirrelmail/prefs/qlily.pref
>>/var/lib/squirrelmail/prefs/qlily.abook
>>/var/lib/php/session/sess_bd54786e5c301c251fd139a22c129872
>>
>>I don't know which package's updating caused this problem.  Then, I run:
>>
>># restorecon -R /etc/*
>># restorecon -R /var/*
>># restorecon -R /lib/*
>># restorecon -R /usr/*
>>
>>I got a lot of warnings about symbolic links, that's probably okay.  Now,
>>the problem is that the user qlily cannot login to squirrelmail.  The
>>error message is:
>>
>>Preference file, /var/lib/squirrelmail/prefs/qlily.pref.tmp, could not be
>>opened. Contact your system administrator to resolve this issue.
>>
>>Check the files:
>>
>># ls -lZ /var/lib/squirrelmail/prefs/qlily.*
>>-rw-r--r--  apache   apache   system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.abook
>>-rw-------  apache   apache   system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.pref
>>-rw-r--r--  apache   apache   system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.pref.tmp
>>
>>and the log shows:
>>
>>Mar  2 15:49:03 pippo kernel: audit(1109800143.922:0): avc:  denied  { write } for  pid=1458 exe=/usr/sbin/httpd name=qlily.pref.tmp dev=hda2 ino=2540354 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
>>Mar  2 15:49:03 pippo kernel: audit(1109800143.924:0): avc:  denied  { write } for  pid=1458 exe=/usr/sbin/httpd name=sess_bd54786e5c301c251fd139a22c129872 dev=hda2 ino=2540345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
>>....
>>
>>qlily is the only user I created so far in the system.  This user can
>>send/receive email through pine.  To test the situation, I created another
>>user msnet.  He can login to ssh console, but cannot login to
>>squirrelmail, the error message is:
>>
>>You must be logged in to access this page
>>
>>although the password is correct.  His pref file is:
>>
>># ls -lZ /var/lib/squirrelmail/prefs/msnet.pref
>>-rw-------  apache   apache   root:object_r:httpd_var_lib_t /var/lib/squirrelmail/prefs/msnet.pref
>>
>>What's wrong?  What package updating caused this problem?  How to fix the
>>problem?
>>
>>Thanks a lot!
>>
>>Hongwei Li
>>
>
>Hi,
>
>I have solved the problem.  If some people encounter the same problem,
>here is what I did:
>
># fixfiles relabel
>
>(reboot)
>
>Then, all users can log in squirrelmail, read/send mails normally.  I
>created another new user account, it also works.
>
>However, I still have a question.  The file contexts properties for the
>existing users and new user are different.  In my case, qlily is the
>existing user (the "fixfiles relabel" solved the problem for this
>account), and mmst is a new user created after running fixfiles relabel.
>Please see:
>
># ls -lZ /var/spool/mail/
>-rw-rw----  mmst     mail     root:object_r:mail_spool_t       mmst
>-rw-rw----  qlily    mail     system_u:object_r:mail_spool_t   qlily
>
># ls -lZ /var/lib/squirrelmail/prefs/
>-rw-r--r--  apache   apache   user_u:object_r:httpd_squirrelmail_t mmst.abook
>-rw-------  apache   apache   user_u:object_r:httpd_squirrelmail_t mmst.pref
>-rw-r--r--  apache   apache   system_u:object_r:httpd_squirrelmail_t qlily.abook
>-rw-------  apache   apache   system_u:object_r:httpd_squirrelmail_t qlily.pref
>
>Why are they different, but no error message and they don't have any
>problem when they login, read/send mails in pine or squirrelmail?
>
>  
>
If the system is relabeled, all system files get labeled with a user of
system_u.  When they are created by a user, or by a service that was
restarted by a user, they get identified by that user's SELinux name
(root, user_u).
It should not be a problem in targeted policy.  I have no idea why you
got your other errors.
Did you run with SELinux disabled?

Dan

>Strange features of selinux!
>
>Thanks!
>
>Hongwei Li
>
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>  
>
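An added example, not part of the original thread: a short Python script that parses the AVC denial and the `ls -lZ` listings quoted above and reports files by the type field of their context, ignoring the user field, which is the distinction Dan's reply draws. The names `parse_context`, `parse_avc`, `mislabeled` and `EXPECTED_TYPE` are hypothetical, and treating the post-relabel type as the expected one is an assumption.

```python
import re

# Lines copied from the thread above, with the mail client's line wraps joined.
AVC_LINE = ("Mar  2 15:49:03 pippo kernel: audit(1109800143.922:0): avc:  denied  "
            "{ write } for  pid=1458 exe=/usr/sbin/httpd name=qlily.pref.tmp dev=hda2 "
            "ino=2540354 scontext=root:system_r:httpd_t "
            "tcontext=system_u:object_r:var_lib_t tclass=file")
LS_BEFORE = [
    "-rw-r--r--  apache   apache   system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.abook",
    "-rw-------  apache   apache   system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.pref",
]
LS_AFTER = [
    "-rw-------  apache   apache   user_u:object_r:httpd_squirrelmail_t mmst.pref",
    "-rw-------  apache   apache   system_u:object_r:httpd_squirrelmail_t qlily.pref",
]
# Assumption: the type seen after "fixfiles relabel" is the one policy expects here.
EXPECTED_TYPE = "httpd_squirrelmail_t"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")

def parse_context(ctx):
    """Split user:role:type; any further field after the type is ignored."""
    user, role, setype = ctx.split(":")[:3]
    return {"user": user, "role": role, "type": setype}

def parse_avc(line):
    """Extract the fields of a denial that matter for a labeling diagnosis."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = dict(f.split("=", 1) for f in m.group(2).split() if "=" in f)
    return {"perms": m.group(1).split(), "name": kv.get("name"),
            "tclass": kv.get("tclass"),
            "source_type": parse_context(kv["scontext"])["type"],
            "target_type": parse_context(kv["tcontext"])["type"]}

def mislabeled(ls_lines, expected_type=EXPECTED_TYPE):
    """Names whose *type* differs from expected; the user field is ignored."""
    bad = []
    for line in ls_lines:
        _mode, _owner, _group, ctx, name = line.split()
        if parse_context(ctx)["type"] != expected_type:
            bad.append(name)
    return bad

if __name__ == "__main__":
    print(parse_avc(AVC_LINE))
    print(mislabeled(LS_BEFORE), mislabeled(LS_AFTER))
```

The pre-relabel files are reported because their type is `var_lib_t`; the post-relabel files pass even though one carries `user_u` and the other `system_u`.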
