What to do about "invalid context"
Göran Uddeborg
goeran at uddeborg.se
Sat Jun 14 09:33:48 UTC 2008
Could anyone explain what is wrong when I get the error below?
The problem:
I get error messages when I try to run crontab.
mimmi> env LANG=en_US.utf8 crontab -l
Authentication service cannot retrieve authentication info
You (göran) are not allowed to access to (crontab) because of pam configuration.
What I have found out:
In the audit log there is this entry:
mimmi> sudo ausearch -a 3208
----
time->Sat Jun 14 11:17:09 2008
type=SYSCALL msg=audit(1213435029.953:3208): arch=c000003e syscall=59 success=no exit=-13 a0=7f7c49c10238 a1=7fff57b9d760 a2=7f7c49e11f50 a3=7f7c4f562a70 items=0 ppid=5234 pid=5236 auid=503 uid=0 gid=503 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid: invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process
Using strace I see that crontab tries to exec /sbin/unix_update and
fails, which I suppose is what this message is about:
4826 execve("/sbin/unix_update", ["/sbin/unix_update", "g\303\266ran", "verify"], [/* 0 vars */]) = -1 EACCES (Permission denied)
My first thought was that maybe the label on unix_update had not been
correctly updated in some upgrade or so. But doing a restorecon on
it didn't change its context (system_u:object_r:updpwd_exec_t:s0).
I assume there is something broken in the host configurations, rather
than some bug in the policy. But I don't understand what it is or
what to do about it. I'm usually able to figure out
"type=AVC"/"avc: denied" issues, but what do I do about a
"type=SELINUX_ERR"/"invalid context"?
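Added example, not part of the original post: a Python parser for the SELINUX_ERR record quoted in the message. It splits the rejected context into its fields, shows which fields were carried over from scontext, and lists the user-role and role-type pairs the loaded policy has to authorize for that context to be valid. The names `split_context` and `analyze` are hypothetical; the record is the one from the post.

```python
import re

# type=SELINUX_ERR record copied from the post above.
RECORD = ('type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid: '
          'invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 '
          'for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 '
          'tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process')

PATTERN = re.compile(
    r'security_compute_sid:\s+invalid context (?P<computed>\S+)'
    r' for scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
    r' tclass=(?P<tclass>\S+)')

def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':'."""
    user, role, type_, *rest = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': type_,
            'range': rest[0] if rest else ''}

def analyze(record):
    """Return a breakdown of an 'invalid context' record, or None if no match."""
    m = PATTERN.search(record)
    if m is None:
        return None
    computed = split_context(m['computed'])
    source = split_context(m['scontext'])
    # Fields the computed context carries over unchanged from the source context.
    inherited = [k for k in ('user', 'role', 'type', 'range')
                 if computed[k] == source[k]]
    return {
        'tclass': m['tclass'],
        'computed': computed,
        'inherited_from_scontext': inherited,
        'new_type': computed['type'] if computed['type'] != source['type'] else None,
        # Pairs the loaded policy must authorize for the context to be valid
        # (the MLS range must also fit the user's range; not checked here).
        'policy_must_allow': [
            ('user-role', computed['user'], computed['role']),
            ('role-type', computed['role'], computed['type']),
        ],
    }

if __name__ == '__main__':
    result = analyze(RECORD)
    print('kept from scontext:', result['inherited_from_scontext'])
    print('type after exec   :', result['new_type'])
    for kind, left, right in result['policy_must_allow']:
        print(f'check {kind}: {left} -> {right}')
```

The pairs it prints can then be compared against the loaded policy with a policy query tool such as seinfo from setools.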