What to do about "invalid context"

Stephen Smalley sds at tycho.nsa.gov
Mon Jun 16 13:04:31 UTC 2008


On Sat, 2008-06-14 at 11:33 +0200, Göran Uddeborg wrote:
> Could anyone explain what is wrong when I get the error below?
> 
> The problem:
> 
>   I get error messages when I try to run crontab.
> 
>     mimmi> env LANG=en_US.utf8 crontab -l
> 
>     Authentication service cannot retrieve authentication info
>     You (göran) are not allowed to access to (crontab) because of pam configuration.
> 
> What I have found out:
> 
>   In the audit log there is this entry:
> 
>     mimmi> sudo ausearch -a 3208
>     ----
>     time->Sat Jun 14 11:17:09 2008
>     type=SYSCALL msg=audit(1213435029.953:3208): arch=c000003e syscall=59 success=no exit=-13 a0=7f7c49c10238 a1=7fff57b9d760 a2=7f7c49e11f50 a3=7f7c4f562a70 items=0 ppid=5234 pid=5236 auid=503 uid=0 gid=503 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
>     type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid:  invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process
> 
> 
>   Using strace I see that crontab tries to exec /sbin/unix_update and
>   fails, which I suppose is what this message is about:
> 
>     4826  execve("/sbin/unix_update", ["/sbin/unix_update", "g\303\266ran", "verify"], [/* 0 vars */]) = -1 EACCES (Permission denied)
> 
>   My first thought was that maybe the label on unix_update had not been
>   correctly updated in some upgrade or so.  But doing a restorecon on
>   it didn't change its context (system_u:object_r:updpwd_exec_t:s0).
> 
> 
> I assume there is something broken in the host configurations, rather
> than some bug in the policy.  But I don't understand what it is or
> what to do about it.  I'm usually able to figure out
> "type=AVC"/"avc: denied" issues, but what do I do about a
> "type=SELINUX_ERR"/"invalid context"?

Missing role-type statement, ala:
# cat myupdpwd.te 
module myupdpwd 1.0;

require {
        role unconfined_r;
        type updpwd_t;
}

# The rejected context is unconfined_u:unconfined_r:updpwd_t, so the role
# must be authorized for the updpwd_t domain (the process type), not for
# the updpwd_exec_t file type that the transition starts from.
role unconfined_r types updpwd_t;

# make -f /usr/share/selinux/devel/Makefile myupdpwd.pp
# semodule -i myupdpwd.pp

-- 
Stephen Smalley
National Security Agency
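Added example, not from the thread: a POSIX shell helper that pulls the role and type out of a SELINUX_ERR "invalid context" record like the one quoted above and emits the matching role-type policy module. The audit line is a constructed copy of the one in the question; the module name myupdpwd is assumed.

```shell
#!/bin/sh
# Added helper, not from the mailing-list thread: turn a SELINUX_ERR
# "invalid context" record into the role-type statement it is missing.

# Print "<role> <type>" of the rejected context. Only tclass=process
# records are handled: role/type authorization is a property of process
# contexts, so an invalid context on another class needs a different fix.
role_type_from_err() {
    case "$1" in
        *tclass=process*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" |
        sed -n 's/.*invalid context \([^:]*\):\([^:]*\):\([^:]*\):.*/\2 \3/p'
}

# Emit a minimal policy module named $1 that authorizes role $2 for the
# domain type $3, in the same shape as the module in the reply above.
gen_te() {
    cat <<EOF
module $1 1.0;

require {
    role $2;
    type $3;
}

role $2 types $3;
EOF
}

# Constructed copy of the audit record quoted in the question.
SAMPLE='type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid:  invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process'

# When run directly: print the .te for the sample record. Compile and
# install it afterwards with
#   make -f /usr/share/selinux/devel/Makefile myupdpwd.pp && semodule -i myupdpwd.pp
if rt=$(role_type_from_err "$SAMPLE"); then
    set -- $rt
    gen_te myupdpwd "$1" "$2"
fi
```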