What to do about "invalid context"
Stephen Smalley
sds at tycho.nsa.gov
Mon Jun 16 13:04:31 UTC 2008
On Sat, 2008-06-14 at 11:33 +0200, Göran Uddeborg wrote:
> Could anyone explain what is wrong when I get the error below?
>
> The problem:
>
> I get error messages when I try to run crontab.
>
> mimmi> env LANG=en_US.utf8 crontab -l
>
> Authentication service cannot retrieve authentication info
> You (göran) are not allowed to access to (crontab) because of pam configuration.
>
> What I have found out:
>
> In the audit log there is this entry:
>
> mimmi> sudo ausearch -a 3208
> ----
> time->Sat Jun 14 11:17:09 2008
> type=SYSCALL msg=audit(1213435029.953:3208): arch=c000003e syscall=59 success=no exit=-13 a0=7f7c49c10238 a1=7fff57b9d760 a2=7f7c49e11f50 a3=7f7c4f562a70 items=0 ppid=5234 pid=5236 auid=503 uid=0 gid=503 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
> type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid: invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process
>
>
> Using strace I see that crontab tries to exec /sbin/unix_update and
> fails, which I suppose is what this message is about:
>
> 4826 execve("/sbin/unix_update", ["/sbin/unix_update", "g\303\266ran", "verify"], [/* 0 vars */]) = -1 EACCES (Permission denied)
>
> My first thought was that maybe the label on unix_update had not been
> correctly updated in some upgrade or so. But doing a restorecon on
> it didn't change its context (system_u:object_r:updpwd_exec_t:s0).
>
>
> I assume there is something broken in the host configurations, rather
> than some bug in the policy. But I don't understand what it is or
> what to do about it. I'm usually able to figure out
> "type=AVC"/"avc: denied" issues, but what do I do about a
> "type=SELINUX_ERR"/"invalid context"?
Missing role-type statement, ala:
# cat myupdpwd.te
# Local policy module: authorize the unconfined_r role for the updpwd_t
# domain, so that unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023
# (the context the kernel computed for exec of updpwd_exec_t) is valid.
# Note: the role statement must name the process domain (updpwd_t),
# not the entry-point file type (updpwd_exec_t).
module myupdpwd 1.0;
require {
        role unconfined_r;
        type updpwd_t;
}
role unconfined_r types updpwd_t;
# make -f /usr/share/selinux/devel/Makefile myupdpwd.pp
# semodule -i myupdpwd.pp
--
Stephen Smalley
National Security Agency
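As an added example (not part of the thread above, and not code from Stephen or from the Fedora policy), here is a small POSIX shell script that extracts the role and domain type from a SELINUX_ERR "invalid context" record and emits the role-type local policy module that record calls for. The sample audit line is the one quoted in the question; the module name "myupdpwd" is an assumption. It only handles tclass=process records, and it assumes the missing piece is the role-type pairing; an invalid context can also arise because the SELinux user is not authorized for the role, which needs a user-role statement instead and is not detected here.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Derives the role and process type from a SELINUX_ERR "invalid context"
# record and generates a .te module that authorizes the role for the type.

# Constructed sample input: the SELINUX_ERR line quoted in the question.
SAMPLE_ERR='type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid: invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process'

# invalid_role_type LINE
#   Prints "ROLE TYPE" taken from the invalid context in LINE.
#   Returns 1 for records that are not process-class invalid contexts
#   (those are not role-type problems).
invalid_role_type() {
    case $1 in
        *'invalid context '*'tclass=process'*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" \
      | sed -n 's/.*invalid context \([^:]*\):\([^:]*\):\([^:]*\):.*/\2 \3/p'
}

# gen_role_module NAME ROLE TYPE
#   Prints the body of a local policy module that adds
#   "role ROLE types TYPE;" with the required declarations.
gen_role_module() {
    name=$1
    role=$2
    type=$3
    cat <<EOF
module $name 1.0;
require {
    role $role;
    type $type;
}
# Authorize $role for the $type domain so the computed context is valid.
role $role types $type;
EOF
}

# Demo: turn the sample record into a module (assumed name: myupdpwd).
# Build and load it with the same commands as in the reply above:
#   make -f /usr/share/selinux/devel/Makefile myupdpwd.pp
#   semodule -i myupdpwd.pp
invalid_role_type "$SAMPLE_ERR" | {
    read -r role type
    gen_role_module myupdpwd "$role" "$type" > myupdpwd.te
}
cat myupdpwd.te
rm -f myupdpwd.te
```

Before loading the generated module, check that the role and type it names really exist in the loaded policy (for instance with seinfo), and confirm the role is what the user is actually meant to run under; authorizing a role for a domain widens what that role can do.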
More information about the fedora-selinux-list mailing list