Re: File Contexts error?


 



Hongwei Li wrote:

Hi,

I have run up2date to update many packages of my fc3 system.  My system
info:
RedHat FC3 linux, kernel 2.6.10-1.766_FC3, selinux enforced (targeted),
iptables enabled
selinux-policy-targeted:     1.17.30-2.19

Then, the root received the following mail:

Invalid File Contexts

/etc/blkid.tab
/etc/asound.state
/etc/ld.so.cache
/etc/.pwd.lock
/etc/hotplug/usb.usermap
/etc/freshclam.conf
/etc/sysconfig/firstboot
/etc/sysconfig/hwconf
/.autofsck
/.fonts.cache-1
/lost+found
/root/install.log
/root/install.log.syslog
/lib/modules/2.6.10-1.766_FC3/modules.ccwmap
/lib/modules/2.6.10-1.766_FC3/modules.alias
/lib/modules/2.6.10-1.766_FC3/modules.dep
/lib/modules/2.6.10-1.766_FC3/modules.inputmap
/lib/modules/2.6.10-1.766_FC3/modules.usbmap
/lib/modules/2.6.10-1.766_FC3/modules.isapnpmap
/lib/modules/2.6.10-1.766_FC3/modules.pcimap
/lib/modules/2.6.10-1.766_FC3/modules.ieee1394map
/lib/modules/2.6.10-1.766_FC3/modules.symbols
/lib/modules/2.6.9-1.667/modules.ccwmap
/lib/modules/2.6.9-1.667/modules.alias
/lib/modules/2.6.9-1.667/modules.dep
/lib/modules/2.6.9-1.667/modules.inputmap
/lib/modules/2.6.9-1.667/modules.usbmap
/lib/modules/2.6.9-1.667/modules.isapnpmap
/lib/modules/2.6.9-1.667/modules.pcimap
/lib/modules/2.6.9-1.667/modules.ieee1394map
/lib/modules/2.6.9-1.667/modules.symbols
/home/lost+found
/tmp/lost+found
/usr/lost+found
/var/log/rpmpkgs
/var/log/httpd/ssl_error_log
/var/log/httpd/ssl_request_log
/var/log/httpd/ssl_access_log
/var/log/httpd/error_log
/var/log/httpd/access_log
/var/log/yum.log
/var/lost+found
/var/run/utmp
/var/lib/squirrelmail/prefs/qlily.pref
/var/lib/squirrelmail/prefs/qlily.abook
/var/lib/php/session/sess_bd54786e5c301c251fd139a22c129872

I don't know which package's updating caused this problem.  Then, I ran:

# restorecon -R /etc/*
# restorecon -R /var/*
# restorecon -R /lib/*
# restorecon -R /usr/*

I got a lot of warnings about symbolic links, that's probably okay.  Now,
the problem is that the user qlily cannot login to squirrelmail.  The
error message is:

Preference file, /var/lib/squirrelmail/prefs/qlily.pref.tmp, could not be
opened. Contact your system administrator to resolve this issue.

Check the files:

# ls -lZ /var/lib/squirrelmail/prefs/qlily.*
-rw-r--r--  apache   apache   system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.abook
-rw-------  apache   apache   system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.pref
-rw-r--r--  apache   apache   system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.pref.tmp

and the log shows:

Mar  2 15:49:03 pippo kernel: audit(1109800143.922:0): avc:  denied  { write } for  pid=1458 exe=/usr/sbin/httpd name=qlily.pref.tmp dev=hda2 ino=2540354 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
Mar  2 15:49:03 pippo kernel: audit(1109800143.924:0): avc:  denied  { write } for  pid=1458 exe=/usr/sbin/httpd name=sess_bd54786e5c301c251fd139a22c129872 dev=hda2 ino=2540345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
....

qlily is the only user I created so far in the system.  This user can
send/receive email through pine.  To test the situation, I created another
user msnet.  He can login to ssh console, but cannot login to
squirrelmail, the error message is:

You must be logged in to access this page

although the password is correct.  His pref file is:

# ls -lZ /var/lib/squirrelmail/prefs/msnet.pref
-rw-------  apache   apache   root:object_r:httpd_var_lib_t
/var/lib/squirrelmail/prefs/msnet.pref

What's wrong?  What package updating caused this problem?  How to fix the
problem?

Thanks a lot!

Hongwei Li






Hi,

I have solved the problem.  If some people encounter the same problem,
here is what I did:

# fixfiles relabel

(reboot)

Then, all users can log in to squirrelmail, read/send mails normally.  I
created another new user account, it also works.

However, I still have a question. The file contexts properties for the
existing users and new user are different. In my case, qlily is the
existing user (the "fixfiles relabel" solved the problem for this
account), and mmst is a new user created after running fixfiles relabel. Please see:


# ls -lZ /var/spool/mail/
-rw-rw----  mmst     mail     root:object_r:mail_spool_t       mmst
-rw-rw----  qlily    mail     system_u:object_r:mail_spool_t   qlily

# ls -lZ /var/lib/squirrelmail/prefs/
-rw-r--r--  apache   apache   user_u:object_r:httpd_squirrelmail_t mmst.abook
-rw-------  apache   apache   user_u:object_r:httpd_squirrelmail_t mmst.pref
-rw-r--r--  apache   apache   system_u:object_r:httpd_squirrelmail_t qlily.abook
-rw-------  apache   apache   system_u:object_r:httpd_squirrelmail_t qlily.pref

Why are they different, but no error message and they don't have any
problem when they login, read/send mails in pine or squirrelmail?



If the system is relabeled, all system files get labeled with a user of system_u. When they are created by a
user or a service that was restarted by a user, they get identified by that user's SELinux name (root, user_u).
It should not be a problem in targeted policy. I have no idea why you got your other errors.
Did you run with SELinux disabled?


Dan

Strange features of selinux!

Thanks!

Hongwei Li


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
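
An added example, not part of the original thread: a Python sketch that parses the two AVC denials and the post-relabel `ls -lZ` listing quoted above. It shows the denials pair source type `httpd_t` with target type `var_lib_t`, while the working files share one type and differ only in the SELinux user field. The function names are hypothetical; the sample data is copied from the messages.

```python
import re

# Sample data copied from the thread (each AVC denial joined onto one line).
AVC_LOG = """\
Mar  2 15:49:03 pippo kernel: audit(1109800143.922:0): avc:  denied  { write } for  pid=1458 exe=/usr/sbin/httpd name=qlily.pref.tmp dev=hda2 ino=2540354 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
Mar  2 15:49:03 pippo kernel: audit(1109800143.924:0): avc:  denied  { write } for  pid=1458 exe=/usr/sbin/httpd name=sess_bd54786e5c301c251fd139a22c129872 dev=hda2 ino=2540345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
"""

# ls -lZ output for /var/lib/squirrelmail/prefs/ after the relabel, from the thread.
LS_Z = """\
-rw-r--r--  apache   apache   user_u:object_r:httpd_squirrelmail_t mmst.abook
-rw-------  apache   apache   user_u:object_r:httpd_squirrelmail_t mmst.pref
-rw-r--r--  apache   apache   system_u:object_r:httpd_squirrelmail_t qlily.abook
-rw-------  apache   apache   system_u:object_r:httpd_squirrelmail_t qlily.pref
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?name=(?P<name>\S+).*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)

def split_context(ctx):
    """Split a user:role:type context (three fields, as shown in the thread)."""
    user, role, type_ = ctx.split(":")[:3]
    return {"user": user, "role": role, "type": type_}

def parse_avc(log):
    """Return one dict per denial with permissions, name, and both types."""
    out = []
    for m in AVC_RE.finditer(log):  # '.' never crosses a newline: one match per line
        src, tgt = split_context(m["scontext"]), split_context(m["tcontext"])
        out.append({"perms": m["perms"].split(), "name": m["name"],
                    "source_type": src["type"], "target_type": tgt["type"],
                    "tclass": m["tclass"]})
    return out

def label_summary(ls_output):
    """Map each SELinux type in ls -lZ output to the set of users seen on it."""
    summary = {}
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) < 5:  # skip blank or wrapped lines
            continue
        ctx = split_context(fields[3])  # perms, owner, group, context, name
        summary.setdefault(ctx["type"], set()).add(ctx["user"])
    return summary
```
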



