What to do about "invalid context"


Could anyone explain what is wrong when I get the error below?

The problem:

  I get error messages when I try to run crontab.

    mimmi> env LANG=en_US.utf8 crontab -l

    Authentication service cannot retrieve authentication info
    You (göran) are not allowed to access to (crontab) because of pam configuration.

What I have found out:

  In the audit log there is this entry:

    mimmi> sudo ausearch -a 3208
    ----
    time->Sat Jun 14 11:17:09 2008
    type=SYSCALL msg=audit(1213435029.953:3208): arch=c000003e syscall=59 success=no exit=-13 a0=7f7c49c10238 a1=7fff57b9d760 a2=7f7c49e11f50 a3=7f7c4f562a70 items=0 ppid=5234 pid=5236 auid=503 uid=0 gid=503 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
    type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid:  invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process


  Using strace I see that crontab tries to exec /sbin/unix_update and
  fails, which I suppose is what this message is about:

    4826  execve("/sbin/unix_update", ["/sbin/unix_update", "g\303\266ran", "verify"], [/* 0 vars */]) = -1 EACCES (Permission denied)

  My first thought was that maybe the label on unix_update had not been
  correctly updated in some upgrade or so.  But doing a restorecon on
  it didn't change its context (system_u:object_r:updpwd_exec_t:s0).


I assume there is something broken in the host configurations, rather
than some bug in the policy.  But I don't understand what it is or
what to do about it.  I'm usually able to figure out
"type=AVC"/"avc: denied" issues, but what do I do about a
"type=SELINUX_ERR"/"invalid context"?

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
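
An added example, not part of the original message: a small Python parser that joins a SELINUX_ERR "invalid context" record with the SYSCALL record sharing its event serial, and reports which fields of the rejected context differ from the caller's context. The function names are hypothetical; the sample input is the two records of event 3208 quoted in the post, with the SYSCALL record abridged.

```python
import re

# Sample input: event 3208 as quoted in the post (SYSCALL record abridged).
SAMPLE = '''type=SYSCALL msg=audit(1213435029.953:3208): arch=c000003e syscall=59 success=no exit=-13 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid:  invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process'''

HEADER = re.compile(r'type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
INVALID = re.compile(r'invalid context (\S+) for scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain colons."""
    user, role, typ, *rng = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': typ, 'range': rng[0] if rng else ''}

def explain_invalid_contexts(text):
    """Return one finding per 'invalid context' record, joined with its SYSCALL record."""
    syscalls, errors = {}, []
    for line in text.splitlines():
        head = HEADER.search(line)
        if not head:
            continue  # not an audit record line (e.g. the '----' separator)
        rtype, serial = head.groups()
        if rtype == 'SYSCALL':
            syscalls[serial] = dict(FIELD.findall(line[head.end():]))
        elif rtype == 'SELINUX_ERR' and (m := INVALID.search(line)):
            errors.append((serial, *m.groups()))
    findings = []
    for serial, bad, scon, tcon, tclass in errors:
        rejected, source = split_context(bad), split_context(scon)
        call = syscalls.get(serial, {})  # records of one event may arrive in any order
        findings.append({
            'event': serial,
            'exe': call.get('exe', '').strip('"'),
            'exit': call.get('exit'),
            'tclass': tclass,
            'rejected': rejected,
            'target_type': split_context(tcon)['type'],
            # Fields of the rejected context that differ from the caller's context.
            'changed': [k for k in rejected if rejected[k] != source[k]],
        })
    return findings

if __name__ == '__main__':
    for finding in explain_invalid_contexts(SAMPLE):
        print(finding)
```

For the event in the post, the only changed field is the type: the rejected context keeps the user, role and range of scontext and replaces unconfined_crontab_t with updpwd_t.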
