fedora-selinux June 2008 archive

Re: What to do about "invalid context"

From: Stephen Smalley <sds_at_nospam>
Date: Mon Jun 16 2008 - 13:04:31 GMT
To: Göran Uddeborg <goeran@uddeborg.se>

On Sat, 2008-06-14 at 11:33 +0200, Göran Uddeborg wrote:
> Could anyone explain what is wrong when I get the error below?
>
> The problem:
>
> I get error messages when I try to run crontab.
>
> mimmi> env LANG=en_US.utf8 crontab -l
>
> Authentication service cannot retrieve authentication info
> You (göran) are not allowed to access to (crontab) because of pam configuration.
>
> What I have found out:
>
> In the audit log there is this entry:
>
> mimmi> sudo ausearch -a 3208
> ----
> time->Sat Jun 14 11:17:09 2008
> type=SYSCALL msg=audit(1213435029.953:3208): arch=c000003e syscall=59 success=no exit=-13 a0=7f7c49c10238 a1=7fff57b9d760 a2=7f7c49e11f50 a3=7f7c4f562a70 items=0 ppid=5234 pid=5236 auid=503 uid=0 gid=503 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
> type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid: invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process
>
>
> Using strace I see that crontab tries to exec /sbin/unix_update and
> fails, which I suppose is what this message is about:
>
> 4826 execve("/sbin/unix_update", ["/sbin/unix_update", "g\303\266ran", "verify"], [/* 0 vars */]) = -1 EACCES (Permission denied)
>
> My first thought was that maybe the label on unix_update had not been
> correctly updated in some upgrade or so. But doing a restorecon on
> it didn't change its context (system_u:object_r:updpwd_exec_t:s0).
>
>
> I assume there is something broken in the host configurations, rather
> than some bug in the policy. But I don't understand what it is or
> what to do about it. I'm usually able to figure out
> "type=AVC"/"avc: denied" issues, but what do I do about a
> "type=SELINUX_ERR"/"invalid context"?

Missing role-type statement, a la:

# cat myupdpwd.te
module myupdate 1.0;

require {
	role unconfined_r;
	type updpwd_exec_t;
}

role unconfined_r types updpwd_exec_t;

# make -f /usr/share/selinux/devel/Makefile myupdpwd.pp
# semodule -i myupdpwd.pp

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
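As an added triage example (not code from this thread or from either poster), the Python below picks SELINUX_ERR "invalid context" records out of audit output, splits the rejected context into user/role/type/range, and for a process-class failure emits the role-type statement that pairs the role and new type the kernel refused to combine. The SELINUX_ERR record is the one quoted above; the AVC line beside it is constructed filler to show that ordinary denials are skipped.

```python
import re

# Sample audit output: the SELINUX_ERR record from the thread plus one constructed AVC line.
SAMPLE_RECORDS = [
    'type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid: '
    'invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 '
    'for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process',
    'type=AVC msg=audit(1213435029.953:3209): avc:  denied  { read } for pid=5236 '
    'comm="crontab" scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',  # constructed, not from the thread
]

INVALID_CTX_RE = re.compile(
    r'type=SELINUX_ERR .*?invalid context (?P<ctx>\S+) '
    r'for scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def split_context(ctx):
    """Split user:role:type[:range] into fields; the MLS range itself may contain ':'."""
    user, role, type_, *rest = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': type_, 'range': rest[0] if rest else ''}


def parse_invalid_contexts(records):
    """Return one dict per SELINUX_ERR 'invalid context' record; AVC and other records are ignored."""
    found = []
    for rec in records:
        m = INVALID_CTX_RE.search(rec)
        if not m:
            continue
        found.append({
            'invalid': split_context(m.group('ctx')),
            'source': split_context(m.group('scontext')),
            'target': split_context(m.group('tcontext')),
            'tclass': m.group('tclass'),
        })
    return found


def suggest_role_type(entry):
    """On exec the new context keeps the caller's role but takes the transition's new type.
    If the policy does not authorise that role for that type, security_compute_sid rejects
    the context; the role-type statement naming that pair is what is missing."""
    if entry['tclass'] != 'process':
        return None
    return f"role {entry['invalid']['role']} types {entry['invalid']['type']};"
```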