Hongwei Li wrote:
>Hi,
>
>I have run up2date to update many packages of my fc3 system. My system
>info:
>RedHat FC3 linux, kernel 2.6.10-1.766_FC3, selinux enforced (targeted),
>iptables enabled
>selinux-policy-targeted: 1.17.30-2.19
>
>Then, the root received the following mail:
>
>Invalid File Contexts
>
>/etc/blkid.tab
>/etc/asound.state
>/etc/ld.so.cache
>/etc/.pwd.lock
>/etc/hotplug/usb.usermap
>/etc/freshclam.conf
>/etc/sysconfig/firstboot
>/etc/sysconfig/hwconf
>/.autofsck
>/.fonts.cache-1
>/lost+found
>/root/install.log
>/root/install.log.syslog
>/lib/modules/2.6.10-1.766_FC3/modules.ccwmap
>/lib/modules/2.6.10-1.766_FC3/modules.alias
>/lib/modules/2.6.10-1.766_FC3/modules.dep
>/lib/modules/2.6.10-1.766_FC3/modules.inputmap
>/lib/modules/2.6.10-1.766_FC3/modules.usbmap
>/lib/modules/2.6.10-1.766_FC3/modules.isapnpmap
>/lib/modules/2.6.10-1.766_FC3/modules.pcimap
>/lib/modules/2.6.10-1.766_FC3/modules.ieee1394map
>/lib/modules/2.6.10-1.766_FC3/modules.symbols
>/lib/modules/2.6.9-1.667/modules.ccwmap
>/lib/modules/2.6.9-1.667/modules.alias
>/lib/modules/2.6.9-1.667/modules.dep
>/lib/modules/2.6.9-1.667/modules.inputmap
>/lib/modules/2.6.9-1.667/modules.usbmap
>/lib/modules/2.6.9-1.667/modules.isapnpmap
>/lib/modules/2.6.9-1.667/modules.pcimap
>/lib/modules/2.6.9-1.667/modules.ieee1394map
>/lib/modules/2.6.9-1.667/modules.symbols
>/home/lost+found
>/tmp/lost+found
>/usr/lost+found
>/var/log/rpmpkgs
>/var/log/httpd/ssl_error_log
>/var/log/httpd/ssl_request_log
>/var/log/httpd/ssl_access_log
>/var/log/httpd/error_log
>/var/log/httpd/access_log
>/var/log/yum.log
>/var/lost+found
>/var/run/utmp
>/var/lib/squirrelmail/prefs/qlily.pref
>/var/lib/squirrelmail/prefs/qlily.abook
>/var/lib/php/session/sess_bd54786e5c301c251fd139a22c129872
>
>I don't know which package's updating caused this problem. Then, I ran:
>
># restorecon -R /etc/*
># restorecon -R /var/*
># restorecon -R /lib/*
># restorecon -R /usr/*
>
>I got a lot of warnings about symbolic links, that's probably okay. Now,
>the problem is that the user qlily cannot login to squirrelmail. The
>error message is:
>
>Preference file, /var/lib/squirrelmail/prefs/qlily.pref.tmp, could not be
>opened. Contact your system administrator to resolve this issue.
>
>Check the files:
>
># ls -lZ /var/lib/squirrelmail/prefs/qlily.*
>-rw-r--r-- apache apache system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.abook
>-rw------- apache apache system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.pref
>-rw-r--r-- apache apache system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.pref.tmp
>
>and the log shows:
>
>Mar 2 15:49:03 pippo kernel: audit(1109800143.922:0): avc: denied { write } for pid=1458 exe=/usr/sbin/httpd name=qlily.pref.tmp dev=hda2 ino=2540354 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
>Mar 2 15:49:03 pippo kernel: audit(1109800143.924:0): avc: denied { write } for pid=1458 exe=/usr/sbin/httpd name=sess_bd54786e5c301c251fd139a22c129872 dev=hda2 ino=2540345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
>....
>
>qlily is the only user I created so far in the system. This user can
>send/receive email through pine. To test the situation, I created another
>user msnet. He can login to ssh console, but cannot login to
>squirrelmail, the error message is:
>
>You must be logged in to access this page
>
>although the password is correct. His pref file is:
>
># ls -lZ /var/lib/squirrelmail/prefs/msnet.pref
>-rw------- apache apache root:object_r:httpd_var_lib_t
>/var/lib/squirrelmail/prefs/msnet.pref
>
>What's wrong? What package updating caused this problem? How to fix the
>problem?
>
>Thanks a lot!
>
>Hongwei Li
>
Hi,

I have solved the problem. If some people encounter the same problem,
here is what I did:

# fixfiles relabel
(reboot)

Then, all users can log in to squirrelmail, read/send mails normally. I
created another new user account, it also works.

However, I still have a question. The file contexts properties for the
existing users and new user are different. In my case, qlily is the
existing user (the "fixfiles relabel" solved the problem for this
account), and mmst is a new user created after running fixfiles relabel.
Please see:
# ls -lZ /var/spool/mail/
-rw-rw---- mmst mail root:object_r:mail_spool_t mmst
-rw-rw---- qlily mail system_u:object_r:mail_spool_t qlily
# ls -lZ /var/lib/squirrelmail/prefs/
-rw-r--r-- apache apache user_u:object_r:httpd_squirrelmail_t mmst.abook
-rw------- apache apache user_u:object_r:httpd_squirrelmail_t mmst.pref
-rw-r--r-- apache apache system_u:object_r:httpd_squirrelmail_t qlily.abook
-rw------- apache apache system_u:object_r:httpd_squirrelmail_t qlily.pref
Why are they different, but no error message and they don't have any
problem when they log in, read/send mails in pine or squirrelmail?

If the system is relabeled, all system files get labeled with a user of
system_u. When they are created by a user or any service that was
restarted by a user, they get identified by that user's SELinux name
(root, user_u).
It should not be a problem in targeted policy. I have no idea why you
got your other errors.
Did you run with SELinux disabled?
Dan

Strange features of selinux!
Thanks!
Hongwei Li
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
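
An added example, not part of the thread and not code from any poster: a small Python script that groups the AVC denials quoted above by source type, target type, class and permission, and checks that the post-relabel `ls -lZ` listing differs only in the SELinux user field, the difference Dan says should not be a problem in targeted policy. The input is the thread's own log and listing lines with the mail wrapping undone; the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed input: the two denials and the post-relabel listing quoted in
# the thread, with the mail client's line wrapping undone.
AVC_LOG = """\
Mar 2 15:49:03 pippo kernel: audit(1109800143.922:0): avc: denied { write } for pid=1458 exe=/usr/sbin/httpd name=qlily.pref.tmp dev=hda2 ino=2540354 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
Mar 2 15:49:03 pippo kernel: audit(1109800143.924:0): avc: denied { write } for pid=1458 exe=/usr/sbin/httpd name=sess_bd54786e5c301c251fd139a22c129872 dev=hda2 ino=2540345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
"""
LS_AFTER_RELABEL = """\
-rw-r--r-- apache apache user_u:object_r:httpd_squirrelmail_t mmst.abook
-rw------- apache apache user_u:object_r:httpd_squirrelmail_t mmst.pref
-rw-r--r-- apache apache system_u:object_r:httpd_squirrelmail_t qlily.abook
-rw------- apache apache system_u:object_r:httpd_squirrelmail_t qlily.pref
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?\bname=(?P<name>\S+)"
    r".*?\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def ctx_type(context):
    """Return the type, the third field of user:role:type."""
    return context.split(":")[2]

def group_denials(log):
    """Map (source type, target type, class, perms) -> denied object names."""
    groups = defaultdict(list)
    for m in AVC_RE.finditer(log):
        key = (ctx_type(m["scon"]), ctx_type(m["tcon"]), m["tclass"], m["perms"])
        groups[key].append(m["name"])
    return dict(groups)

def users_per_type(ls_output):
    """Map each file type in `ls -lZ` output -> set of SELinux users seen."""
    seen = defaultdict(set)
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) >= 5:                 # mode owner group context name
            user = fields[3].split(":")[0]
            seen[ctx_type(fields[3])].add(user)
    return dict(seen)

if __name__ == "__main__":
    for (src, tgt, cls, perms), names in group_denials(AVC_LOG).items():
        print(f"{src} -> {tgt}:{cls} {{ {perms} }} denied for {names}")
    print(users_per_type(LS_AFTER_RELABEL))
```

Both denials collapse to a single httpd_t to var_lib_t write on a file, and after the relabel every prefs file carries the same type while only the user field varies.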