Old 06-14-2008, 09:33 AM
"Göran Uddeborg"
 
What to do about "invalid context"

Could anyone explain what is wrong when I get the error below?

The problem:

I get error messages when I try to run crontab.

mimmi> env LANG=en_US.utf8 crontab -l

Authentication service cannot retrieve authentication info
You (göran) are not allowed to access to (crontab) because of pam configuration.

What I have found out:

In the audit log there is this entry:

mimmi> sudo ausearch -a 3208
----
time->Sat Jun 14 11:17:09 2008
type=SYSCALL msg=audit(1213435029.953:3208): arch=c000003e syscall=59 success=no exit=-13 a0=7f7c49c10238 a1=7fff57b9d760 a2=7f7c49e11f50 a3=7f7c4f562a70 items=0 ppid=5234 pid=5236 auid=503 uid=0 gid=503 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid: invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process


Using strace I see that crontab tries to exec /sbin/unix_update and
fails, which I suppose is what this message is about:

4826 execve("/sbin/unix_update", ["/sbin/unix_update", "g\303\266ran", "verify"], [/* 0 vars */]) = -1 EACCES (Permission denied)

My first thought was that maybe the label on unix_update had not been
correctly updated in some upgrade or so. But doing a restorecon on
it didn't change its context (system_u:object_r:updpwd_exec_t:s0).


I assume there is something broken in the host configurations, rather
than some bug in the policy. But I don't understand what it is or
what to do about it. I'm usually able to figure out
"type=AVC"/"avc:*denied" issues, but what do I do about a
"type=SELINUX_ERR"/"invalid context"?

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 06-16-2008, 01:04 PM
Stephen Smalley
 
What to do about "invalid context"

On Sat, 2008-06-14 at 11:33 +0200, Göran Uddeborg wrote:
> Could anyone explain what is wrong when I get the error below?
>
> The problem:
>
> I get error messages when I try to run crontab.
>
> mimmi> env LANG=en_US.utf8 crontab -l
>
> Authentication service cannot retrieve authentication info
> You (göran) are not allowed to access to (crontab) because of pam configuration.
>
> What I have found out:
>
> In the audit log there is this entry:
>
> mimmi> sudo ausearch -a 3208
> ----
> time->Sat Jun 14 11:17:09 2008
> type=SYSCALL msg=audit(1213435029.953:3208): arch=c000003e syscall=59 success=no exit=-13 a0=7f7c49c10238 a1=7fff57b9d760 a2=7f7c49e11f50 a3=7f7c4f562a70 items=0 ppid=5234 pid=5236 auid=503 uid=0 gid=503 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
> type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid: invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process
>
>
> Using strace I see that crontab tries to exec /sbin/unix_update and
> fails, which I suppose is what this message is about:
>
> 4826 execve("/sbin/unix_update", ["/sbin/unix_update", "g\303\266ran", "verify"], [/* 0 vars */]) = -1 EACCES (Permission denied)
>
> My first thought was that maybe the label on unix_update had not been
> correctly updated in some upgrade or so. But doing a restorecon on
> it didn't change its context (system_u:object_r:updpwd_exec_t:s0).
>
>
> I assume there is something broken in the host configurations, rather
> than some bug in the policy. But I don't understand what it is or
> what to do about it. I'm usually able to figure out
> "type=AVC"/"avc: denied" issues, but what do I do about a
> "type=SELINUX_ERR"/"invalid context"?

Missing role-type statement, ala:
# cat myupdpwd.te
module myupdate 1.0;

require {
role unconfined_r;
type updpwd_exec_t;
}

role unconfined_r types updpwd_exec_t;

# make -f /usr/share/selinux/devel/Makefile myupdpwd.pp
# semodule -i myupdpwd.pp

--
Stephen Smalley
National Security Agency

 
Old 06-17-2008, 06:36 PM
"Göran Uddeborg"
 
What to do about "invalid context"

Stephen Smalley writes:
> role unconfined_r types updpwd_exec_t;

Aha, now I get it! It's the role-type combination that is not
allowed, and thus "invalid". Thanks!

A little detail, though. It's the type updpwd_t, not updpwd_exec_t
that should be allowed, isn't it? Unless I'm mistaken, it's the file
that has the *_exec_t type, but the resulting process domain is *_t.

I did create my module following your pattern, but using updpwd_t, and
the crontab command works again. So it seems it was the right thing
to do. Or have I done something I shouldn't do after all?

 
Old 06-17-2008, 06:44 PM
Stephen Smalley
 
What to do about "invalid context"

On Tue, 2008-06-17 at 20:36 +0200, Göran Uddeborg wrote:
> Stephen Smalley writes:
> > role unconfined_r types updpwd_exec_t;
>
> Aha, now I get it! It's the role-type combination that is not
> allowed, and thus "invalid". Thanks!
>
> A little detail, though. It's the type updpwd_t, not updpwd_exec_t
> that should be allowed, isn't it? Unless I'm mistaken, it's the file
> that has the *_exec_t type, but the resulting process domain is *_t.
>
> I did create my module following your pattern, but using updpwd_t, and
> the crontab command works again. So it seems it was the right thing
> to do. Or have I done something I shouldn't do after all?

Oops, my mistake - yes, you wanted the domain type, not the executable
type there.

audit2allow is actually supposed to handle those errors too, but it
seems to be broken at the moment for them.

--
Stephen Smalley
National Security Agency
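As an added example (not code from the thread, and not audit2allow itself): a small Python helper that pulls the role and domain type out of a SELINUX_ERR record like the one above and writes the role-type policy statement the thread settles on, using the domain type (updpwd_t) rather than the executable type. The sample record is the thread's own audit line with the forum's character damage repaired; the module name myupdpwd is taken from Stephen's example.

```python
import re

# Constructed sample: the SELINUX_ERR record from the thread, with the
# forum's mangling of "system_u:object_r" and "unconfined_crontab_t" repaired.
SAMPLE = ('type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid: '
          'invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 '
          'for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 '
          'tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process')

_RE = re.compile(r'security_compute_sid: invalid context (?P<ctx>\S+) '
                 r'for scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
                 r'tclass=(?P<tclass>\S+)')

def split_context(ctx):
    """Split user:role:type[:range]; the MLS range itself may contain ':'."""
    user, role, typ, *rest = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': typ,
            'range': rest[0] if rest else None}

def parse_selinux_err(line):
    """Return the parsed record, or None for lines that are not this error."""
    m = _RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['invalid'] = split_context(rec.pop('ctx'))
    rec['scontext'] = split_context(rec['scontext'])
    rec['tcontext'] = split_context(rec['tcontext'])
    return rec

def role_type_fix(rec, module='myupdpwd'):
    """Emit a .te module allowing the role to run in the computed domain.
    For tclass=process the type in the *invalid* context is the domain the
    transition computed (updpwd_t); that is what needs the role association,
    not the *_exec_t type of the file in tcontext (the thread's correction)."""
    if rec['tclass'] != 'process':
        raise ValueError('only process transitions are handled here')
    role, dom = rec['invalid']['role'], rec['invalid']['type']
    return (f'module {module} 1.0;\n\nrequire {{\n\trole {role};\n\ttype {dom};\n}}\n\n'
            f'role {role} types {dom};\n')

if __name__ == '__main__':
    print(role_type_fix(parse_selinux_err(SAMPLE)))
```

The generated text is what you would put in myupdpwd.te before the make and semodule steps shown above; it grants only the role-type pairing, so any plain AVC denials still need their own rules.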

 