Useradd/groupadd fails: failure while writing changes to /etc/passwd and /etc/group. Contexts problem

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
0
down vote

favorite












Good day, ladies and gentlemen, I need your help. I have a virtual machine with Ubuntu 18.04 LTS, and I'm trying to enforce in with SELinux. I had to build and install a custom kernel out of current generic ver. for LTS with some extra flags. There were no support of SELinux in standard kernel. The first problem is: I cannot add users and groups while SELinux is enforcing or permissive. If I disable it and reboot - everything is fine.
No matter if I'm real root, or use sudo su, or unconfined user, I face the same problems.



root@hometest:~# id -Z
staff_u:staff_r:staff_t:s0

root@hometest:~# useradd testuser
useradd: failure while writing changes to /etc/passwd


Not out of space on /



root@hometest:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 20G 6.4G 13G 35% /


Permissions



root@hometest:~# ls -alsdZ /etc /etc/passwd /etc/group /etc/shadow
12 drwxr-xr-x. 136 root root system_u:object_r:etc_t:s0 12288 Jul 27 16:25 /etc
4 -rw-rw-rw-. 1 root root system_u:object_r:etc_t:s0 977 Jul 25 10:25 /etc/group
4 -rw-rw-r--. 1 root root system_u:object_r:etc_t:s0 2184 Jul 25 10:17 /etc/passwd
4 -rw-r-----. 1 root shadow system_u:object_r:shadow_t:s0 1291 Jul 25 10:17 /etc/shadow


root@hometest:~# lsattr -d /etc /etc/passwd /etc/group
-----------I--e--- /etc
--------------e--- /etc/passwd
--------------e--- /etc/group
--------------e--- /etc/shadow


Found no SELinux booleans, which could help. System is labeled according to the default policy. Tried to restore contexts of /etc/passwd, /etc/shadow and /etc/grpup - nothing changes.



root@hometest:~# sestatus 
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31


Some info from logs:



type=AVC msg=audit(1532674348.442:472): avc: denied map for pid=1060 comm="useradd" path="/etc/passwd" dev="sda2" ino=131866 scontext=root:sysadm_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1532685061.535:1239): avc: denied write for pid=2759 comm="useradd" path="/etc/passwd.2759" dev="sda2" ino=131279 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.


When I'm trying to build a module using audit2allow I've got another problem - cannot compile. I know that it's a bad idea to generate modules that way, but it's for tracing the problem only.



root@hometest:~# audit2allow -R -a -t sysadm_t > sysadm_local.te
root@hometest:~# make -f /usr/share/selinux/devel/Makefile
Compiling default sysadm_local module
/usr/bin/checkmodule: loading policy configuration from tmp/sysadm_local.tmp
sysadm_local.te:1:ERROR 'syntax error' at token ';' on line 1098:
module sysadm_local_full.1.0.0 ;
#line 1
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/share/selinux/devel/include/Makefile:159: recipe for target 'tmp/sysadm_local.mod' failed
make: *** [tmp/sysadm_local.mod] Error 1


What am I doing wrong? Any help is appreciated.



UPD. I compiled a full module with all of the allow rules that were found in audit log, installed it, reloaded the policy and it solved nothing. A checked the log for one more time, found some new entries and made one more module. I tried to change context of /etc/passwd from etc_t to some others - it didn't help. Tried to use strace, but the output is really long. What else can I check o try? There is no problem on Ubuntu 16.04 LTS, what's wrong with 18.04 LTS?







share|improve this question





















  • What happens when you grep the entries from your audit log into the audit2allow command so grep ..... | audit2allow -m useradd
    – Raman Sailopal
    Jul 27 at 14:29










  • Sorry, I'm a bit slow at the end of the working day with some extra hours =) What I'm supposed to grep?
    – Igor Klyuchnikov
    Jul 27 at 14:48











  • Ah, it creates a .pp module with some rules, but installing this module and reloading a policy doesn't solve the problem. At least now I'm able to compile modules, thanks a lot! Trying to find an "allow rule", that can help
    – Igor Klyuchnikov
    Jul 29 at 21:30
















up vote
0
down vote

favorite












Good day, ladies and gentlemen, I need your help. I have a virtual machine with Ubuntu 18.04 LTS, and I'm trying to enforce in with SELinux. I had to build and install a custom kernel out of current generic ver. for LTS with some extra flags. There were no support of SELinux in standard kernel. The first problem is: I cannot add users and groups while SELinux is enforcing or permissive. If I disable it and reboot - everything is fine.
No matter if I'm real root, or use sudo su, or unconfined user, I face the same problems.



root@hometest:~# id -Z
staff_u:staff_r:staff_t:s0

root@hometest:~# useradd testuser
useradd: failure while writing changes to /etc/passwd


Not out of space on /



root@hometest:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 20G 6.4G 13G 35% /


Permissions



root@hometest:~# ls -alsdZ /etc /etc/passwd /etc/group /etc/shadow
12 drwxr-xr-x. 136 root root system_u:object_r:etc_t:s0 12288 Jul 27 16:25 /etc
4 -rw-rw-rw-. 1 root root system_u:object_r:etc_t:s0 977 Jul 25 10:25 /etc/group
4 -rw-rw-r--. 1 root root system_u:object_r:etc_t:s0 2184 Jul 25 10:17 /etc/passwd
4 -rw-r-----. 1 root shadow system_u:object_r:shadow_t:s0 1291 Jul 25 10:17 /etc/shadow


root@hometest:~# lsattr -d /etc /etc/passwd /etc/group
-----------I--e--- /etc
--------------e--- /etc/passwd
--------------e--- /etc/group
--------------e--- /etc/shadow


Found no SELinux booleans, which could help. System is labeled according to the default policy. Tried to restore contexts of /etc/passwd, /etc/shadow and /etc/grpup - nothing changes.



root@hometest:~# sestatus 
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31


Some info from logs:



type=AVC msg=audit(1532674348.442:472): avc: denied map for pid=1060 comm="useradd" path="/etc/passwd" dev="sda2" ino=131866 scontext=root:sysadm_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1532685061.535:1239): avc: denied write for pid=2759 comm="useradd" path="/etc/passwd.2759" dev="sda2" ino=131279 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.


When I'm trying to build a module using audit2allow I've got another problem - cannot compile. I know that it's a bad idea to generate modules that way, but it's for tracing the problem only.



root@hometest:~# audit2allow -R -a -t sysadm_t > sysadm_local.te
root@hometest:~# make -f /usr/share/selinux/devel/Makefile
Compiling default sysadm_local module
/usr/bin/checkmodule: loading policy configuration from tmp/sysadm_local.tmp
sysadm_local.te:1:ERROR 'syntax error' at token ';' on line 1098:
module sysadm_local_full.1.0.0 ;
#line 1
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/share/selinux/devel/include/Makefile:159: recipe for target 'tmp/sysadm_local.mod' failed
make: *** [tmp/sysadm_local.mod] Error 1


What am I doing wrong? Any help is appreciated.



UPD. I compiled a full module with all of the allow rules that were found in audit log, installed it, reloaded the policy and it solved nothing. A checked the log for one more time, found some new entries and made one more module. I tried to change context of /etc/passwd from etc_t to some others - it didn't help. Tried to use strace, but the output is really long. What else can I check o try? There is no problem on Ubuntu 16.04 LTS, what's wrong with 18.04 LTS?







share|improve this question





















  • What happens when you grep the entries from your audit log into the audit2allow command so grep ..... | audit2allow -m useradd
    – Raman Sailopal
    Jul 27 at 14:29










  • Sorry, I'm a bit slow at the end of the working day with some extra hours =) What I'm supposed to grep?
    – Igor Klyuchnikov
    Jul 27 at 14:48











  • Ah, it creates a .pp module with some rules, but installing this module and reloading a policy doesn't solve the problem. At least now I'm able to compile modules, thanks a lot! Trying to find an "allow rule", that can help
    – Igor Klyuchnikov
    Jul 29 at 21:30












up vote
0
down vote

favorite









up vote
0
down vote

favorite











Good day, ladies and gentlemen, I need your help. I have a virtual machine with Ubuntu 18.04 LTS, and I'm trying to enforce in with SELinux. I had to build and install a custom kernel out of current generic ver. for LTS with some extra flags. There were no support of SELinux in standard kernel. The first problem is: I cannot add users and groups while SELinux is enforcing or permissive. If I disable it and reboot - everything is fine.
No matter if I'm real root, or use sudo su, or unconfined user, I face the same problems.



root@hometest:~# id -Z
staff_u:staff_r:staff_t:s0

root@hometest:~# useradd testuser
useradd: failure while writing changes to /etc/passwd


Not out of space on /



root@hometest:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 20G 6.4G 13G 35% /


Permissions



root@hometest:~# ls -alsdZ /etc /etc/passwd /etc/group /etc/shadow
12 drwxr-xr-x. 136 root root system_u:object_r:etc_t:s0 12288 Jul 27 16:25 /etc
4 -rw-rw-rw-. 1 root root system_u:object_r:etc_t:s0 977 Jul 25 10:25 /etc/group
4 -rw-rw-r--. 1 root root system_u:object_r:etc_t:s0 2184 Jul 25 10:17 /etc/passwd
4 -rw-r-----. 1 root shadow system_u:object_r:shadow_t:s0 1291 Jul 25 10:17 /etc/shadow


root@hometest:~# lsattr -d /etc /etc/passwd /etc/group
-----------I--e--- /etc
--------------e--- /etc/passwd
--------------e--- /etc/group
--------------e--- /etc/shadow


Found no SELinux booleans, which could help. System is labeled according to the default policy. Tried to restore contexts of /etc/passwd, /etc/shadow and /etc/grpup - nothing changes.



root@hometest:~# sestatus 
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31


Some info from logs:



type=AVC msg=audit(1532674348.442:472): avc: denied map for pid=1060 comm="useradd" path="/etc/passwd" dev="sda2" ino=131866 scontext=root:sysadm_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1532685061.535:1239): avc: denied write for pid=2759 comm="useradd" path="/etc/passwd.2759" dev="sda2" ino=131279 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.


When I'm trying to build a module using audit2allow I've got another problem - cannot compile. I know that it's a bad idea to generate modules that way, but it's for tracing the problem only.



root@hometest:~# audit2allow -R -a -t sysadm_t > sysadm_local.te
root@hometest:~# make -f /usr/share/selinux/devel/Makefile
Compiling default sysadm_local module
/usr/bin/checkmodule: loading policy configuration from tmp/sysadm_local.tmp
sysadm_local.te:1:ERROR 'syntax error' at token ';' on line 1098:
module sysadm_local_full.1.0.0 ;
#line 1
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/share/selinux/devel/include/Makefile:159: recipe for target 'tmp/sysadm_local.mod' failed
make: *** [tmp/sysadm_local.mod] Error 1


What am I doing wrong? Any help is appreciated.



UPD. I compiled a full module with all of the allow rules that were found in audit log, installed it, reloaded the policy and it solved nothing. A checked the log for one more time, found some new entries and made one more module. I tried to change context of /etc/passwd from etc_t to some others - it didn't help. Tried to use strace, but the output is really long. What else can I check o try? There is no problem on Ubuntu 16.04 LTS, what's wrong with 18.04 LTS?







share|improve this question













Good day, ladies and gentlemen, I need your help. I have a virtual machine with Ubuntu 18.04 LTS, and I'm trying to enforce in with SELinux. I had to build and install a custom kernel out of current generic ver. for LTS with some extra flags. There were no support of SELinux in standard kernel. The first problem is: I cannot add users and groups while SELinux is enforcing or permissive. If I disable it and reboot - everything is fine.
No matter if I'm real root, or use sudo su, or unconfined user, I face the same problems.



root@hometest:~# id -Z
staff_u:staff_r:staff_t:s0

root@hometest:~# useradd testuser
useradd: failure while writing changes to /etc/passwd


Not out of space on /



root@hometest:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 20G 6.4G 13G 35% /


Permissions



root@hometest:~# ls -alsdZ /etc /etc/passwd /etc/group /etc/shadow
12 drwxr-xr-x. 136 root root system_u:object_r:etc_t:s0 12288 Jul 27 16:25 /etc
4 -rw-rw-rw-. 1 root root system_u:object_r:etc_t:s0 977 Jul 25 10:25 /etc/group
4 -rw-rw-r--. 1 root root system_u:object_r:etc_t:s0 2184 Jul 25 10:17 /etc/passwd
4 -rw-r-----. 1 root shadow system_u:object_r:shadow_t:s0 1291 Jul 25 10:17 /etc/shadow


root@hometest:~# lsattr -d /etc /etc/passwd /etc/group
-----------I--e--- /etc
--------------e--- /etc/passwd
--------------e--- /etc/group
--------------e--- /etc/shadow


Found no SELinux booleans, which could help. System is labeled according to the default policy. Tried to restore contexts of /etc/passwd, /etc/shadow and /etc/grpup - nothing changes.



root@hometest:~# sestatus 
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31


Some info from logs:



type=AVC msg=audit(1532674348.442:472): avc: denied map for pid=1060 comm="useradd" path="/etc/passwd" dev="sda2" ino=131866 scontext=root:sysadm_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1532685061.535:1239): avc: denied write for pid=2759 comm="useradd" path="/etc/passwd.2759" dev="sda2" ino=131279 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.


When I'm trying to build a module using audit2allow I've got another problem - cannot compile. I know that it's a bad idea to generate modules that way, but it's for tracing the problem only.



root@hometest:~# audit2allow -R -a -t sysadm_t > sysadm_local.te
root@hometest:~# make -f /usr/share/selinux/devel/Makefile
Compiling default sysadm_local module
/usr/bin/checkmodule: loading policy configuration from tmp/sysadm_local.tmp
sysadm_local.te:1:ERROR 'syntax error' at token ';' on line 1098:
module sysadm_local_full.1.0.0 ;
#line 1
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/share/selinux/devel/include/Makefile:159: recipe for target 'tmp/sysadm_local.mod' failed
make: *** [tmp/sysadm_local.mod] Error 1


What am I doing wrong? Any help is appreciated.



UPD. I compiled a full module with all of the allow rules that were found in audit log, installed it, reloaded the policy and it solved nothing. A checked the log for one more time, found some new entries and made one more module. I tried to change context of /etc/passwd from etc_t to some others - it didn't help. Tried to use strace, but the output is really long. What else can I check o try? There is no problem on Ubuntu 16.04 LTS, what's wrong with 18.04 LTS?









share|improve this question












share|improve this question




share|improve this question








edited Jul 30 at 20:24
























asked Jul 27 at 14:23









Igor Klyuchnikov

12




12











  • What happens when you grep the entries from your audit log into the audit2allow command so grep ..... | audit2allow -m useradd
    – Raman Sailopal
    Jul 27 at 14:29










  • Sorry, I'm a bit slow at the end of the working day with some extra hours =) What I'm supposed to grep?
    – Igor Klyuchnikov
    Jul 27 at 14:48











  • Ah, it creates a .pp module with some rules, but installing this module and reloading a policy doesn't solve the problem. At least now I'm able to compile modules, thanks a lot! Trying to find an "allow rule", that can help
    – Igor Klyuchnikov
    Jul 29 at 21:30
















  • What happens when you grep the entries from your audit log into the audit2allow command so grep ..... | audit2allow -m useradd
    – Raman Sailopal
    Jul 27 at 14:29










  • Sorry, I'm a bit slow at the end of the working day with some extra hours =) What I'm supposed to grep?
    – Igor Klyuchnikov
    Jul 27 at 14:48











  • Ah, it creates a .pp module with some rules, but installing this module and reloading a policy doesn't solve the problem. At least now I'm able to compile modules, thanks a lot! Trying to find an "allow rule", that can help
    – Igor Klyuchnikov
    Jul 29 at 21:30















What happens when you grep the entries from your audit log into the audit2allow command so grep ..... | audit2allow -m useradd
– Raman Sailopal
Jul 27 at 14:29




What happens when you grep the entries from your audit log into the audit2allow command so grep ..... | audit2allow -m useradd
– Raman Sailopal
Jul 27 at 14:29












Sorry, I'm a bit slow at the end of the working day with some extra hours =) What I'm supposed to grep?
– Igor Klyuchnikov
Jul 27 at 14:48





Sorry, I'm a bit slow at the end of the working day with some extra hours =) What I'm supposed to grep?
– Igor Klyuchnikov
Jul 27 at 14:48













Ah, it creates a .pp module with some rules, but installing this module and reloading a policy doesn't solve the problem. At least now I'm able to compile modules, thanks a lot! Trying to find an "allow rule", that can help
– Igor Klyuchnikov
Jul 29 at 21:30




Ah, it creates a .pp module with some rules, but installing this module and reloading a policy doesn't solve the problem. At least now I'm able to compile modules, thanks a lot! Trying to find an "allow rule", that can help
– Igor Klyuchnikov
Jul 29 at 21:30















active

oldest

votes











Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);








 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f458853%2fuseradd-groupadd-fails-failure-while-writing-changes-to-etc-passwd-and-etc-gr%23new-answer', 'question_page');

);

Post as a guest



































active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes










 

draft saved


draft discarded


























 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f458853%2fuseradd-groupadd-fails-failure-while-writing-changes-to-etc-passwd-and-etc-gr%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?