mjhjmtu

Good day, ladies and gentlemen, I need your help. I have a virtual machine with Ubuntu 18.04 LTS, and I'm trying to enforce in with SELinux. I had to build and install a custom kernel out of current generic ver. for LTS with some extra flags. There were no support of SELinux in standard kernel. The first problem is: I cannot add users and groups while SELinux is enforcing or permissive. If I disable it and reboot - everything is fine.
No matter if I'm real root, or use sudo su, or unconfined user, I face the same problems.

root@hometest:~# id -Z
staff_u:staff_r:staff_t:s0

root@hometest:~# useradd testuser
useradd: failure while writing changes to /etc/passwd

Not out of space on /

root@hometest:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 20G 6.4G 13G 35% /

Permissions

root@hometest:~# ls -alsdZ /etc /etc/passwd /etc/group /etc/shadow
12 drwxr-xr-x. 136 root root system_u:object_r:etc_t:s0 12288 Jul 27 16:25 /etc
4 -rw-rw-rw-. 1 root root system_u:object_r:etc_t:s0 977 Jul 25 10:25 /etc/group
4 -rw-rw-r--. 1 root root system_u:object_r:etc_t:s0 2184 Jul 25 10:17 /etc/passwd
4 -rw-r-----. 1 root shadow system_u:object_r:shadow_t:s0 1291 Jul 25 10:17 /etc/shadow


root@hometest:~# lsattr -d /etc /etc/passwd /etc/group
-----------I--e--- /etc
--------------e--- /etc/passwd
--------------e--- /etc/group
--------------e--- /etc/shadow

Found no SELinux booleans, which could help. System is labeled according to the default policy. Tried to restore contexts of /etc/passwd, /etc/shadow and /etc/grpup - nothing changes.

root@hometest:~# sestatus 
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31

Some info from logs:

type=AVC msg=audit(1532674348.442:472): avc: denied map for pid=1060 comm="useradd" path="/etc/passwd" dev="sda2" ino=131866 scontext=root:sysadm_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
 Was caused by:
 Missing type enforcement (TE) allow rule.

 You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1532685061.535:1239): avc: denied write for pid=2759 comm="useradd" path="/etc/passwd.2759" dev="sda2" ino=131279 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
 Was caused by:
 Missing type enforcement (TE) allow rule.

 You can use audit2allow to generate a loadable module to allow this access.

When I'm trying to build a module using audit2allow I've got another problem - cannot compile. I know that it's a bad idea to generate modules that way, but it's for tracing the problem only.

root@hometest:~# audit2allow -R -a -t sysadm_t > sysadm_local.te
root@hometest:~# make -f /usr/share/selinux/devel/Makefile
Compiling default sysadm_local module
/usr/bin/checkmodule: loading policy configuration from tmp/sysadm_local.tmp
sysadm_local.te:1:ERROR 'syntax error' at token ';' on line 1098:
 module sysadm_local_full.1.0.0 ;
#line 1
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/share/selinux/devel/include/Makefile:159: recipe for target 'tmp/sysadm_local.mod' failed
make: *** [tmp/sysadm_local.mod] Error 1

What am I doing wrong? Any help is appreciated.

UPD. I compiled a full module with all of the allow rules that were found in audit log, installed it, reloaded the policy and it solved nothing. A checked the log for one more time, found some new entries and made one more module. I tried to change context of /etc/passwd from etc_t to some others - it didn't help. Tried to use strace, but the output is really long. What else can I check o try? There is no problem on Ubuntu 16.04 LTS, what's wrong with 18.04 LTS?