Useradd/groupadd fails: failure while writing changes to /etc/passwd and /etc/group. Contexts problem
Good day, ladies and gentlemen, I need your help. I have a virtual machine with Ubuntu 18.04 LTS, and I'm trying to run it with SELinux enforcing. I had to build and install a custom kernel from the current generic version for this LTS with some extra flags, because there was no SELinux support in the standard kernel. The first problem is: I cannot add users and groups while SELinux is enforcing or permissive. If I disable it and reboot, everything is fine.
No matter whether I'm real root, use sudo su, or am an unconfined user, I face the same problem.
root@hometest:~# id -Z
staff_u:staff_r:staff_t:s0
root@hometest:~# useradd testuser
useradd: failure while writing changes to /etc/passwd
Not out of space on /
root@hometest:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 20G 6.4G 13G 35% /
Permissions
root@hometest:~# ls -alsdZ /etc /etc/passwd /etc/group /etc/shadow
12 drwxr-xr-x. 136 root root system_u:object_r:etc_t:s0 12288 Jul 27 16:25 /etc
4 -rw-rw-rw-. 1 root root system_u:object_r:etc_t:s0 977 Jul 25 10:25 /etc/group
4 -rw-rw-r--. 1 root root system_u:object_r:etc_t:s0 2184 Jul 25 10:17 /etc/passwd
4 -rw-r-----. 1 root shadow system_u:object_r:shadow_t:s0 1291 Jul 25 10:17 /etc/shadow
root@hometest:~# lsattr -d /etc /etc/passwd /etc/group
-----------I--e--- /etc
--------------e--- /etc/passwd
--------------e--- /etc/group
--------------e--- /etc/shadow
I found no SELinux booleans that could help. The system is labeled according to the default policy. I tried to restore the contexts of /etc/passwd, /etc/shadow and /etc/group; nothing changes.
root@hometest:~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31
Some info from logs:
type=AVC msg=audit(1532674348.442:472): avc: denied map for pid=1060 comm="useradd" path="/etc/passwd" dev="sda2" ino=131866 scontext=root:sysadm_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1532685061.535:1239): avc: denied write for pid=2759 comm="useradd" path="/etc/passwd.2759" dev="sda2" ino=131279 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
When I try to build a module using audit2allow I get another problem: it doesn't compile. I know it's a bad idea to generate modules that way, but it's only for tracing the problem.
root@hometest:~# audit2allow -R -a -t sysadm_t > sysadm_local.te
root@hometest:~# make -f /usr/share/selinux/devel/Makefile
Compiling default sysadm_local module
/usr/bin/checkmodule: loading policy configuration from tmp/sysadm_local.tmp
sysadm_local.te:1:ERROR 'syntax error' at token ';' on line 1098:
module sysadm_local_full.1.0.0 ;
#line 1
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/share/selinux/devel/include/Makefile:159: recipe for target 'tmp/sysadm_local.mod' failed
make: *** [tmp/sysadm_local.mod] Error 1
What am I doing wrong? Any help is appreciated.
UPD. I compiled a full module with all of the allow rules found in the audit log, installed it and reloaded the policy, and it solved nothing. I checked the log once more, found some new entries and made one more module. I tried to change the context of /etc/passwd from etc_t to some others; it didn't help. I tried strace, but the output is really long. What else can I check or try? There is no problem on Ubuntu 16.04 LTS, so what's wrong with 18.04 LTS?
ubuntu security selinux
edited Jul 30 at 20:24
asked Jul 27 at 14:23
Igor Klyuchnikov
What happens when you grep the entries from your audit log into the audit2allow command so grep ..... | audit2allow -m useradd
– Raman Sailopal
Jul 27 at 14:29
Sorry, I'm a bit slow at the end of the working day with some extra hours =) What am I supposed to grep?
– Igor Klyuchnikov
Jul 27 at 14:48
Ah, it creates a .pp module with some rules, but installing this module and reloading the policy doesn't solve the problem. At least now I'm able to compile modules, thanks a lot! Trying to find an "allow rule" that can help.
– Igor Klyuchnikov
Jul 29 at 21:30
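The two AVC records in the question, and the `audit2allow -m useradd` route suggested in the comments, both come down to the same steps: pull the `scontext` type, `tcontext` type, object class and denied permission out of each record, fold them into `allow` rules, and wrap them in a module whose header reads `module NAME VERSION;` (the failing header in the question, `module sysadm_local_full.1.0.0 ;`, puts a dot where checkmodule expects a space between name and version). The script below is an added example, not code from the question, the commenter, or the SELinux project; it is a small stand-in for what `audit2allow -m` does, written so the steps are visible. The module name `useradd_local` and the third AVC line are assumptions/constructed input; the first two lines are the records posted above (the page's extraction dropped the `{ }` around the permission, so the parser accepts both spellings). It also adds the check a practitioner wants before loading anything: in the second posted record `comm="useradd"` is running as `staff_sudo_t`, not `useradd_t`, i.e. no domain transition into the useradd domain happened, and an allow rule letting `staff_sudo_t` write `etc_t` would only hide that.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records posted in the question (braces
# around the permission were lost in the page's extraction; the kernel writes
# "denied  { map }") plus one constructed record in kernel format with two perms.
SAMPLE_AVC = [
    'type=AVC msg=audit(1532674348.442:472): avc: denied map for pid=1060 comm="useradd" '
    'path="/etc/passwd" dev="sda2" ino=131866 scontext=root:sysadm_r:useradd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1532685061.535:1239): avc: denied write for pid=2759 comm="useradd" '
    'path="/etc/passwd.2759" dev="sda2" ino=131279 scontext=staff_u:staff_r:staff_sudo_t:s0 '
    'tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1',
    # constructed, not from the page: a multi-permission denial as the kernel prints it
    'type=AVC msg=audit(1532685061.600:1240): avc:  denied  { read write } for  pid=2759 '
    'comm="useradd" path="/etc/passwd" dev="sda2" ino=131866 '
    'scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=system_u:object_r:etc_t:s0 '
    'tclass=file permissive=1',
]

# Accepts "denied map for" (page format) and "denied  { read write } for" (kernel format).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{?\s*(?P<perms>[\w\s]+?)\s*\}?\s+for\s.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type component (3rd field) of user:role:type[:level]."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "comm": m.group("comm"),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def generate_te(lines, module_name="useradd_local", version="1.0"):
    """Fold denials into loadable-module .te source (what audit2allow -m emits).

    The header must be 'module NAME VERSION;' with a space between the two;
    'module name.1.0.0 ;' is rejected by checkmodule with a syntax error.
    """
    rules = defaultdict(set)  # (source type, target type, class) -> permissions
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def missing_transitions(lines, comm="useradd", expected="useradd_t"):
    """Heuristic check: domains in which `comm` was denied while NOT in its own
    domain. A hit means the binary ran without the expected domain transition,
    and allowing that caller domain to write etc_t would mask the real fault."""
    seen = set()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["comm"] == comm and rec["stype"] != expected:
            seen.add(rec["stype"])
    return sorted(seen)


if __name__ == "__main__":
    print(generate_te(SAMPLE_AVC))
    print("# useradd ran outside useradd_t in:", missing_transitions(SAMPLE_AVC))
```

On a real system, feed it `ausearch -m avc -c useradd --raw` instead of the embedded lines, then build and load the result with `checkmodule -M -m -o useradd_local.mod useradd_local.te`, `semodule_package -o useradd_local.pp -m useradd_local.mod` and `semodule -i useradd_local.pp`. Act on the transition check first, though: `ls -Z /usr/sbin/useradd` should show `useradd_exec_t`, and `sesearch -T -s staff_sudo_t -t useradd_exec_t` shows whether the loaded policy defines a transition from `staff_sudo_t` into `useradd_t` at all; if it does not, useradd keeps running as `staff_sudo_t` and every write to `etc_t` it makes is denied exactly as in the second record, no matter how many rules for `useradd_t` are loaded. The first record is a different kind of mismatch: `map` is a file permission newer kernels check on mmap, so a policy built before the permission existed grants it nowhere, which is one concrete way a policy that was fine under the 16.04 kernel misbehaves under a newer one.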