Useradd/groupadd fails: failure while writing changes to /etc/passwd and /etc/group. Contexts problem
Good day, ladies and gentlemen, I need your help. I have a virtual machine with Ubuntu 18.04 LTS, and I'm trying to enforce it with SELinux. I had to build and install a custom kernel out of the current generic ver. for LTS with some extra flags. There was no support for SELinux in the standard kernel. The first problem is: I cannot add users and groups while SELinux is enforcing or permissive. If I disable it and reboot - everything is fine.

No matter if I'm real root, or use sudo su, or unconfined user, I face the same problems.

    root@hometest:~# id -Z
    staff_u:staff_r:staff_t:s0
    root@hometest:~# useradd testuser
    useradd: failure while writing changes to /etc/passwd

Not out of space on /

    root@hometest:~# df -h
    Filesystem Size Used Avail Use% Mounted on
    /dev/sda2 20G 6.4G 13G 35% /

Permissions

    root@hometest:~# ls -alsdZ /etc /etc/passwd /etc/group /etc/shadow
    12 drwxr-xr-x. 136 root root system_u:object_r:etc_t:s0 12288 Jul 27 16:25 /etc
    4 -rw-rw-rw-. 1 root root system_u:object_r:etc_t:s0 977 Jul 25 10:25 /etc/group
    4 -rw-rw-r--. 1 root root system_u:object_r:etc_t:s0 2184 Jul 25 10:17 /etc/passwd
    4 -rw-r-----. 1 root shadow system_u:object_r:shadow_t:s0 1291 Jul 25 10:17 /etc/shadow
    root@hometest:~# lsattr -d /etc /etc/passwd /etc/group
    -----------I--e--- /etc
    --------------e--- /etc/passwd
    --------------e--- /etc/group
    --------------e--- /etc/shadow

Found no SELinux booleans which could help. System is labeled according to the default policy. Tried to restore contexts of /etc/passwd, /etc/shadow and /etc/group - nothing changes.

    root@hometest:~# sestatus
    SELinux status: enabled
    SELinuxfs mount: /sys/fs/selinux
    SELinux root directory: /etc/selinux
    Loaded policy name: default
    Current mode: permissive
    Mode from config file: permissive
    Policy MLS status: enabled
    Policy deny_unknown status: allowed
    Memory protection checking: requested (insecure)
    Max kernel policy version: 31

Some info from logs:

    type=AVC msg=audit(1532674348.442:472): avc: denied map for pid=1060 comm="useradd" path="/etc/passwd" dev="sda2" ino=131866 scontext=root:sysadm_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
    Was caused by:
    Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.

    type=AVC msg=audit(1532685061.535:1239): avc: denied write for pid=2759 comm="useradd" path="/etc/passwd.2759" dev="sda2" ino=131279 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
    Was caused by:
    Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.

I compiled a full module with all of the allow rules that were found in the audit log, installed it, reloaded the policy and it solved nothing. I checked the log one more time, found some new entries and made one more module. I tried to change the context of /etc/passwd from etc_t to some others - it didn't help. Tried to use strace, but the output is really long. What else can I check or try? There is no problem on Ubuntu 16.04 LTS, what's wrong with 18.04 LTS?

What am I doing wrong? Any help is appreciated.
permissions security selinux
asked Jul 30 '18 at 20:20
Igor Klyuchnikov
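
Added example, not part of the original post: a small Python parser for the two AVC records quoted in the question. It merges them into the allow rules a generated module would contain, and lists the source types that `useradd` was recorded under and whether each denial was actually enforced. The function names are illustrative, and the regex also accepts the braced `{ perm }` form that a raw audit.log uses.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the question (audit2why commentary omitted).
AVC_LOG = '''\
type=AVC msg=audit(1532674348.442:472): avc: denied map for pid=1060 comm="useradd" path="/etc/passwd" dev="sda2" ino=131866 scontext=root:sysadm_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1532685061.535:1239): avc: denied write for pid=2759 comm="useradd" path="/etc/passwd.2759" dev="sda2" ino=131279 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
'''

# The page shows "denied map for"; a raw audit.log writes "denied  { map } for".
DENIED = re.compile(r"avc:\s+denied\s+\{?\s*(?P<perms>[\w\s]+?)\s*\}?\s+for\s")
KEYVAL = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = DENIED.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in KEYVAL.findall(line)}
    # A context is user:role:type:level; the MLS level may itself contain ':'.
    return {
        "perms": m["perms"].split(),
        "comm": f.get("comm"),
        "path": f.get("path"),
        "source_type": f["scontext"].split(":", 3)[2],
        "target_type": f["tcontext"].split(":", 3)[2],
        "tclass": f["tclass"],
        # permissive=1: the access was logged but not blocked.
        "permissive": f.get("permissive") == "1",
    }

def parse_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]

def allow_rules(records):
    """Merge denials into TE allow rules, one per (source, target, class)."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["source_type"], r["target_type"], r["tclass"])].update(r["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def domains_by_comm(records):
    """Source types each command was recorded under."""
    seen = defaultdict(set)
    for r in records:
        seen[r["comm"]].add(r["source_type"])
    return {c: sorted(t) for c, t in seen.items()}

if __name__ == "__main__":
    recs = parse_log(AVC_LOG)
    print("\n".join(allow_rules(recs)))
    print(domains_by_comm(recs))
    print("blocked:", [r["path"] for r in recs if not r["permissive"]])
```
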
1 Answer
It seems to be a bug. I have also been hit by it.

Running strace on groupadd, the failure is after groupadd writing to /proc/thread-self/attr/fscreate.

SELinux is not very well supported in either Debian or Ubuntu. If you like SELinux, consider using Red Hat or CentOS.
answered 2 hours ago
Ramón García