Useradd/groupadd fails: failure while writing changes to /etc/passwd and /etc/group. Contexts problem

Good day, ladies and gentlemen, I need your help. I have a virtual machine with Ubuntu 18.04 LTS, and I'm trying to enforce it with SELinux. I had to build and install a custom kernel out of the current generic version for LTS with some extra flags. There was no support for SELinux in the standard kernel. The first problem is: I cannot add users and groups while SELinux is enforcing or permissive. If I disable it and reboot, everything is fine.
No matter if I'm real root, or use sudo su, or unconfined user, I face the same problems.



root@hometest:~# id -Z
staff_u:staff_r:staff_t:s0

root@hometest:~# useradd testuser
useradd: failure while writing changes to /etc/passwd


Not out of space on /



root@hometest:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 20G 6.4G 13G 35% /


Permissions



root@hometest:~# ls -alsdZ /etc /etc/passwd /etc/group /etc/shadow
12 drwxr-xr-x. 136 root root system_u:object_r:etc_t:s0 12288 Jul 27 16:25 /etc
4 -rw-rw-rw-. 1 root root system_u:object_r:etc_t:s0 977 Jul 25 10:25 /etc/group
4 -rw-rw-r--. 1 root root system_u:object_r:etc_t:s0 2184 Jul 25 10:17 /etc/passwd
4 -rw-r-----. 1 root shadow system_u:object_r:shadow_t:s0 1291 Jul 25 10:17 /etc/shadow


root@hometest:~# lsattr -d /etc /etc/passwd /etc/group
-----------I--e--- /etc
--------------e--- /etc/passwd
--------------e--- /etc/group
--------------e--- /etc/shadow


Found no SELinux booleans that could help. System is labeled according to the default policy. Tried to restore contexts of /etc/passwd, /etc/shadow and /etc/group - nothing changes.



root@hometest:~# sestatus 
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31


Some info from logs:



type=AVC msg=audit(1532674348.442:472): avc: denied map for pid=1060 comm="useradd" path="/etc/passwd" dev="sda2" ino=131866 scontext=root:sysadm_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1532685061.535:1239): avc: denied write for pid=2759 comm="useradd" path="/etc/passwd.2759" dev="sda2" ino=131279 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.


I compiled a full module with all of the allow rules that were found in the audit log, installed it, reloaded the policy and it solved nothing. I checked the log one more time, found some new entries and made one more module. I tried to change the context of /etc/passwd from etc_t to some others - it didn't help. Tried to use strace, but the output is really long. What else can I check or try? There is no problem on Ubuntu 16.04 LTS, what's wrong with 18.04 LTS?
What am I doing wrong? Any help is appreciated.










permissions security selinux

asked Jul 30 '18 at 20:20
Igor Klyuchnikov
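
Added example, not part of the original question or answer: a Python sketch that parses the AVC records quoted in the question, reduces them to the `allow` rules they correspond to, and records whether each denial was really enforced. A record carrying `permissive=1` was only logged, while `permissive=0` means the access was refused. The function names are illustrative; the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the question (copied from the post).
SAMPLE_LOG = """\
type=AVC msg=audit(1532674348.442:472): avc: denied map for pid=1060 comm="useradd" path="/etc/passwd" dev="sda2" ino=131866 scontext=root:sysadm_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
type=AVC msg=audit(1532685061.535:1239): avc: denied write for pid=2759 comm="useradd" path="/etc/passwd.2759" dev="sda2" ino=131279 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
"""

# Accepts both "denied map for" (as shown in the post) and the raw
# audit.log spelling "denied  { map write } for".
AVC_RE = re.compile(r"avc:\s+denied\s+\{?\s*(?P<perms>[^}]*?)\s*\}?\s+for\s")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":", 3)  # the MLS level may itself contain ':'
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return parts[2]


def parse_avc(line):
    """Parse one AVC denial line; return None for any other line."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    perms = match.group("perms").split()
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    try:
        return {
            "perms": perms,
            "source": context_type(fields["scontext"]),
            "target": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            # permissive=1: logged only. permissive=0: access refused.
            # A record without the field is not counted as blocked.
            "blocked": fields.get("permissive") == "0",
        } if perms else None
    except (KeyError, ValueError):
        return None  # truncated or malformed record


def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "blocked": False})
    for line in log_text.splitlines():
        record = parse_avc(line)
        if record is None:
            continue
        group = groups[(record["source"], record["target"], record["tclass"])]
        group["perms"].update(record["perms"])
        group["blocked"] = group["blocked"] or record["blocked"]
    return dict(groups)


def allow_rule(key, perms):
    """Format one group as a type-enforcement allow rule."""
    source, target, tclass = key
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source} {target}:{tclass} {body};"


def report(log_text):
    """Return (rule, blocked) pairs sorted by rule text."""
    return sorted(
        (allow_rule(key, group["perms"]), group["blocked"])
        for key, group in summarize(log_text).items()
    )


if __name__ == "__main__":
    for rule, blocked in report(SAMPLE_LOG):
        print(("BLOCKED " if blocked else "logged  ") + rule)
```

Both records from the post come back with `blocked` set to `False`, since they were logged with `permissive=1`.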

1 Answer
It seems to be a bug. I have also been hit by it.

Running strace on groupadd, the failure is after groupadd writing to /proc/thread-self/attr/fscreate.

SELinux is not very well supported in either Debian or Ubuntu. If you like SELinux, consider using Red Hat or CentOS.






answered 2 hours ago
Ramón García
