* Re: What causes this??
From: Russell Coker @ 2003-12-02 4:49 UTC (permalink / raw)
To: nagray, SE Linux
On Tue, 2 Dec 2003 15:45, Nick <nagray@bruzenak.com> wrote:
> I just rebuilt a system and when I try to change roles I get this
>
>
> [root@hawaii SELinux]# newrole -r sysadm_r
> cannot find your entry in the passwd file.
> [root@hawaii SELinux]#
Please give us the output of the command "id". Chances are you are not
running in a correct context.
Also please tell us whether you are using the old SE Linux or the new SE
Linux, and whether you are in enforcing or permissive mode. If enforcing
then show us any AVC messages that occur in the kernel message log at the
time you run "newrole".
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* What causes this??
From: Nick @ 2003-12-02 5:39 UTC (permalink / raw)
To: SE Linux; +Cc: Russell Coker
I just rebuilt a system and when I try to change roles I get this
[root@hawaii SELinux]# newrole -r sysadm_r
cannot find your entry in the passwd file.
[root@hawaii SELinux]#
--
Nick (Nix) Gray
Senior Systems Engineer
Bruzenak Inc.
(512) 331-7998
* Re: What causes this??
From: Dale Amon @ 2003-12-02 12:43 UTC (permalink / raw)
To: Russell Coker; +Cc: nagray, SE Linux
> On Tue, 2 Dec 2003 15:45, Nick <nagray@bruzenak.com> wrote:
> I just rebuilt a system and when I try to change roles I get this
>
>
> [root@hawaii SELinux]# newrole -r sysadm_r
> cannot find your entry in the passwd file.
> [root@hawaii SELinux]#
If this is a new install, then either you have to
add a line to pam.d/login for pam_selinux.so or
else you have to get Colin Walters' login package.
The pam.d solution seems to be the preferred one
by other Debian users here (although I'm currently
using the other way).
It's a problem because Debian standards don't
seem to allow any way to handle this step other
than by manual incantations.
--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------
* Re: What causes this??
From: Nick @ 2003-12-02 14:47 UTC (permalink / raw)
To: Russell Coker; +Cc: nagray, SE Linux
On Mon, 2003-12-01 at 22:49, Russell Coker wrote:
> On Tue, 2 Dec 2003 15:45, Nick <nagray@bruzenak.com> wrote:
> > I just rebuilt a system and when I try to change roles I get this
> >
> >
> > [root@hawaii SELinux]# newrole -r sysadm_r
> > cannot find your entry in the passwd file.
> > [root@hawaii SELinux]#
>
> Please give us the output of the command "id". Chances are you are not
> running in a correct context.
id -c
system_u:system_r:sysadm_t
> Also please tell us whether you are using the old SE Linux or the new SE
> Linux,
This is using the kernel at
http://www.nsa.gov/selinux/archives/linux-2.4-2003100110.tgz
and utilities
http://www.nsa.gov/selinux/archives/selinux-usr-2003100110.tgz
> and whether you are in enforcing or permissive mode.
permissive
> If enforcing
> then show us any AVC messages that occur in the kernel message log at the
> time you run "newrole".
Dec 2 07:44:35 hawaii kernel: security_compute_sid: invalid context
system_u:system_r:newrole_t for scontext=system_u:system_r:sysadm_t
tcontext=system_u:object_r:newrole_exec_t tclass=process
The strange part is that I have rebuilt this system about 10 times now
while working out the instructions and have never seen this behavior.
This is stock RH9.0 built as per the instructions at
https://www.efficax.net/SELinux/build.php
--
Nick (Nix) Gray
Senior Systems Engineer
Bruzenak Inc.
(512) 331-7998
* Re: What causes this??
From: Russell Coker @ 2003-12-02 15:13 UTC (permalink / raw)
To: nagray; +Cc: SE Linux
On Wed, 3 Dec 2003 01:47, Nick <nagray@austin.rr.com> wrote:
> On Mon, 2003-12-01 at 22:49, Russell Coker wrote:
> > On Tue, 2 Dec 2003 15:45, Nick <nagray@bruzenak.com> wrote:
> > > I just rebuilt a system and when I try to change roles I get this
> > >
> > >
> > > [root@hawaii SELinux]# newrole -r sysadm_r
> > > cannot find your entry in the passwd file.
> > > [root@hawaii SELinux]#
> >
> > Please give us the output of the command "id". Chances are you are not
> > running in a correct context.
>
> id -c
> system_u:system_r:sysadm_t
Looks like you don't have the pam module enabled as Dale suggests. You should
never get a shell in system_u identity of system_r context. newrole checks
the identity against the passwd file, and you have no account system_u there
(and you shouldn't have one).
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: What causes this??
From: Stephen Smalley @ 2003-12-02 16:28 UTC (permalink / raw)
To: nagray; +Cc: Russell Coker, nagray, SE Linux
On Tue, 2003-12-02 at 09:47, Nick wrote:
> id -c
> system_u:system_r:sysadm_t
This implies that you aren't running the patched login program (or,
alternatively, using the pam_selinux module). Note that the user
identity portion of the context wasn't set, which is why newrole is
confused.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: What causes this??
From: Dale Amon @ 2003-12-03 11:02 UTC (permalink / raw)
To: Stephen Smalley; +Cc: nagray, Russell Coker, nagray, SE Linux
On Tue, Dec 02, 2003 at 11:28:58AM -0500, Stephen Smalley wrote:
> On Tue, 2003-12-02 at 09:47, Nick wrote:
> > id -c
> > system_u:system_r:sysadm_t
>
> This implies that you aren't running the patched login program (or,
> alternatively, using the pam_selinux module). Note that the user
> identity portion of the context wasn't set, which is why newrole is
> confused.
Stephen, just a modest and time-saving suggestion. Why
not add a bit of code to detect this particular condition
and print a message stating the probable solution?
--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------
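
The check suggested in this last message, sketched as an added shell example (not newrole's code and not written by anyone in the thread): it takes the context string that `id -c` printed, looks up the identity field in a passwd file as the replies describe newrole doing, and prints the probable fix. The function name `diagnose_context` and the sample passwd entries are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; diagnose_context is a hypothetical helper, not part of newrole.
# Usage: diagnose_context CONTEXT [PASSWD_FILE]
# Returns 0 if the context's identity has a passwd entry,
#         1 if it does not (the failure seen in this thread),
#         2 if the context string is not user:role:type.
diagnose_context() {
    ctx=$1
    passwd_file=${2:-/etc/passwd}

    # Contexts in this thread have three fields, e.g. system_u:system_r:sysadm_t
    case $ctx in
        *:*:*) ;;
        *) echo "malformed context '$ctx' (expected user:role:type)"; return 2 ;;
    esac
    identity=${ctx%%:*}      # text before the first colon
    rest=${ctx#*:}
    role=${rest%%:*}         # text between the first and second colon
    if [ -z "$identity" ] || [ -z "$role" ]; then
        echo "malformed context '$ctx' (empty user or role field)"
        return 2
    fi

    # Exact match on the first passwd field, so "nick" does not match "nick2".
    if awk -F: -v u="$identity" '$1 == u { found = 1 } END { exit !found }' \
        "$passwd_file"; then
        echo "identity '$identity' has a passwd entry"
        return 0
    fi

    echo "identity '$identity' has no entry in $passwd_file"
    if [ "$identity" = "system_u" ]; then
        # Probable cause named in the replies: login never set the user identity.
        echo "hint: this shell still has the system_u identity;"
        echo "      add pam_selinux.so to pam.d/login or use the patched login program"
    fi
    return 1
}

# Constructed sample passwd file (not from the thread) so the demo runs offline.
demo_passwd=$(mktemp)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'nick:x:500:500::/home/nick:/bin/bash' > "$demo_passwd"
diagnose_context 'system_u:system_r:sysadm_t' "$demo_passwd" || true
rm -f "$demo_passwd"
```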