* Re: What causes this??
From: Russell Coker @ 2003-12-02 4:49 UTC
To: nagray, SE Linux

On Tue, 2 Dec 2003 15:45, Nick <nagray@bruzenak.com> wrote:
> I just rebuilt a system and when I try to change roles I get this
>
>
> [root@hawaii SELinux]# newrole -r sysadm_r
> cannot find your entry in the passwd file.
> [root@hawaii SELinux]#

Please give us the output of the command "id". Chances are you are not
running in a correct context.

Also please tell us whether you are using the old SE Linux or the new SE
Linux, and whether you are in enforcing or permissive mode. If enforcing
then show us any AVC messages that occur in the kernel message log at the
time you run "newrole".

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: What causes this??
From: Dale Amon @ 2003-12-02 12:43 UTC
To: Russell Coker; +Cc: nagray, SE Linux

> On Tue, 2 Dec 2003 15:45, Nick <nagray@bruzenak.com> wrote:
> I just rebuilt a system and when I try to change roles I get this
>
>
> [root@hawaii SELinux]# newrole -r sysadm_r
> cannot find your entry in the passwd file.
> [root@hawaii SELinux]#

If this is a new install, then either you have to add
a line to pam.d/login for pam_selinux.so or else you
have to get Colin Walters login package.

The pam.d solution seems to be the preferred one by
other debian users here (although I'm currently using
the other way).

It's a problem because debian standards don't seem to
allow any way to handle this step other than by manual
incantations.

--
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------

* Re: What causes this??
From: Nick @ 2003-12-02 14:47 UTC
To: Russell Coker; +Cc: nagray, SE Linux

On Mon, 2003-12-01 at 22:49, Russell Coker wrote:
> On Tue, 2 Dec 2003 15:45, Nick <nagray@bruzenak.com> wrote:
> > I just rebuilt a system and when I try to change roles I get this
> >
> >
> > [root@hawaii SELinux]# newrole -r sysadm_r
> > cannot find your entry in the passwd file.
> > [root@hawaii SELinux]#
>
> Please give us the output of the command "id". Chances are you are not
> running in a correct context.

id -c
system_u:system_r:sysadm_t

> Also please tell us whether you are using the old SE Linux or the new SE
> Linux,

This is using the kernel at
http://www.nsa.gov/selinux/archives/linux-2.4-2003100110.tgz
and utilities
http://www.nsa.gov/selinux/archives/selinux-usr-2003100110.tgz

> and whether you are in enforcing or permissive mode.

permissive

> If enforcing
> then show us any AVC messages that occur in the kernel message log at the
> time you run "newrole".

Dec 2 07:44:35 hawaii kernel: security_compute_sid: invalid context
system_u:system_r:newrole_t for scontext=system_u:system_r:sysadm_t
tcontext=system_u:object_r:newrole_exec_t tclass=process

The strange part is that I have rebuilt this system about 10 times now
while working out the instructions and have never seen this behavior.

This is stock RH9.0 built as per the instructions at
https://www.efficax.net/SELinux/build.php

--
Nick (Nix) Gray
Senior Systems Engineer
Bruzenak Inc.
(512) 331-7998

* Re: What causes this??
From: Russell Coker @ 2003-12-02 15:13 UTC
To: nagray; +Cc: SE Linux

On Wed, 3 Dec 2003 01:47, Nick <nagray@austin.rr.com> wrote:
> On Mon, 2003-12-01 at 22:49, Russell Coker wrote:
> > On Tue, 2 Dec 2003 15:45, Nick <nagray@bruzenak.com> wrote:
> > > I just rebuilt a system and when I try to change roles I get this
> > >
> > >
> > > [root@hawaii SELinux]# newrole -r sysadm_r
> > > cannot find your entry in the passwd file.
> > > [root@hawaii SELinux]#
> >
> > Please give us the output of the command "id". Chances are you are not
> > running in a correct context.
>
> id -c
> system_u:system_r:sysadm_t

Looks like you don't have the pam module enabled as Dale suggests. You should
never get a shell in system_u identity of system_r context.

newrole checks the identity against the passwd file, and you have no account
system_u there (and you shouldn't have one).

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

* Re: What causes this??
From: Stephen Smalley @ 2003-12-02 16:28 UTC
To: nagray; +Cc: Russell Coker, nagray, SE Linux

On Tue, 2003-12-02 at 09:47, Nick wrote:
> id -c
> system_u:system_r:sysadm_t

This implies that you aren't running the patched login program (or,
alternatively, using the pam_selinux module). Note that the user
identity portion of the context wasn't set, which is why newrole is
confused.

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

* Re: What causes this??
From: Dale Amon @ 2003-12-03 11:02 UTC
To: Stephen Smalley; +Cc: nagray, Russell Coker, nagray, SE Linux

On Tue, Dec 02, 2003 at 11:28:58AM -0500, Stephen Smalley wrote:
> On Tue, 2003-12-02 at 09:47, Nick wrote:
> > id -c
> > system_u:system_r:sysadm_t
>
> This implies that you aren't running the patched login program (or,
> alternatively, using the pam_selinux module). Note that the user
> identity portion of the context wasn't set, which is why newrole is
> confused.

Stephen, just a modest and time saving suggestion.
Why not add a bit of code to detect this particular
condition and print a message stating the probable
solution?

--
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------
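
The diagnosis reached in the replies above (the identity part of the context has no passwd entry because login never set it) can be expressed as a small check. This is an added example, not part of the thread and not newrole's own code; the function name `check_context`, the sample passwd entries and the `root:sysadm_r:sysadm_t` context are constructed for illustration.

```shell
#!/bin/sh
# Added example: explain why newrole cannot match the current identity.
# Usage: check_context CONTEXT PASSWD_FILE
# Returns 0 if the identity has a passwd entry, 1 if it does not,
# 2 if CONTEXT is not of the form user:role:type.
check_context() {
    ctx=$1
    passwd_file=$2

    case $ctx in
        *:*:*) ;;
        *) echo "malformed context: $ctx"; return 2 ;;
    esac

    user=${ctx%%:*}     # identity portion, e.g. system_u
    rest=${ctx#*:}
    role=${rest%%:*}    # e.g. system_r
    if [ -z "$user" ] || [ -z "$role" ]; then
        echo "malformed context: $ctx"
        return 2
    fi

    # Exact match on the first passwd field; awk avoids regex surprises.
    if awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' \
        "$passwd_file"; then
        echo "ok: identity '$user' (role $role) has a passwd entry"
        return 0
    fi

    echo "identity '$user' has no passwd entry, so the passwd lookup fails;" \
         "the user part of the context was probably not set at login" \
         "(patched login program or pam_selinux not in use)"
    return 1
}

# Constructed sample data, not taken from the thread's system.
sample_passwd=$(mktemp)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'nick:x:500:500::/home/nick:/bin/bash' > "$sample_passwd"
check_context 'system_u:system_r:sysadm_t' "$sample_passwd" || true
check_context 'root:sysadm_r:sysadm_t' "$sample_passwd"
rm -f "$sample_passwd"
```
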

* What causes this??
From: Nick @ 2003-12-02 5:39 UTC
To: SE Linux; +Cc: Russell Coker

I just rebuilt a system and when I try to change roles I get this


[root@hawaii SELinux]# newrole -r sysadm_r
cannot find your entry in the passwd file.
[root@hawaii SELinux]#

--
Nick (Nix) Gray
Senior Systems Engineer
Bruzenak Inc.
(512) 331-7998