* Invalid security context while executing audit2alllow.orig
@ 2018-05-29 11:39 bhawna goel
  2018-05-29 12:46 ` Dominick Grift
  2018-05-29 13:47 ` Stephen Smalley
  0 siblings, 2 replies; 3+ messages in thread
From: bhawna goel @ 2018-05-29 11:39 UTC (permalink / raw)
  To: selinux

 Hi Team,

We are getting below error while creating policies using command
audit2allow.orig. Can you help in identifying what could be the possible
reason of such error.

Error:
libsepol.context_from_record: invalid security context:
"specialuser_u:system_r:ssh_t:s0"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
specialuser_u:system_r:ssh_t:s0 to sid

Thanks in Advance

Regards,
Bhawna


* Re: Invalid security context while executing audit2alllow.orig
  2018-05-29 11:39 Invalid security context while executing audit2alllow.orig bhawna goel
@ 2018-05-29 12:46 ` Dominick Grift
  2018-05-29 13:47 ` Stephen Smalley
  1 sibling, 0 replies; 3+ messages in thread
From: Dominick Grift @ 2018-05-29 12:46 UTC (permalink / raw)
  To: selinux

On Tue, May 29, 2018 at 05:09:53PM +0530, bhawna goel wrote:
>  Hi Team,
> 
> We are getting below error while creating policies using command
> audit2allow.orig. Can you help in identifying what could be the possible
> reason of such error.

The context "specialuser_u:system_r:ssh_t:s0" is invalid.

Either "specialuser_u" is not authorized to associate with "system_r" role, or the system_r role is not allowed to associate with "ssh_t" type.

seinfo -xuspecialuser_u | grep system_r
seinfo -xrsystem_r | grep ssh_t

> 
> Error:
> libsepol.context_from_record: invalid security context:
> "specialuser_u:system_r:ssh_t:s0"
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert
> specialuser_u:system_r:ssh_t:s0 to sid
> 
> Thanks in Advance
> 
> Regards,
> Bhawna


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* Re: Invalid security context while executing audit2alllow.orig
  2018-05-29 11:39 Invalid security context while executing audit2alllow.orig bhawna goel
  2018-05-29 12:46 ` Dominick Grift
@ 2018-05-29 13:47 ` Stephen Smalley
  1 sibling, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2018-05-29 13:47 UTC (permalink / raw)
  To: bhawna goel, selinux

On 05/29/2018 07:39 AM, bhawna goel wrote:
> Hi Team,
> 
> We are getting below error while creating policies using command audit2allow.orig. Can you help in identifying what could be the possible reason of such error.
> 
> Error:
> libsepol.context_from_record: invalid security context: "specialuser_u:system_r:ssh_t:s0"
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert specialuser_u:system_r:ssh_t:s0 to sid

This means that a security context from the avc messages that you fed into audit2allow (or read from the audit logs) is not valid under the currently loaded policy, e.g. specialuser_u might not be defined or it might not be authorized for the system_r role.

This commonly happens when you take avc denials / audit logs from one system and try to apply audit2allow to them on a different system with a different policy, or if the denials occurred while a different policy was loaded.

You can specify a policy to audit2allow via -p and have it use that policy when decoding the security contexts.
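
The validity check that both replies describe, as an added example (not part of any message in this thread, and not libsepol's code): it extracts scontext/tcontext from AVC lines and reports which association makes a context invalid. The user-to-role and role-to-type tables and the AVC lines are constructed assumptions; on a real system those associations come from the policy, for instance via the seinfo queries quoted earlier in the thread.

```python
import re

# Constructed stand-in for the loaded policy (assumption, not real policy data):
# roles each SELinux user is authorized for, and types each role may take.
USER_ROLES = {"system_u": {"system_r"}, "specialuser_u": {"staff_r"}}
ROLE_TYPES = {"system_r": {"sshd_t", "init_t"}, "staff_r": {"staff_t", "ssh_t"}}

# Constructed AVC denial lines in audit.log style.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1527593993.123:456): avc:  denied  { read } for  pid=1234 '
    'comm="ssh" name="id_rsa" scontext=specialuser_u:system_r:ssh_t:s0 '
    'tcontext=system_u:object_r:sshd_key_t:s0 tclass=file',
    'type=AVC msg=audit(1527593994.456:457): avc:  denied  { getattr } for  pid=1300 '
    'comm="sshd" name="motd" scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

CONTEXT_RE = re.compile(r"\b[st]context=(\S+)")

def check_context(context):
    """Return None if the context is valid under the tables, else the reason."""
    parts = context.split(":", 3)  # user:role:type[:mls]; MLS part is not checked here
    if len(parts) < 3:
        return "malformed context"
    user, role, type_ = parts[:3]
    if user not in USER_ROLES:
        return f"user {user} is not defined"
    if role == "object_r":
        return None  # object_r labels objects and is exempt from the two checks below
    if role not in USER_ROLES[user]:
        return f"user {user} is not authorized for role {role}"
    if type_ not in ROLE_TYPES.get(role, set()):
        return f"role {role} is not authorized for type {type_}"
    return None

def invalid_contexts(lines):
    """Map every invalid context seen in the AVC lines to the reason it fails."""
    problems = {}
    for line in lines:
        if "avc:" not in line:
            continue
        for ctx in CONTEXT_RE.findall(line):
            reason = check_context(ctx)
            if reason:
                problems[ctx] = reason
    return problems

if __name__ == "__main__":
    for ctx, reason in invalid_contexts(SAMPLE_AVCS).items():
        print(f"{ctx}: {reason}")
```

Running the same log against tables taken from a different policy changes which contexts are flagged, which is the cross-system mismatch described above.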
