* Invalid security context while executing audit2alllow.orig
@ 2018-05-29 11:39 bhawna goel
2018-05-29 12:46 ` Dominick Grift
2018-05-29 13:47 ` Stephen Smalley
0 siblings, 2 replies; 3+ messages in thread
From: bhawna goel @ 2018-05-29 11:39 UTC
To: selinux
Hi Team,
We are getting the error below while creating policies using the command
audit2allow.orig. Can you help in identifying what could be the possible
reason for such an error?
Error:
libsepol.context_from_record: invalid security context:
"specialuser_u:system_r:ssh_t:s0"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
specialuser_u:system_r:ssh_t:s0 to sid
Thanks in Advance
Regards,
Bhawna
* Re: Invalid security context while executing audit2alllow.orig
From: Dominick Grift @ 2018-05-29 12:46 UTC
To: selinux
On Tue, May 29, 2018 at 05:09:53PM +0530, bhawna goel wrote:
> Hi Team,
>
> We are getting the error below while creating policies using the command
> audit2allow.orig. Can you help in identifying what could be the possible
> reason for such an error?
The context "specialuser_u:system_r:ssh_t:s0" is invalid.
Either "specialuser_u" is not authorized to associate with the "system_r" role, or the "system_r" role is not allowed to associate with the "ssh_t" type.
seinfo -xuspecialuser_u | grep system_r
seinfo -xrsystem_r | grep ssh_t
>
> Error:
> libsepol.context_from_record: invalid security context:
> "specialuser_u:system_r:ssh_t:s0"
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert
> specialuser_u:system_r:ssh_t:s0 to sid
>
> Thanks in Advance
>
> Regards,
> Bhawna
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* Re: Invalid security context while executing audit2alllow.orig
From: Stephen Smalley @ 2018-05-29 13:47 UTC
To: bhawna goel, selinux
On 05/29/2018 07:39 AM, bhawna goel wrote:
> Hi Team,
>
> We are getting the error below while creating policies using the command audit2allow.orig. Can you help in identifying what could be the possible reason for such an error?
>
> Error:
> libsepol.context_from_record: invalid security context: "specialuser_u:system_r:ssh_t:s0"
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert specialuser_u:system_r:ssh_t:s0 to sid
This means that a security context from the avc messages that you fed into audit2allow (or read from the audit logs) is not valid under the currently loaded policy, e.g. specialuser_u might not be defined or it might not be authorized for the system_r role.
This commonly happens when you take avc denials / audit logs from one system and try to apply audit2allow to them on a different system with a different policy, or if the denials occurred while a different policy was loaded.
You can specify a policy to audit2allow via -p and have it use that policy when decoding the security contexts.
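
The checks described in the two replies above (is the user defined, is it authorized for the role, is the role allowed the type), as an added example that is not part of the original thread. The `USER_ROLES` and `ROLE_TYPES` tables and the AVC lines are constructed stand-ins for what `seinfo` would report for the policy in question and for a real audit log.

```python
import re

# Constructed stand-in for the user->roles and role->types associations of the
# policy being checked (what the seinfo queries above would report for it).
USER_ROLES = {"system_u": {"system_r"}, "staff_u": {"staff_r"}}
ROLE_TYPES = {"system_r": {"sshd_t", "init_t"}, "staff_r": {"staff_t"}}

# Constructed AVC denial lines (not taken from the thread).
SAMPLE_AVC = """\
type=AVC msg=audit(1527593993.101:42): avc:  denied  { read } for  pid=811 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1527593994.202:43): avc:  denied  { write } for  pid=902 comm="ssh" scontext=specialuser_u:system_r:ssh_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

CONTEXT_RE = re.compile(r"\b([st])context=(\S+)")

def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[0], parts[1], parts[2], (parts[3] if len(parts) == 4 else None)

def check_context(ctx):
    """Return why ctx is invalid under the tables above, or None if it passes."""
    user, role, type_, _level = split_context(ctx)
    if user not in USER_ROLES:
        return f"user {user} is not defined in this policy"
    if role == "object_r":
        return None  # object contexts are exempt from the association checks
    if role not in USER_ROLES[user]:
        return f"user {user} is not authorized for role {role}"
    if type_ not in ROLE_TYPES.get(role, set()):
        return f"role {role} is not allowed type {type_}"
    return None

def invalid_contexts(log_text):
    """Map each distinct invalid scontext/tcontext in the log to its reason."""
    found = {}
    for _kind, ctx in CONTEXT_RE.findall(log_text):
        reason = check_context(ctx)
        if reason:
            found[ctx] = reason
    return found

if __name__ == "__main__":
    for ctx, reason in invalid_contexts(SAMPLE_AVC).items():
        print(f"{ctx}: {reason}")
```

Level (MLS) validity is not checked here; only the user, role and type associations named in the replies are modelled.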