Re: Invalid security context while executing audit2alllow.orig
On 05/29/2018 07:39 AM, bhawna goel wrote:
> Hi Team,
>
> We are getting below error while creating policies using command
> audit2allow.orig. Can you help in identifying what could be the possible
> reason of such error.
>
> Error:
> libsepol.context_from_record: invalid security context:
> "specialuser_u:system_r:ssh_t:s0"
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert
> specialuser_u:system_r:ssh_t:s0 to sid

This means that a security context from the avc messages that you fed into audit2allow (or read from the audit logs) is not valid under the currently loaded policy, e.g. specialuser_u might not be defined or it might not be authorized for the system_r role. This commonly happens when you take avc denials / audit logs from one system and try to apply audit2allow to them on a different system with a different policy, or if the denials occurred while a different policy was loaded.

You can specify a policy to audit2allow via -p and have it use that policy when decoding the security contexts.

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

Re: Invalid security context while executing audit2alllow.orig
On Tue, May 29, 2018 at 05:09:53PM +0530, bhawna goel wrote:
> Hi Team,
>
> We are getting below error while creating policies using command
> audit2allow.orig. Can you help in identifying what could be the possible
> reason of such error.

The context "specialuser_u:system_r:ssh_t:s0" is invalid. Either "specialuser_u" is not authorized to associate with "system_r" role, or the system_r role is not allowed to associate with "ssh_t" type.

seinfo -xuspecialuser_u | grep system_r
seinfo -xrsystem_r | grep ssh_t

>
> Error:
> libsepol.context_from_record: invalid security context:
> "specialuser_u:system_r:ssh_t:s0"
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert
> specialuser_u:system_r:ssh_t:s0 to sid
>
> Thanks in Advance
>
> Regards,
> Bhawna

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

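Added example, not part of either reply: a POSIX shell sketch that pulls every distinct context out of a set of AVC records and prints, for each subject context, the two seinfo queries shown above, so all contexts in a log can be checked before running audit2allow. The function names and the sample AVC lines are constructed for illustration; object_r contexts are skipped because libsepol does not apply the user-role and role-type checks to them.

```sh
#!/bin/sh
# Constructed sample AVC records (illustrative, not from the poster's system).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1527593993.123:101): avc:  denied  { read } for  pid=812 comm="sshd" name="shadow" dev="sda1" ino=1234 scontext=specialuser_u:system_r:ssh_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1527593994.456:102): avc:  denied  { open } for  pid=812 comm="sshd" path="/etc/shadow" dev="sda1" ino=1234 scontext=specialuser_u:system_r:ssh_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}

# Read audit records on stdin; print each distinct scontext/tcontext once.
list_contexts() {
    grep -oE '[st]context=[^ ]+' | cut -d= -f2 | sort -u
}

# Print the seinfo queries for one context (user:role:type[:level]).
# Runs in a subshell so the helper variables stay local.
seinfo_checks() (
    user=${1%%:*}; rest=${1#*:}
    role=${rest%%:*}; rest=${rest#*:}
    type=${rest%%:*}          # anything after the type is the MLS level/range
    if [ "$role" != object_r ]; then
        # Is the user authorized for the role?
        printf 'seinfo -xu%s | grep %s\n' "$user" "$role"
        # Is the role authorized for the type?
        printf 'seinfo -xr%s | grep %s\n' "$role" "$type"
    fi
)

# Demo on the constructed records: prints the queries to run on the
# host whose policy audit2allow will decode against.
sample_avc | list_contexts | while read -r ctx; do
    seinfo_checks "$ctx"
done
```

If either query prints nothing on the host where audit2allow runs, the denials were recorded under a different policy, and that policy can be passed to audit2allow with -p as described in the first reply.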
Invalid security context while executing audit2alllow.orig
Hi Team,

We are getting below error while creating policies using command audit2allow.orig. Can you help in identifying what could be the possible reason of such error.

Error:
libsepol.context_from_record: invalid security context: "specialuser_u:system_r:ssh_t:s0"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert specialuser_u:system_r:ssh_t:s0 to sid

Thanks in Advance

Regards,
Bhawna