Sfdwhf

Good day, ladies and gentlemen, I need your help. I have a virtual machine with Ubuntu 18.04 LTS, and I'm trying to enforce in with SELinux. I had to build and install a custom kernel out of current generic ver. for LTS with some extra flags. There were no support of SELinux in standard kernel. The first problem is: I cannot add users and groups while SELinux is enforcing or permissive. If I disable it and reboot - everything is fine.
No matter if I'm real root, or use sudo su, or unconfined user, I face the same problems.

root@hometest:~# id -Z

staff_u:staff_r:staff_t:s0



root@hometest:~# useradd testuser

useradd: failure while writing changes to /etc/passwd

Not out of space on /

root@hometest:~# df -h

Filesystem      Size  Used Avail Use% Mounted on

/dev/sda2        20G  6.4G   13G  35% /

Permissions

root@hometest:~# ls -alsdZ /etc /etc/passwd /etc/group /etc/shadow

12 drwxr-xr-x. 136 root root system_u:object_r:etc_t:s0 12288 Jul 27 16:25 /etc

4 -rw-rw-rw-.   1 root root system_u:object_r:etc_t:s0   977 Jul 25 10:25 /etc/group

4 -rw-rw-r--.   1 root root system_u:object_r:etc_t:s0  2184 Jul 25 10:17 /etc/passwd

4 -rw-r-----.   1 root shadow system_u:object_r:shadow_t:s0  1291 Jul 25 10:17 /etc/shadow





root@hometest:~# lsattr -d /etc /etc/passwd /etc/group

-----------I--e--- /etc

--------------e--- /etc/passwd

--------------e--- /etc/group

--------------e--- /etc/shadow

Found no SELinux booleans, which could help. System is labeled according to the default policy. Tried to restore contexts of /etc/passwd, /etc/shadow and /etc/grpup - nothing changes.

root@hometest:~# sestatus 

SELinux status:                 enabled

SELinuxfs mount:                /sys/fs/selinux

SELinux root directory:         /etc/selinux

Loaded policy name:             default

Current mode:                   permissive

Mode from config file:          permissive

Policy MLS status:              enabled

Policy deny_unknown status:     allowed

Memory protection checking:     requested (insecure)

Max kernel policy version:      31

Some info from logs:

type=AVC msg=audit(1532674348.442:472): avc:  denied  { map } for  pid=1060 comm="useradd" path="/etc/passwd" dev="sda2" ino=131866 scontext=root:sysadm_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

    Was caused by:

            Missing type enforcement (TE) allow rule.



            You can use audit2allow to generate a loadable module to allow this access.



type=AVC msg=audit(1532685061.535:1239): avc:  denied  { write } for  pid=2759 comm="useradd" path="/etc/passwd.2759" dev="sda2" ino=131279 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1

    Was caused by:

            Missing type enforcement (TE) allow rule.



            You can use audit2allow to generate a loadable module to allow this access.

I compiled a full module with all of the allow rules that were found in audit log, installed it, reloaded the policy and it solved nothing. A checked the log for one more time, found some new entries and made one more module. I tried to change context of /etc/passwd from etc_t to some others - it didn't help. Tried to use strace, but the output is really long. What else can I check o try? There is no problem on Ubuntu 16.04 LTS, what's wrong with 18.04 LTS?
What am I doing wrong? Any help is appreciated.

It seems to be a bug. I have also been hit by it.

Running strace on groupadd, the failures is after groupadd writting to /proc/thread-self/attr/fscreate

SELinux is not very well supported in either Debian or Ubuntu. If you like SELinux, consider using Redhat or Centos.