incorrectly defined system account?
Posted: Mon Nov 15, 2010 11:38 am
by webfeatus
Recent yum update listed an error like this in relation to each accountid on the system:
Code:
accountid homedir /var/www/vhosts/domain.com or its parent directory conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts,
/usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin.
Can anyone tell me what this means?
I have selinux disabled.
/etc/selinux/config
SELINUX=disabled
[Reference:
http://sysadmingear.blogspot.com/2007/1 ... linux.html]
Re: incorrectly defined system account?
Posted: Fri Nov 26, 2010 2:40 pm
by mikeshinn
You've got selinux running; to disable it you need to pass selinux=0 to the kernel on boot.
Re: incorrectly defined system account?
Posted: Wed Dec 01, 2010 3:21 am
by webfeatus
mikeshinn wrote: You've got selinux running, to disable it you need to pass selinux=0 to the kernel on boot.
Code:
# /usr/sbin/sestatus -v
SELinux status: disabled
As far as I know, this has been the case since I disabled it according to my post above.
Re: incorrectly defined system account?
Posted: Wed Dec 01, 2010 9:33 am
by scott
You'd think those tools would be more accurate than that by now. But no, it's actually still running. Like mike said above, selinux=0 is the only way to be sure.
Re: incorrectly defined system account?
Posted: Wed Dec 01, 2010 10:55 am
by webfeatus
mikeshinn wrote: you need to pass selinux=0 to the kernel on boot
I tried to avoid asking this newb question...
"How do I do that?"
Re: incorrectly defined system account?
Posted: Wed Dec 01, 2010 11:01 am
by biggles
Edit /etc/grub.conf
Here are my rows that start the current kernel. Don't copy them, just add selinux=0 to your current config.
Code:
title CentOS (2.6.32.21-3.art.i686.PAE)
root (hd0,0)
kernel /vmlinuz-2.6.32.21-3.art.i686.PAE ro root=LABEL=/ selinux=0 panic=5
initrd /initrd-2.6.32.21-3.art.i686.PAE.img
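The check described in the post above, as an added example that is not part of any post in this thread: a shell function that lists every boot entry in a legacy GRUB config, reports whether its kernel line carries selinux=0, and flags the entry selected by default=N. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a legacy GRUB config for selinux=0.

# Print one line per boot entry: "<index> <default|-> <selinux=0|missing> <title>"
# GRUB legacy counts entries from 0, and default=N picks the entry that boots.
audit_grub_selinux() {
    awk '
        /^[ \t]*#/ { next }                                  # skip comments
        /^[ \t]*default[ \t]*=/ { sub(/^[^=]*=/, ""); def = $0 + 0; next }
        /^[ \t]*title[ \t]/ {
            n++; sub(/^[ \t]*title[ \t]+/, "")
            title[n] = $0; flag[n] = "missing"; next
        }
        /^[ \t]*kernel[ \t]/ && n > 0 {                      # kernel line of entry n
            for (i = 2; i <= NF; i++) if ($i == "selinux=0") flag[n] = "selinux=0"
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%d %s %s %s\n", i - 1, (i - 1 == def ? "default" : "-"), flag[i], title[i]
        }
    ' "$1"
}

# Succeed only if the entry GRUB boots by default carries selinux=0.
default_entry_has_selinux0() {
    audit_grub_selinux "$1" | grep -q '^[0-9][0-9]* default selinux=0 '
}

# Constructed sample: one entry with selinux=0, one without, default=1.
write_sample_grub() {
    cat > "$1" <<'EOF'
# grub.conf (constructed sample)
default=1
timeout=5
title CentOS (sample-a)
    root (hd0,0)
    kernel /vmlinuz-sample-a ro root=LABEL=/ selinux=0 panic=5
    initrd /initrd-sample-a.img
title CentOS OpenVz (sample-b)
    root (hd0,0)
    kernel /boot/vmlinuz-sample-b ro root=/dev/md0
    initrd /boot/initrd-sample-b.img
EOF
}

sample=$(mktemp)
write_sample_grub "$sample"
audit_grub_selinux "$sample"
default_entry_has_selinux0 "$sample" || echo "default entry lacks selinux=0"
rm -f "$sample"
```

On a live host, point `audit_grub_selinux` at /etc/grub.conf and compare the result with /proc/cmdline, which shows the parameters the running kernel was actually booted with.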
Re: incorrectly defined system account?
Posted: Wed Dec 01, 2010 11:08 am
by webfeatus
selinux=0 was already included.
No idea what happened with this situation.
I will monitor.
Thank you.
Re: incorrectly defined system account?
Posted: Wed Dec 01, 2010 11:14 am
by webfeatus
I think I was looking at the wrong server.
I believe that the yum error was on my other server.
That server uses openvz, no grsec.
No grub.conf on virtual.
Found this on host...
Code:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You do not have a /boot partition. This means that
# all kernel and initrd paths are relative to /, eg.
# root (hd0,0)
# kernel /boot/vmlinuz-version ro root=/dev/md0
# initrd /boot/initrd-version.img
#boot=/dev/md0
default=1
timeout=5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-164.6.1.el5)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-164.6.1.el5 ro root=/dev/md0
initrd /boot/initrd-2.6.18-164.6.1.el5.img
title CentOS OpenVz (2.6.18-128.2.1.el5.028stab064.8PAE)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-128.2.1.el5.028stab064.8PAE ro root=/dev/md0
initrd /boot/initrd-2.6.18-128.2.1.el5.028stab064.8PAE.img
title OpenVZ (2.6.18-128.2.1.el5.028stab064.7PAE)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-128.2.1.el5.028stab064.7PAE ro root=/dev/md0
initrd /boot/initrd-2.6.18-128.2.1.el5.028stab064.7PAE.img
title CentOS (2.6.18-164.el5)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-164.el5 ro root=/dev/md0
initrd /boot/initrd-2.6.18-164.el5.img
title CentOS (2.6.18-128.el5)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-128.el5 ro root=/dev/md0
initrd /boot/initrd-2.6.18-128.el5.img
Also on host...
Code:
# /usr/sbin/sestatus -v
SELinux status: disabled
Re: incorrectly defined system account?
Posted: Wed Dec 01, 2010 4:56 pm
by faris
I hope I'm not confusing things, but I've seen errors like that during a yum update in the past. They were nothing to worry about.
My impression was that it was just the result of having a selinux-policy (or somesuch) RPM installed, and when that gets updated it checks things, finds a problem and reports it, but that this makes no difference because selinux is disabled.
And selinux is definitely disabled on our systems. No question about it.
Faris.