incorrectly defined system account?

webfeatus · **Posted:** Mon Nov 15, 2010 11:38 am

Recent yum update listed an error like this in relation to each accountid on the system:

Code:

accountid homedir /var/www/vhosts/domain.com or its parent directory conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts,
/usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account.  If it is a system account please make sure its login shell is /sbin/nologin.

Can anyone tell me what this means?

I have selinux disabled.
/etc/selinux/config
SELINUX=disabled

[Reference: http://sysadmingear.blogspot.com/2007/1 ... linux.html]

mikeshinn · **Posted:** Fri Nov 26, 2010 2:40 pm

You've got selinux running, to disable it you need to pass selinux=0 to the kernel on boot.

webfeatus · **Posted:** Wed Dec 01, 2010 3:21 am

mikeshinn wrote:

You've got selinux running, to disable it you need to pass selinux=0 to the kernel on boot.

Code:

# /usr/sbin/sestatus -v
SELinux status:                 disabled

As far as I know, this has been the case since I disabled according to my post above.

scott · **Posted:** Wed Dec 01, 2010 9:33 am

You'd think those tools would be more accurate than that by now. But no, its actually still running. Like mike said above, selinux=0 is the only way to be sure.

webfeatus · **Posted:** Wed Dec 01, 2010 10:55 am

mikeshinn wrote:

you need to pass selinux=0 to the kernel on boot

I tried to avoid asking this newb question...

"How do I do that?"

biggles · **Posted:** Wed Dec 01, 2010 11:01 am

edit /etc/grub.conf

Here are my rows that start the current kernel. Don't copy them, just add selinux=0 to your current config.

Code:

title CentOS (2.6.32.21-3.art.i686.PAE)
        root (hd0,0)
        kernel /vmlinuz-2.6.32.21-3.art.i686.PAE ro root=LABEL=/ selinux=0 panic=5
        initrd /initrd-2.6.32.21-3.art.i686.PAE.img

webfeatus · **Posted:** Wed Dec 01, 2010 11:08 am

selinux=0 was already included.

No idea what happened with this situation.
I will monitor.
Thank you.

webfeatus · **Posted:** Wed Dec 01, 2010 11:14 am

I think I was looking at the wrong server.
I believe that the yum error was on my other server.
That server uses openvz, no grsec.
No grub.conf on virtual.
Found this on host...

Code:

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You do not have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /, eg.
#          root (hd0,0)
#          kernel /boot/vmlinuz-version ro root=/dev/md0
#          initrd /boot/initrd-version.img
#boot=/dev/md0
default=1
timeout=5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-164.6.1.el5)
        root (hd0,0)
        kernel /boot/vmlinuz-2.6.18-164.6.1.el5 ro root=/dev/md0
        initrd /boot/initrd-2.6.18-164.6.1.el5.img
title CentOS OpenVz (2.6.18-128.2.1.el5.028stab064.8PAE)
        root (hd0,0)
        kernel /boot/vmlinuz-2.6.18-128.2.1.el5.028stab064.8PAE ro root=/dev/md0
        initrd /boot/initrd-2.6.18-128.2.1.el5.028stab064.8PAE.img
title OpenVZ (2.6.18-128.2.1.el5.028stab064.7PAE)
        root (hd0,0)
        kernel /boot/vmlinuz-2.6.18-128.2.1.el5.028stab064.7PAE ro root=/dev/md0
        initrd /boot/initrd-2.6.18-128.2.1.el5.028stab064.7PAE.img
title CentOS (2.6.18-164.el5)
        root (hd0,0)
        kernel /boot/vmlinuz-2.6.18-164.el5 ro root=/dev/md0
        initrd /boot/initrd-2.6.18-164.el5.img
title CentOS (2.6.18-128.el5)
        root (hd0,0)
        kernel /boot/vmlinuz-2.6.18-128.el5 ro root=/dev/md0
        initrd /boot/initrd-2.6.18-128.el5.img

Also on host...

Code:

# /usr/sbin/sestatus -v
SELinux status:                 disabled

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1846

I hope I'm not confusing things, but I've seen errors like that during a yum update in the past. They were nothing to worry about.

My impression was that it was just the result of having a selinux-policy (or somesuch) RPM installed, and when that gets updated it checks things, finds a problem and reports it, but that this makes no difference because selinux is disabled.

And selinux is definitely disabled on our systems. No question about it.

Faris.

incorrectly defined system account?

Who is online