Until a few days ago, my Fedora 29 Atomic host was working perfectly with SELinux enforced. The server is only a few weeks old, with nothing fancy set or installed yet.
I recently changed my user (gabx) context from the default unconfined to system and ran restorecon. This change may be the root of the problem. I ran a certbot-letsencrypt container which changed a few file contexts (container_t): maybe it broke a few things?
1- user gabx can no longer ssh to the server: "unable to get valid context for gabx" (same results from various machines)
---------------------------------------------------------------------------
$ journalctl -r
.....
error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
.....
error: PAM pam_open_session(): cannot make/remove an entry for the specified session
....
pam_selinux(sshd:session): Unable to get valid context for gabx
Complete lines below:
Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:ae:a4:a7:92:35:d0:2e:ea:47:82:c7:79:f0:17:db:>
Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:4e:d3:d2:82:9e:72:16:4e:a7:61:8b:00:88:0e:69:>
Aug 28 09:07:45 poppy audit[1954]: CRED_DISP pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_securetty,pam_env,pam_unix acct="gabx" exe="/usr/sbin/ss>
Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
Aug 28 09:07:45 poppy sshd[1957]: Disconnected from user gabx 212.147.52.214 port 57268
Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1957 suid=1001 rport=57268 la>
Aug 28 09:07:45 poppy sshd[1957]: Received disconnect from 212.147.52.214 port 57268:11: disconnected by user
Aug 28 09:07:45 poppy audit[1954]: USER_LOGOUT pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/2 res=su>
Aug 28 09:07:45 poppy audit[1954]: USER_END pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/2 res=succe>
Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
Aug 28 09:07:45 poppy audit[1954]: USER_START pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=212.147.52.214 terminal=/dev/>
Aug 28 09:07:45 poppy audit[1954]: USER_LOGIN pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=212.147.52.214 terminal=/dev/>
Aug 28 09:07:45 poppy sshd[1954]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
Aug 28 09:07:45 poppy audit[1957]: CRED_ACQ pid=1957 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_securetty,pam_env,pam_unix acct="gabx" exe="/usr/sbin/ssh>
Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:ae:a4:a7:92:35:d0:2e:ea:47:82:c7:79:f0:17:db:>
Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:4e:d3:d2:82:9e:72:16:4e:a7:61:8b:00:88:0e:69:>
Aug 28 09:07:45 poppy sshd[1954]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Aug 28 09:07:45 poppy audit[1954]: USER_START pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=? acct="gabx" exe="/usr/sbin/sshd" hostname=212.147.52>
Aug 28 09:07:45 poppy sshd[1954]: pam_unix(sshd:session): session opened for user gabx by (uid=0)
Aug 28 09:07:45 poppy systemd[1]: Started Session 13 of user gabx.
Aug 28 09:07:45 poppy systemd-logind[841]: New session 13 of user gabx.
Aug 28 09:07:45 poppy sshd[1954]: pam_selinux(sshd:session): Unable to get valid context for gabx
----------------------------------------------------------------------------------------------------------
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2019-08-27 22:38:04 UTC; 10h ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 993 (sshd)
Tasks: 1 (limit: 4915)
Memory: 6.2M
CGroup: /system.slice/sshd.service
└─993 /usr/sbin/sshd -D -oCiphers=aes256-gcm@xxxxxxxxxxx,chacha20-poly1305@xxxxxxxxxxx,aes256-ctr,aes256-cbc,aes128-gcm@xxxxxxxxxxx,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha1>
Aug 28 09:06:56 poppy sshd[1947]: Accepted publickey for gabx from 212.147.52.214 port 55887 ssh2: RSA SHA256:EGj/SuwIAfpC5I4gOw1zdFSUYQ3UBqQdUr2y/Q71nJg
Aug 28 09:06:56 poppy sshd[1947]: pam_selinux(sshd:session): Unable to get valid context for gabx
Aug 28 09:06:56 poppy sshd[1947]: pam_unix(sshd:session): session opened for user gabx by (uid=0)
Aug 28 09:06:56 poppy sshd[1947]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Aug 28 09:06:56 poppy sshd[1947]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
Aug 28 09:07:45 poppy sshd[1954]: Accepted publickey for gabx from 212.147.52.214 port 57268 ssh2: RSA SHA256:EGj/SuwIAfpC5I4gOw1zdFSUYQ3UBqQdUr2y/Q71nJg
Aug 28 09:07:45 poppy sshd[1954]: pam_selinux(sshd:session): Unable to get valid context for gabx
Aug 28 09:07:45 poppy sshd[1954]: pam_unix(sshd:session): session opened for user gabx by (uid=0)
Aug 28 09:07:45 poppy sshd[1954]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Aug 28 09:07:45 poppy sshd[1954]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
---------------------------------------------------------------------------------------------
# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_securetty.so # disable remote root
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
----------------------------------------------------------------------------------------------------
2- I can't load modules.
With the help of ausearch and journalctl, I can identify SELinux messages, I can write a myapp.pp module. But then:
-----------------------------------
# semodule -i myapp.pp
semodule: Failed on myapp.pp!
-------------------------------
NOTE: the message is very poor and doesn't help.
I would like to fix all these SELinux issues before I keep setting up/installing apps on the server.
Thank you for your help.
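
Added example (not part of the original post): a small triage script that groups sshd journal lines by PID and separates "authentication failed" from "authentication succeeded but session setup failed", which is the pattern in the log above. The sshd lines for PIDs 1947 and 1954 are taken from the post (key fingerprint trimmed); PID 2001 is a constructed healthy session for contrast, and the function names are illustrative.

```python
import re
from collections import defaultdict

SAMPLE = """\
Aug 28 09:06:56 poppy sshd[1947]: Accepted publickey for gabx from 212.147.52.214 port 55887 ssh2
Aug 28 09:06:56 poppy sshd[1947]: pam_selinux(sshd:session): Unable to get valid context for gabx
Aug 28 09:07:45 poppy sshd[1954]: Accepted publickey for gabx from 212.147.52.214 port 57268 ssh2
Aug 28 09:07:45 poppy sshd[1954]: pam_selinux(sshd:session): Unable to get valid context for gabx
Aug 28 09:07:45 poppy sshd[1954]: pam_unix(sshd:session): session opened for user gabx by (uid=0)
Aug 28 09:07:45 poppy sshd[1954]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Aug 28 09:07:45 poppy sshd[1954]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
Aug 28 09:10:00 poppy sshd[2001]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Aug 28 09:10:00 poppy sshd[2001]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""  # last two lines are constructed, not from the post

LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from ")
# (tag, substring) pairs for the session-phase errors seen in the post
SESSION_ERRORS = (
    ("pam_selinux", "Unable to get valid context"),
    ("pam_open_session", "pam_open_session()"),
    ("pty_relabel", "security_compute_relabel"),
)

def triage(text):
    """Return {pid: {"user", "auth", "errors"}} for every sshd PID seen."""
    sessions = defaultdict(lambda: {"user": None, "auth": None, "errors": []})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # audit[...] and systemd lines are skipped
        s = sessions[int(m["pid"])]
        a = ACCEPT.match(m["msg"])
        if a:
            s["user"], s["auth"] = a["user"], a["method"]
            continue
        for tag, needle in SESSION_ERRORS:
            if needle in m["msg"] and tag not in s["errors"]:
                s["errors"].append(tag)
    return dict(sessions)

def verdict(s):
    if s["auth"] and "pam_selinux" in s["errors"]:
        return "authenticated, SELinux context setup failed"
    if s["auth"] and s["errors"]:
        return "authenticated, session setup failed"
    return "ok" if s["auth"] else "no successful authentication logged"

if __name__ == "__main__":
    for pid, s in sorted(triage(SAMPLE).items()):
        print(pid, s["user"], verdict(s), s["errors"])
```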