SELinux troubleshoot: can't install modules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Until a few days ago, my Fedora 29 Atomic host was working perfectly with SELinux enforced. The server is only a few week old with nothing fancy yet set or installed.

I changed recently my user (gabx) context from the default unconfined to systemand ran restorecon.  This change may be the root of the problem. I ran a few a certbot-letsencrypt container which changed a few files contexts (container_t): maybe did it broke a few things?


I have now a few issues:

1- user gabx can't no more ssh the server: "unable to get valid context for gabx" (same results from various machine)
---------------------------------------------------------------------------
$ journalctl -r
.....
error: ssh_selinux_setup_pty:security_compute_relabel: Invalid argument
.....
error: PAM pam_open_session(): cannot make/remove an entry for the specified session
....
pam_selinux(sshd:session):Unableto get valid context for gabx

below complete lines:
Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:ae:a4:a7:92:35:d0:2e:ea:47:82:c7:79:f0:17:db:>
Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:4e:d3:d2:82:9e:72:16:4e:a7:61:8b:00:88:0e:69:>
Aug 28 09:07:45 poppy audit[1954]: CRED_DISP pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_securetty,pam_env,pam_unix acct="gabx" exe="/usr/sbin/ss>
Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
Aug 28 09:07:45 poppy sshd[1957]: Disconnected from user gabx 212.147.52.214 port 57268
Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1957 suid=1001 rport=57268 la>
Aug 28 09:07:45 poppy sshd[1957]: Received disconnect from 212.147.52.214 port 57268:11: disconnected by user
Aug 28 09:07:45 poppy audit[1954]: USER_LOGOUT pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/2 res=su>
Aug 28 09:07:45 poppy audit[1954]: USER_END pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/2 res=succe>
Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
Aug 28 09:07:45 poppy audit[1954]: USER_START pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=212.147.52.214 terminal=/dev/>
Aug 28 09:07:45 poppy audit[1954]: USER_LOGIN pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=212.147.52.214 terminal=/dev/>
Aug 28 09:07:45 poppy sshd[1954]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
Aug 28 09:07:45 poppy audit[1957]: CRED_ACQ pid=1957 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_securetty,pam_env,pam_unix acct="gabx" exe="/usr/sbin/ssh>
Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:ae:a4:a7:92:35:d0:2e:ea:47:82:c7:79:f0:17:db:>
Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:4e:d3:d2:82:9e:72:16:4e:a7:61:8b:00:88:0e:69:>
Aug 28 09:07:45 poppy sshd[1954]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Aug 28 09:07:45 poppy audit[1954]: USER_START pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=? acct="gabx" exe="/usr/sbin/sshd" hostname=212.147.52>
Aug 28 09:07:45 poppy sshd[1954]: pam_unix(sshd:session): session opened for user gabx by (uid=0)
Aug 28 09:07:45 poppy systemd[1]: Started Session 13 of user gabx.
Aug 28 09:07:45 poppy systemd-logind[841]: New session 13 of user gabx.
Aug 28 09:07:45 poppy sshd[1954]: pam_selinux(sshd:session): Unable to get valid context for gabx

----------------------------------------------------------------------------------------------------------
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-08-27 22:38:04 UTC; 10h ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 993 (sshd)
    Tasks: 1 (limit: 4915)
   Memory: 6.2M
   CGroup: /system.slice/sshd.service
           └─993 /usr/sbin/sshd -D -oCiphers=aes256-gcm@xxxxxxxxxxx,chacha20-poly1305@xxxxxxxxxxx,aes256-ctr,aes256-cbc,aes128-gcm@xxxxxxxxxxx,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha1>

Aug 28 09:06:56 poppy sshd[1947]: Accepted publickey for gabx from 212.147.52.214 port 55887 ssh2: RSA SHA256:EGj/SuwIAfpC5I4gOw1zdFSUYQ3UBqQdUr2y/Q71nJg
Aug 28 09:06:56 poppy sshd[1947]: pam_selinux(sshd:session): Unable to get valid context for gabx
Aug 28 09:06:56 poppy sshd[1947]: pam_unix(sshd:session): session opened for user gabx by (uid=0)
Aug 28 09:06:56 poppy sshd[1947]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Aug 28 09:06:56 poppy sshd[1947]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
Aug 28 09:07:45 poppy sshd[1954]: Accepted publickey for gabx from 212.147.52.214 port 57268 ssh2: RSA SHA256:EGj/SuwIAfpC5I4gOw1zdFSUYQ3UBqQdUr2y/Q71nJg
Aug 28 09:07:45 poppy sshd[1954]: pam_selinux(sshd:session): Unable to get valid context for gabx
Aug 28 09:07:45 poppy sshd[1954]: pam_unix(sshd:session): session opened for user gabx by (uid=0)
Aug 28 09:07:45 poppy sshd[1954]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Aug 28 09:07:45 poppy sshd[1954]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
---------------------------------------------------------------------------------------------
 # cat /etc/pam.d/sshd
#%PAM-1.0

auth  required pam_securetty.so # disable remote root
auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin

----------------------------------------------------------------------------------------------------

2- I can't load modules.

With the help of ausearch and journalctl, I can identify SELinux messages, I can write a myapp.pp module. But then:

-----------------------------------
# semodule -i myapp.pp
semodule:  Failed on myapp.pp!
-------------------------------

NOTE: message is very poor and don't help.

I would like to fix all these DELinux issues before I keep setting/installing app on the server.
Thank you for help.





_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux