> Until a few days ago, my Fedora 29 Atomic host was working perfectly with > SELinux enforced. The server is only a few week old with nothing fancy yet > set or installed. > > I changed recently my user (gabx) context from the default unconfined to > systemand ran restorecon. This change may be the root of the problem. I > ran a few a certbot-letsencrypt container which changed a few files > contexts (container_t): maybe did it broke a few things? What exactly you did when you changed "context from the default unconfined to system" ? The following 2 chapters for SELinux Users and Administration Guide could help you set you user correctly: 3.3. Confined and Unconfined Users https://docs.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html 3.3.1. The sudo Transition and SELinux Roles https://docs.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users-sudo_Transition_and_SELinux_Roles > > I have now a few issues: > > 1- user gabx can't no more ssh the server: "unable to get valid context for > gabx" (same results from various machine) > --------------------------------------------------------------------------- > $ journalctl -r > ..... > error: ssh_selinux_setup_pty:security_compute_relabel: Invalid argument > ..... > error: PAM pam_open_session(): cannot make/remove an entry for the > specified session > .... > pam_selinux(sshd:session):Unableto get valid context for gabx > > below complete lines: > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy > kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:> > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy > kind=server fp=SHA256:ae:a4:a7:92:35:d0:2e:ea:47:82:c7:79:f0:17:db:> > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy > kind=server fp=SHA256:4e:d3:d2:82:9e:72:16:4e:a7:61:8b:00:88:0e:69:> > Aug 28 09:07:45 poppy audit[1954]: CRED_DISP pid=1954 uid=0 auid=1001 > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred > grantors=pam_securetty,pam_env,pam_unix acct="gabx" exe="/usr/sbin/ss> > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy > kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:> > Aug 28 09:07:45 poppy sshd[1957]: Disconnected from user gabx > 212.147.52.214 port 57268 > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy > kind=session fp=? direction=both spid=1957 suid=1001 rport=57268 la> > Aug 28 09:07:45 poppy sshd[1957]: Received disconnect from 212.147.52.214 > port 57268:11: disconnected by user > Aug 28 09:07:45 poppy audit[1954]: USER_LOGOUT pid=1954 uid=0 auid=1001 > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 > exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/2 res=su> > Aug 28 09:07:45 poppy audit[1954]: USER_END pid=1954 uid=0 auid=1001 ses=13 > subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 > exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/2 res=succe> > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy > kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:> > Aug 28 09:07:45 poppy audit[1954]: USER_START pid=1954 uid=0 auid=1001 > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 > exe="/usr/sbin/sshd" hostname=? addr=212.147.52.214 terminal=/dev/> > Aug 28 09:07:45 poppy audit[1954]: USER_LOGIN pid=1954 uid=0 auid=1001 > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 > exe="/usr/sbin/sshd" hostname=? addr=212.147.52.214 terminal=/dev/> > Aug 28 09:07:45 poppy sshd[1954]: error: ssh_selinux_setup_pty: > security_compute_relabel: Invalid argument > Aug 28 09:07:45 poppy audit[1957]: CRED_ACQ pid=1957 uid=0 auid=1001 ses=13 > subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred > grantors=pam_securetty,pam_env,pam_unix acct="gabx" exe="/usr/sbin/ssh> > Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001 > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy > kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:> > Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001 > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy > kind=server fp=SHA256:ae:a4:a7:92:35:d0:2e:ea:47:82:c7:79:f0:17:db:> > Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001 > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy > kind=server fp=SHA256:4e:d3:d2:82:9e:72:16:4e:a7:61:8b:00:88:0e:69:> > Aug 28 09:07:45 poppy sshd[1954]: error: PAM: pam_open_session(): Cannot > make/remove an entry for the specified session > Aug 28 09:07:45 poppy audit[1954]: USER_START pid=1954 uid=0 auid=1001 > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > msg='op=PAM:session_open grantors=? acct="gabx" > exe="/usr/sbin/sshd" > hostname=212.147.52> > Aug 28 09:07:45 poppy sshd[1954]: pam_unix(sshd:session): session opened > for user gabx by (uid=0) > Aug 28 09:07:45 poppy systemd[1]: Started Session 13 of user gabx. > Aug 28 09:07:45 poppy systemd-logind[841]: New session 13 of user gabx. > Aug 28 09:07:45 poppy sshd[1954]: pam_selinux(sshd:session): Unable to get > valid context for gabx > > ---------------------------------------------------------------------------------------------------------- > ● sshd.service - OpenSSH server daemon > Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor > preset: enabled) > Active: active (running) since Tue 2019-08-27 22:38:04 UTC; 10h ago > Docs: man:sshd(8) > man:sshd_config(5) > Main PID: 993 (sshd) > Tasks: 1 (limit: 4915) > Memory: 6.2M > CGroup: /system.slice/sshd.service > └─993 /usr/sbin/sshd -D -oCiphers=aes256-gcm(a)openssh.com, > chacha20-poly1305@xxxxxxxxxxx,aes256-ctr,aes256-cbc,aes128-gcm(a)openssh.com,aes128-ctr,aes128-cbc > -oMACs=hmac-sha2-256-etm(a)openssh.com,hmac-sha1> > > Aug 28 09:06:56 poppy sshd[1947]: Accepted publickey for gabx from > 212.147.52.214 port 55887 ssh2: RSA > SHA256:EGj/SuwIAfpC5I4gOw1zdFSUYQ3UBqQdUr2y/Q71nJg > Aug 28 09:06:56 poppy sshd[1947]: pam_selinux(sshd:session): Unable to get > valid context for gabx > Aug 28 09:06:56 poppy sshd[1947]: pam_unix(sshd:session): session opened > for user gabx by (uid=0) > Aug 28 09:06:56 poppy sshd[1947]: error: PAM: pam_open_session(): Cannot > make/remove an entry for the specified session > Aug 28 09:06:56 poppy sshd[1947]: error: ssh_selinux_setup_pty: > security_compute_relabel: Invalid argument > Aug 28 09:07:45 poppy sshd[1954]: Accepted publickey for gabx from > 212.147.52.214 port 57268 ssh2: RSA > SHA256:EGj/SuwIAfpC5I4gOw1zdFSUYQ3UBqQdUr2y/Q71nJg > Aug 28 09:07:45 poppy sshd[1954]: pam_selinux(sshd:session): Unable to get > valid context for gabx > Aug 28 09:07:45 poppy sshd[1954]: pam_unix(sshd:session): session opened > for user gabx by (uid=0) > Aug 28 09:07:45 poppy sshd[1954]: error: PAM: pam_open_session(): Cannot > make/remove an entry for the specified session > Aug 28 09:07:45 poppy sshd[1954]: error: ssh_selinux_setup_pty: > security_compute_relabel: Invalid argument > --------------------------------------------------------------------------------------------- > # cat /etc/pam.d/sshd > #%PAM-1.0 > > auth required pam_securetty.so # disable remote root > auth substack password-auth > auth include postlogin > account required pam_sepermit.so > account required pam_nologin.so > account include password-auth > password include password-auth > # pam_selinux.so close should be the first session rule > session required pam_selinux.so close > session required pam_loginuid.so > # pam_selinux.so open should only be followed by sessions to be executed in > the user context > session required pam_selinux.so open env_params > session required pam_namespace.so > session optional pam_keyinit.so force revoke > session optional pam_motd.so > session include password-auth > session include postlogin > > ---------------------------------------------------------------------------------------------------- > > 2- I can't load modules. > > With the help of ausearch and journalctl, I can identify SELinux messages, > I can write a *myapp.pp* module. But then: > > ----------------------------------- > # semodule -i myapp.pp > semodule: Failed on myapp.pp! > ------------------------------- > > NOTE: message is very poor and don't help. > > I would like to fix all these DELinux issues before I keep > setting/installing app on the server. > Thank you for help. _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
