On Wed, Aug 28, 2019 at 1:19 PM Petr Lautrbach <plautrba@xxxxxxxxxxxxxxxxx> wrote:
> Until a few days ago, my Fedora 29 Atomic host was working perfectly with
> SELinux enforced. The server is only a few week old with nothing fancy yet
> set or installed.
>
> I changed recently my user (gabx) context from the default unconfined to
> systemand ran restorecon. This change may be the root of the problem. I
> ran a few a certbot-letsencrypt container which changed a few files
> contexts (container_t): maybe did it broke a few things?
What exactly you did when you changed "context from the default unconfined to system" ?
Fresh after install:
--------------------------------------------------
# semanage login -l
Login Name SELinux User MLS/MCS Range __default__ unconfined_u s0-s0:c0.c1023 root unconfined_u s0-s0:c0.c1023 gabx unconfined_u s0-s0:c0.c1023
--------------------------------
Then:
# semanage login -m -s sysadm_u --range s0-s0.c0.c1023# semanage login -l
gabx sysadm_u s0-s0:c0.c1023 *
# restorecon -RF /hone/gabx
# ls -alZ /home/gabx
drwxrwxr-x. 5 gabx gabx sysadm_u:object_r:config_home_t:s0 61 Aug 17 14:42 .config/
drwxrwxr-x. 2 gabx gabx sysadm_u:object_r:user_home_t:s0 6 Aug 21 14:09 hugo/
....
# vim /etc/sudoers.d/gabx
gabx ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r /bin/sh
----------------------------------------------------------------
When listing booleans to answer this thread, I realized I had this:
ssh_sysadm_login --> off
Turning it on allows user gabx to ssh. So it is a first good news. I am left now with the inability to load module.
As for the doc, it is my ref, I knpw it well.
The following 2 chapters for SELinux Users and Administration Guide could help you set you user correctly:
3.3. Confined and Unconfined Users https://docs.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
3.3.1. The sudo Transition and SELinux Roles https://docs.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users-sudo_Transition_and_SELinux_Roles
>
> I have now a few issues:
NOTE: SOLVED
> 1- user gabx can't no more ssh the server: "unable to get valid context for
> gabx" (same results from various machine)
> ---------------------------------------------------------------------------
> $ journalctl -r
> .....
> error: ssh_selinux_setup_pty:security_compute_relabel: Invalid argument
> .....
> error: PAM pam_open_session(): cannot make/remove an entry for the
> specified session
> ....
> pam_selinux(sshd:session):Unableto get valid context for gabx
>
> below complete lines:
> Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001
> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
> Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001
> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> kind=server fp=SHA256:ae:a4:a7:92:35:d0:2e:ea:47:82:c7:79:f0:17:db:>
> Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001
> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> kind=server fp=SHA256:4e:d3:d2:82:9e:72:16:4e:a7:61:8b:00:88:0e:69:>
> Aug 28 09:07:45 poppy audit[1954]: CRED_DISP pid=1954 uid=0 auid=1001
> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred
> grantors=pam_securetty,pam_env,pam_unix acct="gabx" exe="/usr/sbin/ss>
> Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001
> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
> Aug 28 09:07:45 poppy sshd[1957]: Disconnected from user gabx
> 212.147.52.214 port 57268
> Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001
> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> kind=session fp=? direction=both spid=1957 suid=1001 rport=57268 la>
> Aug 28 09:07:45 poppy sshd[1957]: Received disconnect from 212.147.52.214
> port 57268:11: disconnected by user
> Aug 28 09:07:45 poppy audit[1954]: USER_LOGOUT pid=1954 uid=0 auid=1001
> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001
> exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/2 res=su>
> Aug 28 09:07:45 poppy audit[1954]: USER_END pid=1954 uid=0 auid=1001 ses=13
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001
> exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/2 res=succe>
> Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001
> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
> Aug 28 09:07:45 poppy audit[1954]: USER_START pid=1954 uid=0 auid=1001
> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001
> exe="/usr/sbin/sshd" hostname=? addr=212.147.52.214 terminal=/dev/>
> Aug 28 09:07:45 poppy audit[1954]: USER_LOGIN pid=1954 uid=0 auid=1001
> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001
> exe="/usr/sbin/sshd" hostname=? addr=212.147.52.214 terminal=/dev/>
> Aug 28 09:07:45 poppy sshd[1954]: error: ssh_selinux_setup_pty:
> security_compute_relabel: Invalid argument
> Aug 28 09:07:45 poppy audit[1957]: CRED_ACQ pid=1957 uid=0 auid=1001 ses=13
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred
> grantors=pam_securetty,pam_env,pam_unix acct="gabx" exe="/usr/sbin/ssh>
> Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001
> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
> Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001
> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> kind=server fp=SHA256:ae:a4:a7:92:35:d0:2e:ea:47:82:c7:79:f0:17:db:>
> Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001
> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> kind=server fp=SHA256:4e:d3:d2:82:9e:72:16:4e:a7:61:8b:00:88:0e:69:>
> Aug 28 09:07:45 poppy sshd[1954]: error: PAM: pam_open_session(): Cannot
> make/remove an entry for the specified session
> Aug 28 09:07:45 poppy audit[1954]: USER_START pid=1954 uid=0 auid=1001
> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> msg='op=PAM:session_open grantors=? acct="gabx"
> exe="/usr/sbin/sshd"
> hostname=212.147.52>
> Aug 28 09:07:45 poppy sshd[1954]: pam_unix(sshd:session): session opened
> for user gabx by (uid=0)
> Aug 28 09:07:45 poppy systemd[1]: Started Session 13 of user gabx.
> Aug 28 09:07:45 poppy systemd-logind[841]: New session 13 of user gabx.
> Aug 28 09:07:45 poppy sshd[1954]: pam_selinux(sshd:session): Unable to get
> valid context for gabx
>
> ----------------------------------------------------------------------------------------------------------
> ● sshd.service - OpenSSH server daemon
> Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor
> preset: enabled)
> Active: active (running) since Tue 2019-08-27 22:38:04 UTC; 10h ago
> Docs: man:sshd(8)
> man:sshd_config(5)
> Main PID: 993 (sshd)
> Tasks: 1 (limit: 4915)
> Memory: 6.2M
> CGroup: /system.slice/sshd.service
> └─993 /usr/sbin/sshd -D -oCiphers=aes256-gcm(a)openssh.com,
> chacha20-poly1305@xxxxxxxxxxx,aes256-ctr,aes256-cbc,aes128-gcm(a)openssh.com,aes128-ctr,aes128-cbc
> -oMACs=hmac-sha2-256-etm(a)openssh.com,hmac-sha1>
>
> Aug 28 09:06:56 poppy sshd[1947]: Accepted publickey for gabx from
> 212.147.52.214 port 55887 ssh2: RSA
> SHA256:EGj/SuwIAfpC5I4gOw1zdFSUYQ3UBqQdUr2y/Q71nJg
> Aug 28 09:06:56 poppy sshd[1947]: pam_selinux(sshd:session): Unable to get
> valid context for gabx
> Aug 28 09:06:56 poppy sshd[1947]: pam_unix(sshd:session): session opened
> for user gabx by (uid=0)
> Aug 28 09:06:56 poppy sshd[1947]: error: PAM: pam_open_session(): Cannot
> make/remove an entry for the specified session
> Aug 28 09:06:56 poppy sshd[1947]: error: ssh_selinux_setup_pty:
> security_compute_relabel: Invalid argument
> Aug 28 09:07:45 poppy sshd[1954]: Accepted publickey for gabx from
> 212.147.52.214 port 57268 ssh2: RSA
> SHA256:EGj/SuwIAfpC5I4gOw1zdFSUYQ3UBqQdUr2y/Q71nJg
> Aug 28 09:07:45 poppy sshd[1954]: pam_selinux(sshd:session): Unable to get
> valid context for gabx
> Aug 28 09:07:45 poppy sshd[1954]: pam_unix(sshd:session): session opened
> for user gabx by (uid=0)
> Aug 28 09:07:45 poppy sshd[1954]: error: PAM: pam_open_session(): Cannot
> make/remove an entry for the specified session
> Aug 28 09:07:45 poppy sshd[1954]: error: ssh_selinux_setup_pty:
> security_compute_relabel: Invalid argument
> ---------------------------------------------------------------------------------------------
> # cat /etc/pam.d/sshd
> #%PAM-1.0
>
> auth required pam_securetty.so # disable remote root
> auth substack password-auth
> auth include postlogin
> account required pam_sepermit.so
> account required pam_nologin.so
> account include password-auth
> password include password-auth
> # pam_selinux.so close should be the first session rule
> session required pam_selinux.so close
> session required pam_loginuid.so
> # pam_selinux.so open should only be followed by sessions to be executed in
> the user context
> session required pam_selinux.so open env_params
> session required pam_namespace.so
> session optional pam_keyinit.so force revoke
> session optional pam_motd.so
> session include password-auth
> session include postlogin
>
> ----------------------------------------------------------------------------------------------------
NOT SOLVED
> 2- I can't load modules.
>
> With the help of ausearch and journalctl, I can identify SELinux messages,
> I can write a *myapp.pp* module. But then:
>
> -----------------------------------
> # semodule -i myapp.pp
> semodule: Failed on myapp.pp!
> -------------------------------
>
> NOTE: message is very poor and don't help.
>
> I would like to fix all these DELinux issues before I keep
> setting/installing app on the server.
> Thank you for help.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx