Re: SELinux troubleshoot: can't install modules

arnaud gaboury <arnaud.gaboury@xxxxxxxxx> · Wed, 28 Aug 2019 14:05:37 +0200

On Wed, Aug 28, 2019 at 1:19 PM Petr Lautrbach <plautrba@xxxxxxxxxxxxxxxxx> wrote:
> Until a few days ago, my Fedora 29 Atomic host was working perfectly with

> SELinux enforced. The server is only a few week old with nothing fancy yet

> set or installed.

> 

> I changed recently my user (gabx) context from the default unconfined to

> systemand ran restorecon.  This change may be the root of the problem. I

> ran a few a certbot-letsencrypt container which changed a few files

> contexts (container_t): maybe did it broke a few things?

What exactly you did when you changed "context from the default unconfined to system" ?

Fresh after install:

--------------------------------------------------
# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
gabx                      unconfined_u              s0-s0:c0.c1023
--------------------------------
Then:

# semanage login -m -s sysadm_u --range s0-s0.c0.c1023
# semanage login -l
gabx                 sysadm_u             s0-s0:c0.c1023       *
# restorecon -RF /hone/gabx
# ls -alZ /home/gabx
drwxrwxr-x. 5 gabx gabx sysadm_u:object_r:config_home_t:s0    61 Aug 17 14:42 .config/
drwxrwxr-x. 2 gabx gabx sysadm_u:object_r:user_home_t:s0       6 Aug 21 14:09 hugo/
....
# vim /etc/sudoers.d/gabx
gabx	ALL=(ALL)	TYPE=sysadm_t	ROLE=sysadm_r	/bin/sh
----------------------------------------------------------------

When listing booleans to answer this thread, I realized I had this:
ssh_sysadm_login --> off

Turning it on allows user gabx to ssh. So it is a first good news. I am left now with the inability to load module. 
As for the doc, it is my ref, I knpw it well.

The following 2 chapters for SELinux Users and Administration Guide could help you set you user correctly:

3.3. Confined and Unconfined Users https://docs.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html

3.3.1. The sudo Transition and SELinux Roles https://docs.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users-sudo_Transition_and_SELinux_Roles

> 

> I have now a few issues:

NOTE: SOLVED

> 1- user gabx can't no more ssh the server: "unable to get valid context for

> gabx" (same results from various machine)

> ---------------------------------------------------------------------------

> $ journalctl -r

> .....

> error: ssh_selinux_setup_pty:security_compute_relabel: Invalid argument

> .....

> error: PAM pam_open_session(): cannot make/remove an entry for the

> specified session

> ....

> pam_selinux(sshd:session):Unableto get valid context for gabx

> 

> below complete lines:

> Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001

> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy

> kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>

> Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001

> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy

> kind=server fp=SHA256:ae:a4:a7:92:35:d0:2e:ea:47:82:c7:79:f0:17:db:>

> Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001

> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy

> kind=server fp=SHA256:4e:d3:d2:82:9e:72:16:4e:a7:61:8b:00:88:0e:69:>

> Aug 28 09:07:45 poppy audit[1954]: CRED_DISP pid=1954 uid=0 auid=1001

> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred

> grantors=pam_securetty,pam_env,pam_unix acct="gabx" exe="/usr/sbin/ss>

> Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001

> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy

> kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>

> Aug 28 09:07:45 poppy sshd[1957]: Disconnected from user gabx

> 212.147.52.214 port 57268

> Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001

> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy

> kind=session fp=? direction=both spid=1957 suid=1001 rport=57268 la>

> Aug 28 09:07:45 poppy sshd[1957]: Received disconnect from 212.147.52.214

> port 57268:11: disconnected by user

> Aug 28 09:07:45 poppy audit[1954]: USER_LOGOUT pid=1954 uid=0 auid=1001

> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001

> exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/2 res=su>

> Aug 28 09:07:45 poppy audit[1954]: USER_END pid=1954 uid=0 auid=1001 ses=13

> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001

> exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/2 res=succe>

> Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001

> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy

> kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>

> Aug 28 09:07:45 poppy audit[1954]: USER_START pid=1954 uid=0 auid=1001

> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001

> exe="/usr/sbin/sshd" hostname=? addr=212.147.52.214 terminal=/dev/>

> Aug 28 09:07:45 poppy audit[1954]: USER_LOGIN pid=1954 uid=0 auid=1001

> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001

> exe="/usr/sbin/sshd" hostname=? addr=212.147.52.214 terminal=/dev/>

> Aug 28 09:07:45 poppy sshd[1954]: error: ssh_selinux_setup_pty:

> security_compute_relabel: Invalid argument

> Aug 28 09:07:45 poppy audit[1957]: CRED_ACQ pid=1957 uid=0 auid=1001 ses=13

> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred

> grantors=pam_securetty,pam_env,pam_unix acct="gabx" exe="/usr/sbin/ssh>

> Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001

> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy

> kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>

> Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001

> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy

> kind=server fp=SHA256:ae:a4:a7:92:35:d0:2e:ea:47:82:c7:79:f0:17:db:>

> Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001

> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy

> kind=server fp=SHA256:4e:d3:d2:82:9e:72:16:4e:a7:61:8b:00:88:0e:69:>

> Aug 28 09:07:45 poppy sshd[1954]: error: PAM: pam_open_session(): Cannot

> make/remove an entry for the specified session

> Aug 28 09:07:45 poppy audit[1954]: USER_START pid=1954 uid=0 auid=1001

> ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023

> msg='op=PAM:session_open grantors=? acct="gabx"

> exe="/usr/sbin/sshd"

> hostname=212.147.52>

> Aug 28 09:07:45 poppy sshd[1954]: pam_unix(sshd:session): session opened

> for user gabx by (uid=0)

> Aug 28 09:07:45 poppy systemd[1]: Started Session 13 of user gabx.

> Aug 28 09:07:45 poppy systemd-logind[841]: New session 13 of user gabx.

> Aug 28 09:07:45 poppy sshd[1954]: pam_selinux(sshd:session): Unable to get

> valid context for gabx

> 

> ----------------------------------------------------------------------------------------------------------

> ● sshd.service - OpenSSH server daemon

>    Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor

> preset: enabled)

>    Active: active (running) since Tue 2019-08-27 22:38:04 UTC; 10h ago

>      Docs: man:sshd(8)

>            man:sshd_config(5)

>  Main PID: 993 (sshd)

>     Tasks: 1 (limit: 4915)

>    Memory: 6.2M

>    CGroup: /system.slice/sshd.service

>            └─993 /usr/sbin/sshd -D -oCiphers=aes256-gcm(a)openssh.com,

> chacha20-poly1305@xxxxxxxxxxx,aes256-ctr,aes256-cbc,aes128-gcm(a)openssh.com,aes128-ctr,aes128-cbc

> -oMACs=hmac-sha2-256-etm(a)openssh.com,hmac-sha1&gt;

> 

> Aug 28 09:06:56 poppy sshd[1947]: Accepted publickey for gabx from

> 212.147.52.214 port 55887 ssh2: RSA

> SHA256:EGj/SuwIAfpC5I4gOw1zdFSUYQ3UBqQdUr2y/Q71nJg

> Aug 28 09:06:56 poppy sshd[1947]: pam_selinux(sshd:session): Unable to get

> valid context for gabx

> Aug 28 09:06:56 poppy sshd[1947]: pam_unix(sshd:session): session opened

> for user gabx by (uid=0)

> Aug 28 09:06:56 poppy sshd[1947]: error: PAM: pam_open_session(): Cannot

> make/remove an entry for the specified session

> Aug 28 09:06:56 poppy sshd[1947]: error: ssh_selinux_setup_pty:

> security_compute_relabel: Invalid argument

> Aug 28 09:07:45 poppy sshd[1954]: Accepted publickey for gabx from

> 212.147.52.214 port 57268 ssh2: RSA

> SHA256:EGj/SuwIAfpC5I4gOw1zdFSUYQ3UBqQdUr2y/Q71nJg

> Aug 28 09:07:45 poppy sshd[1954]: pam_selinux(sshd:session): Unable to get

> valid context for gabx

> Aug 28 09:07:45 poppy sshd[1954]: pam_unix(sshd:session): session opened

> for user gabx by (uid=0)

> Aug 28 09:07:45 poppy sshd[1954]: error: PAM: pam_open_session(): Cannot

> make/remove an entry for the specified session

> Aug 28 09:07:45 poppy sshd[1954]: error: ssh_selinux_setup_pty:

> security_compute_relabel: Invalid argument

> ---------------------------------------------------------------------------------------------

>  # cat /etc/pam.d/sshd

> #%PAM-1.0

> 

> auth  required pam_securetty.so # disable remote root

> auth       substack     password-auth

> auth       include      postlogin

> account    required     pam_sepermit.so

> account    required     pam_nologin.so

> account    include      password-auth

> password   include      password-auth

> # pam_selinux.so close should be the first session rule

> session    required     pam_selinux.so close

> session    required     pam_loginuid.so

> # pam_selinux.so open should only be followed by sessions to be executed in

> the user context

> session    required     pam_selinux.so open env_params

> session    required     pam_namespace.so

> session    optional     pam_keyinit.so force revoke

> session    optional     pam_motd.so

> session    include      password-auth

> session    include      postlogin

> 

> ----------------------------------------------------------------------------------------------------

NOT SOLVED

> 2- I can't load modules.

> 

> With the help of ausearch and journalctl, I can identify SELinux messages,

> I can write a *myapp.pp* module. But then:

> 

> -----------------------------------

> # semodule -i myapp.pp

> semodule:  Failed on myapp.pp!

> -------------------------------

> 

> NOTE: message is very poor and don't help.

> 

> I would like to fix all these DELinux issues before I keep

> setting/installing app on the server.

> Thank you for help.

_______________________________________________

users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx

To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx