Hi,
Check the output for the same.
getsebool -a | grep ssh
fenced_can_ssh --> off
selinuxuser_use_ssh_chroot --> on
ssh_chroot_rw_homedirs --> off
ssh_keysign --> off
ssh_sysadm_login --> on
On Wed, Nov 29, 2017 at 1:52 PM, Dominick Grift <dac.override@xxxxxxxxx> wrote:
On Wed, Nov 29, 2017 at 09:33:31AM +0530, Aman Sharma wrote:
> Hi Stephen,
>
> Below is the output of command :
>
> sestatus -v output
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   enforcing
> Mode from config file:          permissive
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Max kernel policy version:      28
>
> Process contexts:
> Current context:                system_u:system_r:unconfined_t:s0-s0:c0.c1023
> Init context:                   system_u:system_r:init_t:s0
> /usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023
>
> File contexts:
> Controlling terminal:           system_u:object_r:sshd_devpts_t:s0
> /etc/passwd                     system_u:object_r:passwd_file_t:s0
> /etc/shadow                     system_u:object_r:shadow_t:s0
> /bin/bash                       system_u:object_r:shell_exec_t:s0
> /bin/login                      system_u:object_r:login_exec_t:s0
> /bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
> /sbin/agetty                    system_u:object_r:getty_exec_t:s0
> /sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
> /usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
> /lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
> /lib/ld-linux.so.2              system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0
>
> *Also I am using ssh session for login.*
>
> *Please let me know how to change id command context to unconfined_u or
> Sysadm_u.*
>
> Thanks in advance
> Aman
not sure and shot in dark, but:
root is assoc. with sysadm_u. sysadm_u is only authorized to use sysadm_r.
if you have the boolean ssh_priv_login set to off then sysadm_u:sysadm_r:sysadm_t:s0 is inaccessible
pam_selinux attempts to use any other contexts that are accessible, and it appears that system_u:system_r:unconfined_t was it.
Do you have the ssh_priv_login boolean set to off? `getsebool -a | grep ssh`
--
>
> On Mon, Nov 27, 2017 at 9:29 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> > On Fri, 2017-11-24 at 10:47 +0530, Aman Sharma wrote:
> > >
> > >
> > > Hi All,
> > >
> > > Currently Working on Cent OS 7.3 and login as a root User and my Id
> > > command output is :
> > >
> > > id
> > > uid=0(root) gid=0(root) groups=0(root)
> > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > >
> > > I want to change System_u:system_r:unconfined_t to sysadm_u:sysadm_r
> > > or unconfined_u:unconfined_r.
> > >
> > > Also showing the output of following command :
> > >
> > > semanage user -l
> > >
> > >                 Labeling   MLS/       MLS/
> > > SELinux User    Prefix     MCS Level  MCS Range          SELinux Roles
> > >
> > > admin_u         user       s0         s0-s0:c0.c1023     sysadm_r system_r
> > > guest_u         user       s0         s0                 guest_r
> > > root            user       s0         s0-s0:c0.c1023     staff_r sysadm_r
> > > specialuser_u   user       s0         s0                 sysadm_r system_r
> > > staff_u         user       s0         s0-s0:c0.c1023     staff_r sysadm_r system_r
> > > sysadm_u        user       s0         s0-s0:c0.c1023     sysadm_r
> > > system_u        user       s0         s0-s0:c0.c1023     system_r
> > > unconfined_u    user       s0         s0-s0:c0.c1023     system_r unconfined_r
> > > user_u          user       s0         s0                 user_r
> > > xguest_u        user       s0         s0                 xguest_r
> > >
> > >
> > > semanage login -l
> > >
> > > Login Name     SELinux User     MLS/MCS Range     Service
> > >
> > > __default__    sysadm_u         s0-s0:c0.c1023    *
> > > ccmservice     specialuser_u    s0                *
> > > cucm           admin_u          s0-s0:c0.c1023    *
> > > drfkeys        specialuser_u    s0                *
> > > drfuser        specialuser_u    s0                *
> > > informix       specialuser_u    s0                *
> > > pwrecovery     specialuser_u    s0                *
> > > root           sysadm_u         s0-s0:c0.c1023    *
> > > sftpuser       specialuser_u    s0                *
> > > system_u       sysadm_u         s0-s0:c0.c1023    *
> > >
> > >
> > > Can anybody Please help me.
> >
> > What is your sestatus -v output? How are you logging in (console, gdm,
> > ssh, ...)?
> >
> > You don't appear to be running the default policy, or if you are,
> > someone has heavily customized your user and login mappings.
> >
> >
> >
>
>
> --
>
> Thanks
> Aman
> Cell: +91 9990296404 | Email ID : amansh.sharma5@xxxxxxxxx
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
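
Added example (not part of the thread, and not code from any poster or from the SELinux project): a small check that resolves a Linux login through the `semanage login -l` and `semanage user -l` tables and tells whether the context reported by `id` is one the mapping authorizes. The function names and the trimmed sample tables are assumptions made for this illustration; the rows are taken from the output quoted above.

```python
"""Compare a session's SELinux context with the login mapping (added example)."""

# Constructed sample input: a subset of the rows quoted in the thread.
LOGIN_L = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          sysadm_u             s0-s0:c0.c1023       *
cucm                 admin_u              s0-s0:c0.c1023       *
root                 sysadm_u             s0-s0:c0.c1023       *
"""
USER_L = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range          SELinux Roles

admin_u         user       s0         s0-s0:c0.c1023     sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023     sysadm_r
system_u        user       s0         s0-s0:c0.c1023     system_r
"""

def parse_logins(text):
    """Map Linux login name -> SELinux user from `semanage login -l` output."""
    rows = (line.split() for line in text.splitlines())
    return {r[0]: r[1] for r in rows if len(r) == 4}  # header has 7 tokens

def parse_roles(text):
    """Map SELinux user -> set of authorized roles from `semanage user -l` output."""
    roles = {}
    for line in text.splitlines():
        f = line.split()
        # Data rows: user, prefix, MCS level, MCS range, then one or more *_r roles.
        if len(f) >= 5 and all(r.endswith("_r") for r in f[4:]):
            roles[f[0]] = set(f[4:])
    return roles

def check_session(login, context, logins, roles):
    """Return (mapped SELinux user, authorized roles, True if context is consistent)."""
    # Logins without their own row fall back to the __default__ mapping.
    seuser = logins.get(login, logins.get("__default__"))
    allowed = roles.get(seuser, set())
    ctx_user, ctx_role = context.split(":")[:2]
    return seuser, allowed, (ctx_user == seuser and ctx_role in allowed)

if __name__ == "__main__":
    ctx = "system_u:system_r:unconfined_t:s0-s0:c0.c1023"  # from `id` in the thread
    print(check_session("root", ctx, parse_logins(LOGIN_L), parse_roles(USER_L)))
```

For the root session in the thread the check reports a mismatch: the mapping gives sysadm_u with sysadm_r only, while the session runs as system_u:system_r.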