Re: Fwd: Query regarding Selinux Change Id context

On Wed, Nov 29, 2017 at 02:21:46PM +0530, Aman Sharma wrote:
> Hi ,
> 
> Check the output for the same.
> 
> * getsebool -a | grep ssh*
> fenced_can_ssh --> off
> selinuxuser_use_ssh_chroot --> on
> ssh_chroot_rw_homedirs --> off
> ssh_keysign --> off
> ssh_sysadm_login --> on

Thanks. That means I was wrong.

> 
> 
> On Wed, Nov 29, 2017 at 1:52 PM, Dominick Grift <dac.override@xxxxxxxxx>
> wrote:
> 
> > On Wed, Nov 29, 2017 at 09:33:31AM +0530, Aman Sharma wrote:
> > > Hi Stephen,
> > >
> > > Below is the output of command :
> > >
> > > * sestatus -v output*
> > > *SELinux status:                 enabled*
> > > *SELinuxfs mount:                /sys/fs/selinux*
> > > *SELinux root directory:         /etc/selinux*
> > > *Loaded policy name:             targeted*
> > > *Current mode:                   enforcing*
> > > *Mode from config file:          permissive*
> > > *Policy MLS status:              enabled*
> > > *Policy deny_unknown status:     allowed*
> > > *Max kernel policy version:      28*
> > >
> > > *Process contexts:*
> > > *Current context:                system_u:system_r:unconfined_t:s0-s0:c0.c1023*
> > > *Init context:                   system_u:system_r:init_t:s0*
> > > */usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023*
> > >
> > > *File contexts:*
> > > *Controlling terminal:           system_u:object_r:sshd_devpts_t:s0*
> > > */etc/passwd                     system_u:object_r:passwd_file_t:s0*
> > > */etc/shadow                     system_u:object_r:shadow_t:s0*
> > > */bin/bash                       system_u:object_r:shell_exec_t:s0*
> > > */bin/login                      system_u:object_r:login_exec_t:s0*
> > > */bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0*
> > > */sbin/agetty                    system_u:object_r:getty_exec_t:s0*
> > > */sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0*
> > > */usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0*
> > > */lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0*
> > > */lib/ld-linux.so.2              system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0*
> > >
> > > *Also I am using ssh session for login.*
> > >
> > > *Please let me know how to change id command context to unconfined_u or
> > > sysadm_u.*
> > >
> > > Thanks in advance
> > > Aman
> >
> > not sure and shot in dark, but:
> >
> > root is assoc. with sysadm_u. sysadm_u is only authorized to use sysadm_r.
> > if you have the boolean ssh_priv_login set to off then
> > sysadm_u:sysadm_r:sysadm_t:s0 is inaccessible
> > pam_selinux attempts to use any other contexts that are accessible, and it
> > appears that system_u:system_r:unconfined_t was it.
> >
> > Do you have the ssh_priv_login boolean set to off? `getsebool -a | grep ssh`
> >
> > >
> > > On Mon, Nov 27, 2017 at 9:29 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > >
> > > > On Fri, 2017-11-24 at 10:47 +0530, Aman Sharma wrote:
> > > > >
> > > > >
> > > > > Hi All,
> > > > >
> > > > > > Currently working on CentOS 7.3, logged in as the root user, and my id
> > > > > > command output is:
> > > > >
> > > > > id
> > > > > uid=0(root) gid=0(root) groups=0(root)
> > > > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > > > >
> > > > > > I want to change system_u:system_r:unconfined_t to sysadm_u:sysadm_r
> > > > > > or unconfined_u:unconfined_r.
> > > > >
> > > > > Also showing the output of following command :
> > > > >
> > > > > semanage user -l
> > > > >
> > > > > >                 Labeling   MLS/       MLS/
> > > > > > SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
> > > > > >
> > > > > > admin_u         user       s0         s0-s0:c0.c1023   sysadm_r system_r
> > > > > > guest_u         user       s0         s0               guest_r
> > > > > > root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r
> > > > > > specialuser_u   user       s0         s0               sysadm_r system_r
> > > > > > staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r
> > > > > > sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
> > > > > > system_u        user       s0         s0-s0:c0.c1023   system_r
> > > > > > unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
> > > > > > user_u          user       s0         s0               user_r
> > > > > > xguest_u        user       s0         s0               xguest_r
> > > > >
> > > > >
> > > > >  semanage login -l
> > > > >
> > > > > > Login Name           SELinux User         MLS/MCS Range        Service
> > > > >
> > > > > __default__          sysadm_u             s0-s0:c0.c1023       *
> > > > > ccmservice           specialuser_u        s0                   *
> > > > > cucm                 admin_u              s0-s0:c0.c1023       *
> > > > > drfkeys              specialuser_u        s0                   *
> > > > > drfuser              specialuser_u        s0                   *
> > > > > informix             specialuser_u        s0                   *
> > > > > pwrecovery           specialuser_u        s0                   *
> > > > > root                 sysadm_u             s0-s0:c0.c1023       *
> > > > > sftpuser             specialuser_u        s0                   *
> > > > > system_u             sysadm_u             s0-s0:c0.c1023       *
> > > > >
> > > > >
> > > > > > Can anybody please help me?
> > > >
> > > > What is your sestatus -v output?  How are you logging in (console, gdm,
> > > > ssh, ...)?
> > > >
> > > > You don't appear to be running the default policy, or if you are,
> > > > someone has heavily customized your user and login mappings.
> > > >
> > > >
> > > >
> > >
> > >
> > > --
> > >
> > > Thanks
> > > Aman
> > > Cell: +91 9990296404 |  Email ID : amansh.sharma5@xxxxxxxxx
> >
> > --
> > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> > Dominick Grift
> >
> 
> 
> 
> -- 
> 
> Thanks
> Aman
> Cell: +91 9990296404 |  Email ID : amansh.sharma5@xxxxxxxxx

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
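
Added example, not part of the original thread: a small Python check that resolves a login name through the `semanage login -l` and `semanage user -l` tables quoted above and compares the result with a session context such as the one `id` printed for root. The function names are hypothetical, and the embedded tables are a subset of the thread's rows with wrapped lines re-joined.

```python
# Sample input: rows copied from the `semanage login -l` and
# `semanage user -l` output quoted in the thread (wrapped lines re-joined).
LOGIN_MAP = """\
__default__          sysadm_u             s0-s0:c0.c1023       *
cucm                 admin_u              s0-s0:c0.c1023       *
root                 sysadm_u             s0-s0:c0.c1023       *
"""
USER_MAP = """\
admin_u         user       s0         s0-s0:c0.c1023   sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
system_u        user       s0         s0-s0:c0.c1023   system_r
unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
"""

def parse_logins(text):
    """Return {login name: SELinux user} from `semanage login -l` rows."""
    rows = (line.split() for line in text.splitlines())
    return {f[0]: f[1] for f in rows if len(f) >= 3}

def parse_users(text):
    """Return {SELinux user: set of roles}; roles follow the MCS range column."""
    rows = (line.split() for line in text.splitlines())
    return {f[0]: set(f[4:]) for f in rows if len(f) >= 5}

def check_session(login, context, logins, users):
    """Compare a session context (user:role:type:range) with the mappings."""
    se_user, role, _type = context.split(":")[:3]
    # Logins without their own row fall back to the __default__ mapping.
    expected = logins.get(login, logins.get("__default__"))
    findings = []
    if se_user != expected:
        findings.append(f"user {se_user} != mapped user {expected}")
    if role not in users.get(expected, set()):
        findings.append(f"role {role} not authorized for {expected}")
    return expected, findings

if __name__ == "__main__":
    logins, users = parse_logins(LOGIN_MAP), parse_users(USER_MAP)
    # Context reported by `id` in the original post.
    observed = "system_u:system_r:unconfined_t:s0-s0:c0.c1023"
    expected, findings = check_session("root", observed, logins, users)
    print(f"root is mapped to {expected}")
    for finding in findings:
        print("MISMATCH:", finding)
```
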
