Is this a bug in cent OS 7.3 ?
On Tue, Dec 5, 2017 at 2:10 PM, Dominick Grift <dac.override@xxxxxxxxx> wrote:
On Tue, Dec 05, 2017 at 02:02:37PM +0530, Aman Sharma wrote:
> Hi Stephen,
>
> Below is the changes which I made in Login and ssh file :
>
> cat /etc/pam.d/sshd
> #%PAM-1.0
> auth required pam_sepermit.so
side note: this is a "bug"
https://src.fedoraproject.org/rpms/openssh/c/ e044c5cf76618b023a4315f41fe126 c80c06b833?branch=master
> auth include password-auth
> # Used with polkit to reauthorize users in remote sessions
> account required pam_nologin.so
> account include password-auth
> password include password-auth
> # pam_selinux.so close should be the first session rule
> session required pam_selinux.so close
> session required pam_loginuid.so
> # pam_selinux.so open should only be followed by sessions to be executed in
> the user context
> session required pam_selinux.so open env_params
> session required pam_namespace.so
> session optional pam_keyinit.so force revoke
> session include password-auth
> # Used with polkit to reauthorize users in remote sessions
>
>
> cat /etc/pam.d/login
> #%PAM-1.0
> auth [user_unknown=ignore success=ok ignore=ignore default=bad]
> pam_securetty.so
> auth include system-auth
> account required pam_nologin.so
> account include system-auth
> password include system-auth
> # pam_selinux.so close should be the first session rule
> session required pam_selinux.so close
> session required pam_loginuid.so
> session optional pam_console.so
> # pam_selinux.so restore should only be followed by sessions to be executed
> in the user context
> session required pam_selinux.so open
> session required pam_namespace.so
> session optional pam_keyinit.so force revoke
> session include system-auth
> -session optional pam_ck_connector.so
>
> Please Let me know if any comments are there.
>
> On Mon, Dec 4, 2017 at 10:08 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> > On Mon, 2017-12-04 at 22:04 +0530, Aman Sharma wrote:
> > > Hi Stephen,
> > >
> > > Thanks alot for the help.
> > >
> > > I got the issue. Its due to the problem in /etc/pam.d/sshd file.
> > >
> > > After fixing this, now is working fine. Thanks alot once again.
> >
> > Ok, can you explain what exactly what wrong in your /etc/pam.d/sshd
> > file, so that if someone else encounters this behavior in the future,
> > they can find a solution in the list archives?
> >
> > >
> > > On Mon, Dec 4, 2017 at 9:39 PM, Stephen Smalley <sds@xxxxxxxxxxxxx>
> > > wrote:
> > > > On Mon, 2017-12-04 at 21:31 +0530, Aman Sharma wrote:
> > > > > Hi Stephen,
> > > > >
> > > > > I got the below logs from the file .Can you please if these logs
> > > > are
> > > > > fine or not :
> > > > >
> > > > > journalctl | grep selinux
> > > > > Dec 05 02:55:46 localhost.localdomain kernel: EVM:
> > > > security.selinux
> > > > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain
> > > > > type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0
> > > > auid=0
> > > > > ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> > > > > msg='op=PAM:session_open
> > > > >
> > > > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_ namespace,pam_key
> > > > in
> > > > > it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog
> > > > > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209
> > > > > addr=10.97.7.209 terminal=ssh res=success'
> > > > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain
> > > > > type=USER_START msg=audit(1512402970.131:108): pid=7568 uid=0
> > > > auid=0
> > > > > ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> > > > > msg='op=PAM:session_open
> > > > >
> > > > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_ namespace,pam_key
> > > > in
> > > > > it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog
> > > > > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209
> > > > > addr=10.97.7.209 terminal=ssh res=success'
> > > > >
> > > > > Please let me know if any comments are there.
> > > >
> > > > Those are normal. Check journalctl and /var/log/secure for any
> > > > errors
> > > > from sshd.
> > > > Also try the selinuxdefcon command I mentioned.
> > > >
> > > > >
> > > > > On Mon, Dec 4, 2017 at 9:10 PM, Stephen Smalley <sds@xxxxxxxxxxxx
> > > > v>
> > > > > wrote:
> > > > > > On Sat, 2017-12-02 at 09:29 +0530, Aman Sharma wrote:
> > > > > > > Hi All,
> > > > > > >
> > > > > > > Thanks for the information.
> > > > > > >
> > > > > > > But after resetting the semanage User/login, and moving the
> > > > > > targeted
> > > > > > > folder to old one and then install the default target. then
> > > > also
> > > > > > its
> > > > > > > still showing the
> > > > > > > Id context as context=system_u:system_r:unconfined_t:s0-
> > > > > > s0:c0.c1023.
> > > > > > >
> > > > > > > What I observed is after changing the permission using
> > > > semanage
> > > > > > > command also, its still showing the system_u:system_r.
> > > > > > >
> > > > > > > Check the semanage login/User output :
> > > > > > >
> > > > > > > semanage login -l
> > > > > > >
> > > > > > > Login Name SELinux User MLS/MCS Range
> > > >
> > > > > > > Service
> > > > > > >
> > > > > > > __default__ unconfined_u s0-s0:c0.c1023
> > > > *
> > > > > > > root unconfined_u s0-s0:c0.c1023
> > > > *
> > > > > > > system_u system_u s0-s0:c0.c1023
> > > > *
> > > > > > >
> > > > > > >
> > > > > > > semanage user -l
> > > > > > >
> > > > > > > Labeling MLS/ MLS/
> > > >
> > > > > >
> > > > > > > SELinux User Prefix MCS Level MCS Range
> > > >
> > > > > >
> > > > > > > SELinux Roles
> > > > > > >
> > > > > > > guest_u user s0 s0
> > > >
> > > > > >
> > > > > > > guest_r
> > > > > > > root user s0 s0-s0:c0.c1023
> > > >
> > > > > >
> > > > > > > staff_r sysadm_r system_r unconfined_r
> > > > > > > staff_u user s0 s0-s0:c0.c1023
> > > >
> > > > > >
> > > > > > > staff_r sysadm_r system_r unconfined_r
> > > > > > > sysadm_u user s0 s0-s0:c0.c1023
> > > >
> > > > > >
> > > > > > > sysadm_r
> > > > > > > system_u user s0 s0-s0:c0.c1023
> > > >
> > > > > >
> > > > > > > system_r unconfined_r
> > > > > > > unconfined_u user s0 s0-s0:c0.c1023
> > > >
> > > > > >
> > > > > > > system_r unconfined_r
> > > > > > > user_u user s0 s0
> > > >
> > > > > >
> > > > > > > user_r
> > > > > > > xguest_u user s0 s0
> > > >
> > > > > >
> > > > > > > xguest_r
> > > > > > >
> > > > > > >
> > > > > > > Looks like its related to some other issue. What you think
> > > > about
> > > > > > > this.
> > > > > >
> > > > > > Do you have any relevant error messages in /var/log/secure or
> > > > > > journalctl -rb? Look for anything that refers to selinux or
> > > > > > context.
> > > > > >
> > > > > > I'm guessing that pam_selinux is unable to determine a valid
> > > > > > context
> > > > > > for your login for some reason, and this is causing it to fall
> > > > back
> > > > > > to
> > > > > > this one. Or something like that.
> > > > > >
> > > > > > You could try to emulate this process via selinuxdefcon,
> > > > although
> > > > > > I'm
> > > > > > not sure how closely it matches pam_selinux anymore. Sample
> > > > usage:
> > > > > >
> > > > > > 1. See what context sshd is running in.
> > > > > >
> > > > > > ps -eZ | grep sshd
> > > > > >
> > > > > > It should be:
> > > > > > system_u:system_r:sshd_t:s0-s0:c0.c1023
> > > > > >
> > > > > > 2. Run selinuxdefcon to compute the default context for root
> > > > when
> > > > > > logging in from sshd:
> > > > > >
> > > > > > # Second argument should be whatever was shown by ps -eZ | grep
> > > > > > sshd
> > > > > > above.
> > > > > > selinuxdefcon root system_u:system_r:sshd_t:s0-s0.c0123
> > > > > >
> > > > > > It should be:
> > > > > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > Thanks
> > > > > Aman
> > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@xxxxxxxxx
> > > >
> > >
> > >
> > >
> > > --
> > >
> > > Thanks
> > > Aman
> > > Cell: +91 9990296404 | Email ID : amansh.sharma5@xxxxxxxxx
> >
>
>
>
> --
>
> Thanks
> Aman
> Cell: +91 9990296404 | Email ID : amansh.sharma5@xxxxxxxxx
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search= 0x3B6C5F1D2C7B6B02
Dominick Grift
