On Tue, Dec 05, 2017 at 02:34:26PM +0530, Aman Sharma wrote:
> Is this a bug in CentOS 7.3?

I suppose.. but it will only affect you if you actually leverage pam_sepermit (i.e. if you edit /etc/security/sepermit.conf)

> On Tue, Dec 5, 2017 at 2:10 PM, Dominick Grift <dac.override@xxxxxxxxx> wrote:
>
> > On Tue, Dec 05, 2017 at 02:02:37PM +0530, Aman Sharma wrote:
> > > Hi Stephen,
> > >
> > > Below are the changes which I made in the login and ssh files:
> > >
> > > cat /etc/pam.d/sshd
> > > #%PAM-1.0
> > > auth       required     pam_sepermit.so
> >
> > side note: this is a "bug"
> > https://src.fedoraproject.org/rpms/openssh/c/e044c5cf76618b023a4315f41fe126c80c06b833?branch=master
> >
> > > auth       include      password-auth
> > > # Used with polkit to reauthorize users in remote sessions
> > > account    required     pam_nologin.so
> > > account    include      password-auth
> > > password   include      password-auth
> > > # pam_selinux.so close should be the first session rule
> > > session    required     pam_selinux.so close
> > > session    required     pam_loginuid.so
> > > # pam_selinux.so open should only be followed by sessions to be executed in the user context
> > > session    required     pam_selinux.so open env_params
> > > session    required     pam_namespace.so
> > > session    optional     pam_keyinit.so force revoke
> > > session    include      password-auth
> > > # Used with polkit to reauthorize users in remote sessions
> > >
> > >
> > > cat /etc/pam.d/login
> > > #%PAM-1.0
> > > auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
> > > auth       include      system-auth
> > > account    required     pam_nologin.so
> > > account    include      system-auth
> > > password   include      system-auth
> > > # pam_selinux.so close should be the first session rule
> > > session    required     pam_selinux.so close
> > > session    required     pam_loginuid.so
> > > session    optional     pam_console.so
> > > # pam_selinux.so restore should only be followed by sessions to be executed in the user context
> > > session    required     pam_selinux.so open
> > > session    required     pam_namespace.so
> > > session    optional     pam_keyinit.so force revoke
> > > session    include      system-auth
> > > -session   optional     pam_ck_connector.so
> > >
> > > Please let me know if any comments are there.
> > >
> > > On Mon, Dec 4, 2017 at 10:08 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > >
> > > > On Mon, 2017-12-04 at 22:04 +0530, Aman Sharma wrote:
> > > > > Hi Stephen,
> > > > >
> > > > > Thanks a lot for the help.
> > > > >
> > > > > I got the issue. It's due to the problem in the /etc/pam.d/sshd file.
> > > > >
> > > > > After fixing this, now it is working fine. Thanks a lot once again.
> > > >
> > > > Ok, can you explain exactly what went wrong in your /etc/pam.d/sshd
> > > > file, so that if someone else encounters this behavior in the future,
> > > > they can find a solution in the list archives?
> > > >
> > > > >
> > > > > On Mon, Dec 4, 2017 at 9:39 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > > > > > On Mon, 2017-12-04 at 21:31 +0530, Aman Sharma wrote:
> > > > > > > Hi Stephen,
> > > > > > >
> > > > > > > I got the below logs from the file. Can you please check if these logs
> > > > > > > are fine or not:
> > > > > > >
> > > > > > > journalctl | grep selinux
> > > > > > > Dec 05 02:55:46 localhost.localdomain kernel: EVM: security.selinux
> > > > > > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0 auid=0 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 addr=10.97.7.209 terminal=ssh res=success'
> > > > > > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain type=USER_START msg=audit(1512402970.131:108): pid=7568 uid=0 auid=0 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 addr=10.97.7.209 terminal=ssh res=success'
> > > > > > >
> > > > > > > Please let me know if any comments are there.
> > > > > >
> > > > > > Those are normal. Check journalctl and /var/log/secure for any errors
> > > > > > from sshd.
> > > > > > Also try the selinuxdefcon command I mentioned.
> > > > > >
> > > > > > >
> > > > > > > On Mon, Dec 4, 2017 at 9:10 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > > > > > > > On Sat, 2017-12-02 at 09:29 +0530, Aman Sharma wrote:
> > > > > > > > > Hi All,
> > > > > > > > >
> > > > > > > > > Thanks for the information.
> > > > > > > > >
> > > > > > > > > But after resetting the semanage user/login, moving the targeted
> > > > > > > > > folder to an old one and then installing the default target, it is
> > > > > > > > > still showing the id context as
> > > > > > > > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023.
> > > > > > > > >
> > > > > > > > > What I observed is that after changing the permission using the semanage
> > > > > > > > > command, it is still showing system_u:system_r.
> > > > > > > > >
> > > > > > > > > Check the semanage login/user output:
> > > > > > > > >
> > > > > > > > > semanage login -l
> > > > > > > > >
> > > > > > > > > Login Name    SELinux User    MLS/MCS Range     Service
> > > > > > > > >
> > > > > > > > > __default__   unconfined_u    s0-s0:c0.c1023    *
> > > > > > > > > root          unconfined_u    s0-s0:c0.c1023    *
> > > > > > > > > system_u      system_u        s0-s0:c0.c1023    *
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > semanage user -l
> > > > > > > > >
> > > > > > > > >                 Labeling   MLS/         MLS/
> > > > > > > > > SELinux User    Prefix     MCS Level    MCS Range         SELinux Roles
> > > > > > > > >
> > > > > > > > > guest_u         user       s0           s0                guest_r
> > > > > > > > > root            user       s0           s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
> > > > > > > > > staff_u         user       s0           s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
> > > > > > > > > sysadm_u        user       s0           s0-s0:c0.c1023    sysadm_r
> > > > > > > > > system_u        user       s0           s0-s0:c0.c1023    system_r unconfined_r
> > > > > > > > > unconfined_u    user       s0           s0-s0:c0.c1023    system_r unconfined_r
> > > > > > > > > user_u          user       s0           s0                user_r
> > > > > > > > > xguest_u        user       s0           s0                xguest_r
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Looks like it's related to some other issue. What do you think about
> > > > > > > > > this?
> > > > > > > >
> > > > > > > > Do you have any relevant error messages in /var/log/secure or
> > > > > > > > journalctl -rb? Look for anything that refers to selinux or
> > > > > > > > context.
> > > > > > > >
> > > > > > > > I'm guessing that pam_selinux is unable to determine a valid context
> > > > > > > > for your login for some reason, and this is causing it to fall back to
> > > > > > > > this one. Or something like that.
> > > > > > > >
> > > > > > > > You could try to emulate this process via selinuxdefcon, although I'm
> > > > > > > > not sure how closely it matches pam_selinux anymore. Sample usage:
> > > > > > > >
> > > > > > > > 1. See what context sshd is running in.
> > > > > > > >
> > > > > > > > ps -eZ | grep sshd
> > > > > > > >
> > > > > > > > It should be:
> > > > > > > > system_u:system_r:sshd_t:s0-s0:c0.c1023
> > > > > > > >
> > > > > > > > 2. Run selinuxdefcon to compute the default context for root when
> > > > > > > > logging in from sshd:
> > > > > > > >
> > > > > > > > # Second argument should be whatever was shown by ps -eZ | grep sshd
> > > > > > > > above.
> > > > > > > > selinuxdefcon root system_u:system_r:sshd_t:s0-s0:c0.c1023
> > > > > > > >
> > > > > > > > It should be:
> > > > > > > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > >
> > > > > > > Thanks
> > > > > > > Aman
> > > > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@xxxxxxxxx
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > Thanks
> > > > > Aman
> > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@xxxxxxxxx
> > >
> > >
> > > --
> > >
> > > Thanks
> > > Aman
> > > Cell: +91 9990296404 | Email ID : amansh.sharma5@xxxxxxxxx
> >
> > --
> > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> > Dominick Grift
>
>
> --
>
> Thanks
> Aman
> Cell: +91 9990296404 | Email ID : amansh.sharma5@xxxxxxxxx

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Attachment:
signature.asc
Description: PGP signature
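The step Stephen is emulating with selinuxdefcon (and that pam_selinux performs at session open) is libselinux's get_default_context(): map the login name to an SELinux user via seusers, find the default_contexts line whose first field matches the role:type of the process doing the login (here sshd_t), and return the first candidate on that line the SELinux user can actually reach. The Python below is an added example written for this page, not code from the thread, from libselinux or from the pam_selinux module. It models only that core matching; the file contents are constructed to match the semanage login -l output quoted above, the kernel query security_compute_user() is replaced by a hand-written REACHABLE table, and the contexts/users/<seuser> overrides, MLS level matching and the failsafe_context fallback that libselinux would try next are left out. It also shows the failure mode Stephen suspected: when no listed candidate is reachable, or the login process is in a domain default_contexts does not mention, no context can be chosen.

```python
"""Toy model of the context selection done by pam_selinux / selinuxdefcon.

Added example, not code from the thread or from libselinux.  It follows the
shape of libselinux get_default_context(): map the login to an SELinux user
via seusers, match the login process's role:type against default_contexts,
and return the first candidate the SELinux user can actually reach.  The
kernel query security_compute_user() is replaced by a constructed table, and
contexts/users/<seuser> overrides, MLS level checks and the failsafe_context
fallback are omitted.
"""

# Constructed copy of /etc/selinux/targeted/seusers, matching the
# `semanage login -l` output in the thread (login:seuser:range).
SEUSERS = """\
system_u:system_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023
"""

# Constructed excerpt of /etc/selinux/targeted/contexts/default_contexts.
# Field 1 is the role:type[:level] of the process performing the login;
# the remaining fields are candidate role:type[:level] for the new session,
# in order of preference.
DEFAULT_CONTEXTS = """\
system_r:sshd_t:s0        user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:crond_t:s0       user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 unconfined_r:unconfined_t:s0
"""

# Stand-in for security_compute_user(): the role:type pairs each SELinux
# user is allowed to reach.  Constructed for illustration; a real system
# asks the kernel, which derives this from the loaded policy.
REACHABLE = {
    "unconfined_u": {"unconfined_r:unconfined_t", "system_r:unconfined_t"},
    "staff_u": {"staff_r:staff_t", "sysadm_r:sysadm_t"},
    "guest_u": {"guest_r:guest_t"},
}


def role_type(partial):
    """'role:type[:level]' -> 'role:type' (levels are ignored in this model)."""
    role, typ = partial.split(":")[:2]
    return f"{role}:{typ}"


def seuser_for_login(login, seusers=SEUSERS):
    """Map a Linux login to (seuser, range), like getseuserbyname().

    Falls back to the __default__ entry; returns None if neither exists.
    """
    table = {}
    for line in seusers.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, seuser, mls = line.split(":", 2)
        table[name] = (seuser, mls)
    return table.get(login, table.get("__default__"))


def default_context(login, fromcon, seusers=SEUSERS,
                    contexts=DEFAULT_CONTEXTS, reachable=REACHABLE):
    """Return the session context for `login` started from `fromcon`, or
    None when no candidate is both listed and reachable (the situation in
    which pam_selinux cannot pick a context for the login)."""
    entry = seuser_for_login(login, seusers)
    if entry is None:
        return None
    seuser, mls = entry
    allowed = reachable.get(seuser, set())
    # fromcon is 'user:role:type:level'; drop the user part before matching.
    want = role_type(fromcon.split(":", 1)[1])
    for line in contexts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if role_type(fields[0]) != want:
            continue
        for cand in fields[1:]:
            rt = role_type(cand)
            if rt in allowed:
                return f"{seuser}:{rt}:{mls}"
    return None  # nothing listed for this login process is reachable


if __name__ == "__main__":
    sshd = "system_u:system_r:sshd_t:s0-s0:c0.c1023"   # from: ps -eZ | grep sshd
    print("root via sshd  :", default_context("root", sshd))
    print("other via sshd :", default_context("someuser", sshd))
    # Failure mode: a login process in a domain default_contexts never lists.
    print("root via other :", default_context("root", "system_u:system_r:unconfined_t:s0"))
```

Running it with the thread's values reproduces the expected selinuxdefcon answer for root via sshd_t; changing the seusers mapping to a user whose reachable set contains none of the sshd_t candidates, or feeding an sshd context with an unexpected type, yields None, which is the condition to look for in /var/log/secure when a login lands in an unexpected context.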