Re: PAM Security related issue

Hi All,

Below is the output of the semanage user command for sftpuser:

specialuser_u   user       s0         s0                             sysadm_r system_r

and for command semanage login -l , output is :

sftpuser             specialuser_u        s0                   *

and also, after adding the debugging option, it's showing the below error message:

Dec 13 15:46:10 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session): Unable to get valid context for sftpuser

Dec 13 15:46:10 cucmSUB authpriv 5 sshd: pam_selinux(sshd:session): Open Session

Dec 13 15:46:11 cucmSUB authpriv 7 sshd: pam_selinux(sshd:session): Username= sftpuser SELinux User= specialuser_u Level= s0

Dec 13 15:46:11 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session): Unable to get valid context for sftpuser


also the selinuxdefcon command is showing an error while running for sftpuser, i.e.

sudo /usr/sbin/selinuxdefcon sftpuser system_u:system_r:sshd_t:s0

/usr/sbin/selinuxdefcon: Invalid argument


Please let me know your comments on this.


Thanks

Aman


On Thu, Dec 14, 2017 at 12:45 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Wed, 2017-12-13 at 21:40 +0530, Aman Sharma wrote:
> Hi Stephen,
>
> Yes , I am using open env_params for it. But for this, my sftp is not
> working and getting the below error message :
>
> Dec 13 13:00:00 aman authpriv 3 sshd: pam_selinux(sshd:session):
> Unable to get valid context for sftpuser
> Dec 13 13:00:00 aman authpriv 6 sshd: pam_unix(sshd:session): session
> opened for user sftpuser by (uid=0)
>
> Please let me know if you have any idea on this.

Do you have any semanage login mapping for sftpuser or is it just using
the __default__ entry? (what does semanage login -l show)  How was
sftpuser created?

You could add the debug option on the pam_selinux.so line to try to get
more information.

You could run selinuxdefcon to query what context would be used for
that user, e.g.
selinuxdefcon sftpuser system_u:system_r:sshd_t:s0-s0.c0123

>
> On Wed, Dec 13, 2017 at 8:54 PM, Stephen Smalley <sds@xxxxxxxxxxxxx>
> wrote:
> > On Tue, 2017-12-12 at 23:47 -0500, Aman Sharma wrote:
> > > Hi All,
> > >
> > > just wanted to know the meaning of line session    required   
> > >  pam_selinux.so open env_params added in /etc/pam.d/sshd file.
> > > Actually I am facing one issue related to this. When I changed
> > this
> > > env_params to restore then my Sftp is not working. 
> > >
> > > Can anybody Please guide me on this.
> >
> > man pam_selinux describes the options and what they mean.
> > Why did you change it to restore?  Per the man page, restore is to
> > temporarily restore the contexts and would be a separate entry in
> > the
> > PAM stack before the module that needs the original contexts,
> > followed
> > by a pam_selinux.so open env_params after that module to set them
> > up
> > again.  But don't use restore unless you actually need it for some
> > reason.
> >
> >
> >
> >
>
>
>
> -- 
>
> Thanks
> Aman
> Cell: +91 9990296404 |  Email ID : amansh.sharma5@xxxxxxxxx



--

Thanks
Aman
Cell: +91 9990296404 |  Email ID : amansh.sharma5@xxxxxxxxx
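Stephen's suggestion to query selinuxdefcon is the quickest way to see which context pam_selinux would pick. The block below is an added example, not code from the thread or from libselinux: it is a simplified Python model of the lookup that get_default_context() performs, so the inputs that feed into it (the semanage login mapping, the SELinux user's roles and level, the per-user contexts/users/<seuser> file and default_contexts, keyed by the source role:type) can be seen together. Every table in it is constructed for the example: the sftpuser/specialuser_u rows mirror the output quoted above, while daemon_u, svcaccount, the ROLE_TYPES table and the file contents are assumptions standing in for a real policy and real files. It uses the SELinux user's default level only and ignores MLS range handling and libselinux's exact ordering rules.

```python
"""Simplified model of the login-context lookup behind pam_selinux's
"Unable to get valid context" message.

Added example, not code from the thread or from libselinux.  Starting
from the source context (sshd_t here), it walks contexts/users/<seuser>
and then default_contexts and returns the first listed role:type that
the mapped SELinux user is authorized for.  All data below is constructed
for the example; ROLE_TYPES is a stand-in for the kernel's policy check.
"""

# Constructed `semanage login -l` rows: login name -> SELinux user.
SEMANAGE_LOGIN = {
    "sftpuser": "specialuser_u",       # as quoted in the thread
    "svcaccount": "daemon_u",          # constructed failure case
    "__default__": "unconfined_u",
}

# Constructed `semanage user -l` rows: SELinux user -> (default level, roles).
SEMANAGE_USER = {
    "specialuser_u": ("s0", {"sysadm_r", "system_r"}),   # as quoted
    "unconfined_u": ("s0", {"unconfined_r", "system_r"}),
    "daemon_u": ("s0", {"system_r"}),                    # constructed: no login role
}

# Assumption: which types each role may enter (stands in for real policy).
ROLE_TYPES = {
    "user_r": {"user_t"},
    "staff_r": {"staff_t"},
    "sysadm_r": {"sysadm_t"},
    "unconfined_r": {"unconfined_t"},
    "system_r": {"sshd_t", "init_t"},
}

# Constructed contexts/users/<seuser> files and default_contexts contents.
USER_CONTEXT_FILES = {
    "specialuser_u": "system_r:sshd_t:s0 sysadm_r:sysadm_t:s0\n",
}
DEFAULT_CONTEXTS = """\
# source role:type[:level]  preferred role:type[:level] entries, in order
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
"""


def split_context(ctx):
    """'user:role:type:level' -> (user, role, type, level); level may be ''."""
    parts = ctx.split(":", 3)
    while len(parts) < 4:
        parts.append("")
    return tuple(parts)


def valid_context(seuser, role, type_, level):
    """Stand-in for security_check_context(): the role must be one of the
    SELinux user's roles, the type allowed for that role, and the level
    the user's default level."""
    if seuser not in SEMANAGE_USER:
        return False
    user_level, roles = SEMANAGE_USER[seuser]
    return role in roles and type_ in ROLE_TYPES.get(role, ()) and level == user_level


def candidates_from_file(text, from_role, from_type):
    """Yield the role:type[:level] entries of every line whose first field
    names the source role:type (the context sshd runs in)."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        key_role, key_type = fields[0].split(":")[:2]
        if (key_role, key_type) != (from_role, from_type):
            continue
        for entry in fields[1:]:
            yield entry


def default_context(login, from_context):
    """Return the first valid login context for `login` when the session is
    opened from `from_context`, or None, which is the case in which
    pam_selinux logs 'Unable to get valid context for <login>'."""
    seuser = SEMANAGE_LOGIN.get(login, SEMANAGE_LOGIN["__default__"])
    if seuser not in SEMANAGE_USER:
        return None
    level, _roles = SEMANAGE_USER[seuser]
    _, from_role, from_type, _ = split_context(from_context)
    # Per-user file takes precedence over the global default_contexts.
    for text in (USER_CONTEXT_FILES.get(seuser, ""), DEFAULT_CONTEXTS):
        for entry in candidates_from_file(text, from_role, from_type):
            role, type_ = entry.split(":")[:2]
            if valid_context(seuser, role, type_, level):
                return f"{seuser}:{role}:{type_}:{level}"
    return None


if __name__ == "__main__":
    sshd = "system_u:system_r:sshd_t:s0"   # the source context from the thread
    for login in ("sftpuser", "someone_else", "svcaccount"):
        print(f"{login:13} -> {default_context(login, sshd)}")
```

The svcaccount/daemon_u row is the interesting one: its SELinux user is authorized only for system_r, no default_contexts entry for sshd_t names that role, so the lookup returns None, which is exactly the condition under which pam_selinux prints the message quoted in the logs above. When debugging a real system, compare the same three things: the `semanage login -l` mapping, the roles and range in `semanage user -l`, and the entries listed for `system_r:sshd_t` in the per-user file and in default_contexts.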
