Good afternoon, BLUF: Logging in via SSH or directly at the console results in "Unable to get valid context...". Help! Much info included. I'm working on a software diode implementing a linear assured pipeline which is secured with SELinux. As part of this, I am defining a number of SELinux users, with the goal being that Linux users belonging to a specific Linux group will, at login, be assigned to the applicable SELinux user, then role, then type, etc. However. When I log in as my test user, icmc01, via the console or via SSH, I get the message "Unable to get valid context for icmc01". A check with "id -Z" shows that my test user has the following context: system_u:system_r:unconfined_t:s0-s0:c0.c1023 I really want them to have the context: CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0-s0:c0.c1023 (In fact, I don't care about the MLS/MCS portion, I am more than happy to accept system defaults; I'm really only going for the MAC.) What follows is everything I could think to include, from their passwd entry and the group file to semanage settings, from the contexts and content of various SELinux configuration files to the relevant snips of the TE file itself. NOTE: This is all under permissive mode, targeted policy. Any insight or direction will be much appreciated, I am tearing out my hair. Thank you! % grep icmc01 /etc/passwd icmc01:x:2105:2105::/home/icmc01:/bin/bash % grep 2105 /etc/group CDTml_high2local:x:2105: % semanage login -l |grep CDTml_high2local_u %CDTml_high2local CDTml_high2local_u s0-s0:c0.c1023 * % semanage user -l |grep CDTml_high2local_u CDTml_high2local_u user s0 s0-s0:c0.c1023 CDTml_high2local_r % ls -lZ /etc/selinux/targeted/contexts/users/CDTml_high2local_u -rw-r--r--. root root system_u:object_r:default_context_t:s0 /etc/selinux/targeted/contexts/users/CDTml_high2local_u % cat /etc/selinux/targeted/contexts/users/CDTml_high2local_u system_r:crond_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:initrc_su_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:local_login_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:remote_login_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:sshd_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 % ls -lZ /etc/selinux/targeted/contexts/default_* -rw-r--r--. root root system_u:object_r:default_context_t:s0 /etc/selinux/targeted/contexts/default_contexts -rw-r--r--. root root system_u:object_r:default_context_t:s0 /etc/selinux/targeted/contexts/default_type % cat /etc/selinux/targeted/contexts/default_contexts system_r:crond_t:s0 system_r:system_cronjob_t:s0 system_r:local_login_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:sshd_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 system_r:xdm_t:s0 user_r:user_t:s0 % uname -a Linux localhost.localdomain 3.10.0-1160.6.1.el7.x86_64 #1 SMP Wed Oct 21 13:44:38 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux % more /etc/redhat-release Red Hat Enterprise Linux Server release 7.9 (Maipo) % yum info installed \*selinux\*|grep -A3 '^Name' Name : libselinux Arch : x86_64 Version : 2.5 Release : 15.el7 -- Name : libselinux-python Arch : x86_64 Version : 2.5 Release : 15.el7 -- Name : libselinux-utils Arch : x86_64 Version : 2.5 Release : 15.el7 -- Name : selinux-policy Arch : noarch Version : 3.13.1 Release : 268.el7_9.2 -- Name : selinux-policy-devel Arch : noarch Version : 3.13.1 Release : 268.el7_9.2 -- Name : selinux-policy-targeted Arch : noarch Version : 3.13.1 Release : 268.el7_9.2 % grep -C3 CDTml_high2local_r CDTml.te # and grant them access to our types role CDTml_low2local_r; role CDTml_local2high_r; role CDTml_high2local_r; role CDTml_local2low_r; role CDTml_auditor_r; allow system_r { CDTml_low2local_r CDTml_local2high_r CDTml_high2local_r CDTml_local2low_r CDTml_auditor_r }; allow unconfined_r { CDTml_low2local_r CDTml_local2high_r CDTml_high2local_r CDTml_local2low_r CDTml_auditor_r }; -- xferLocal2High_t xferLocal2High_exec_t }; role CDTml_high2local_r types { xferHigh2Local_t xferHigh2Local_exec_t }; % tail -f /var/log/secure Feb 11 14:57:44 localhost login: pam_selinux(login:session): Open Session Feb 11 14:57:44 localhost login: pam_selinux(login:session): Open Session Feb 11 14:57:44 localhost login: pam_selinux(login:session): Username= icmc01 SELinux User= CDTml_high2local_u Level= s0-s0:c0.c1023 Feb 11 14:57:44 localhost login: pam_selinux(login:session): Unable to get valid context for icmc01 Feb 11 14:57:44 localhost login: pam_unix(login:session): session opened for user icmc01 by LOGIN(uid=0) Feb 11 14:57:44 localhost login: LOGIN ON tty2 BY icmc01 Peter Whittaker Director, Business Development www.SphyrnaSecurity.com +1 613 864 5337