Re: Defining SELinux users, "Unable to get valid context...". Help!

Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:

> Good afternoon,
>
>     BLUF: Logging in via SSH or directly at the console results
>     in "Unable to get valid context...". Help! Much info included.
>
> I'm working on a software diode implementing a linear assured pipeline
> which is secured with SELinux. As part of this, I am defining a number
> of SELinux users, with the goal being that Linux users belonging to a
> specific Linux group will, at login, be assigned to the applicable
> SELinux user, then role, then type, etc.
>
> However. When I log in as my test user, icmc01, via the console or via
> SSH, I get the message "Unable to get valid context for icmc01". A
> check with "id -Z" shows that my test user has the following context:
>
>     system_u:system_r:unconfined_t:s0-s0:c0.c1023
>
> I really want them to have the context:
>
>     CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0-s0:c0.c1023
>
> (In fact, I don't care about the MLS/MCS portion, I am more than happy
> to accept system defaults; I'm really only going for the MAC.)
>
> What follows is everything I could think to include, from their passwd
> entry and the group file to semanage settings, from the contexts and
> content of various SELinux configuration files to the relevant snips
> of the TE file itself.

A few things that I could find but that are needed for computing
contexts are:

The login programs need to be allowed to manually transition to the user
type. So for example if you want to log in with sshd_t:
allow sshd_t xferHigh2Local_t:process transition;

The user type needs to be a bin and shell entry type:
allow xferHigh2Local_t { bin_t shell_exec_t }:file entrypoint;

There is probably more that I am overlooking but these, I think, are an
important part for computation of contexts.

See where those get you.

>
> NOTE: This is all under permissive mode, targeted policy.
>
> Any insight or direction will be much appreciated, I am tearing out
> my hair. Thank you!
>
>     % grep icmc01 /etc/passwd
>     icmc01:x:2105:2105::/home/icmc01:/bin/bash
>
>     % grep 2105 /etc/group
>     CDTml_high2local:x:2105:
>
>     % semanage login -l |grep CDTml_high2local_u
>     %CDTml_high2local    CDTml_high2local_u   s0-s0:c0.c1023       *
>
>     % semanage user -l |grep CDTml_high2local_u
>     CDTml_high2local_u user       s0         s0-s0:c0.c1023
>      CDTml_high2local_r
>
>     % ls -lZ /etc/selinux/targeted/contexts/users/CDTml_high2local_u
>     -rw-r--r--. root root system_u:object_r:default_context_t:s0 /etc/selinux/targeted/contexts/users/CDTml_high2local_u
>
>     % cat /etc/selinux/targeted/contexts/users/CDTml_high2local_u
>     system_r:crond_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
>     system_r:initrc_su_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
>     system_r:local_login_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
>     system_r:remote_login_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
>     system_r:sshd_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
>     CDTml_high2local_r:xferHigh2Local_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
>
>     % ls -lZ /etc/selinux/targeted/contexts/default_*
>     -rw-r--r--. root root system_u:object_r:default_context_t:s0 /etc/selinux/targeted/contexts/default_contexts
>     -rw-r--r--. root root system_u:object_r:default_context_t:s0 /etc/selinux/targeted/contexts/default_type
>
>     % cat /etc/selinux/targeted/contexts/default_contexts
>     system_r:crond_t:s0 system_r:system_cronjob_t:s0
>     system_r:local_login_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
>     system_r:remote_login_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
>     system_r:sshd_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
>     system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
>     system_r:xdm_t:s0 user_r:user_t:s0
>
>     % uname -a
>     Linux localhost.localdomain 3.10.0-1160.6.1.el7.x86_64 #1 SMP Wed Oct 21 13:44:38 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux
>
>     % more /etc/redhat-release
>     Red Hat Enterprise Linux Server release 7.9 (Maipo)
>
>     % yum info installed \*selinux\*|grep -A3 '^Name'
>     Name        : libselinux
>     Arch        : x86_64
>     Version     : 2.5
>     Release     : 15.el7
>     --
>     Name        : libselinux-python
>     Arch        : x86_64
>     Version     : 2.5
>     Release     : 15.el7
>     --
>     Name        : libselinux-utils
>     Arch        : x86_64
>     Version     : 2.5
>     Release     : 15.el7
>     --
>     Name        : selinux-policy
>     Arch        : noarch
>     Version     : 3.13.1
>     Release     : 268.el7_9.2
>     --
>     Name        : selinux-policy-devel
>     Arch        : noarch
>     Version     : 3.13.1
>     Release     : 268.el7_9.2
>     --
>     Name        : selinux-policy-targeted
>     Arch        : noarch
>     Version     : 3.13.1
>     Release     : 268.el7_9.2
>
>     % grep -C3 CDTml_high2local_r CDTml.te
>     # and grant them access to our types
>     role CDTml_low2local_r;
>     role CDTml_local2high_r;
>     role CDTml_high2local_r;
>     role CDTml_local2low_r;
>     role CDTml_auditor_r;
>
>     allow system_r {
>         CDTml_low2local_r
>         CDTml_local2high_r
>         CDTml_high2local_r
>         CDTml_local2low_r
>         CDTml_auditor_r
>     };
>     allow unconfined_r {
>         CDTml_low2local_r
>         CDTml_local2high_r
>         CDTml_high2local_r
>         CDTml_local2low_r
>         CDTml_auditor_r
>     };
>     --
>         xferLocal2High_t
>         xferLocal2High_exec_t
>     };
>     role CDTml_high2local_r types {
>         xferHigh2Local_t
>         xferHigh2Local_exec_t
>     };
>
>     % tail -f /var/log/secure
>     Feb 11 14:57:44 localhost login: pam_selinux(login:session): Open Session
>     Feb 11 14:57:44 localhost login: pam_selinux(login:session): Open Session
>     Feb 11 14:57:44 localhost login: pam_selinux(login:session): Username= icmc01 SELinux User= CDTml_high2local_u Level= s0-s0:c0.c1023
>     Feb 11 14:57:44 localhost login: pam_selinux(login:session): Unable to get valid context for icmc01
>     Feb 11 14:57:44 localhost login: pam_unix(login:session): session opened for user icmc01 by LOGIN(uid=0)
>     Feb 11 14:57:44 localhost login: LOGIN ON tty2 BY icmc01
>
>
> Peter Whittaker
> Director, Business Development
> www.SphyrnaSecurity.com
> +1 613 864 5337

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
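As an added illustration (not code from either poster, and not libselinux or pam_selinux code), the Python below models the chain a login context has to pass before a user such as icmc01 can land in xferHigh2Local_t: the login-to-SELinux-user mapping (what `semanage login -l` shows), the SELinux user's allowed roles (`semanage user -l`), the role's types (`role ... types {...}`), a matching line in the per-user contexts file or default_contexts, and then the two policy rules named in the reply, `process transition` from the login domain into the user type and `file entrypoint` on the shell type. The `Policy` class, `thread_policy()`, `compute_login_context()` and the embedded contexts-file text are constructed for this example from the values in the thread; real libselinux reads the contexts files itself and validates candidates against the loaded policy, so this is a model of the checks, not the library's algorithm.

```python
"""Model of the checks a login's SELinux context must pass (added example).

Not libselinux code: a simplified walk through the steps pam_selinux relies on,
with the identifiers from the thread. Levels are taken from the seusers mapping
and otherwise ignored, since the original poster only cares about the MAC part.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Hypothetical in-memory view of what semanage and the .te file define.
    seusers: dict                     # login name or %group -> (SELinux user, MLS range)
    user_roles: dict                  # SELinux user -> set of roles it may take
    role_types: dict                  # role -> set of types it may run
    allow: set = field(default_factory=set)   # (source, target, class, perm) rules


def parse_context_file(text):
    """Parse default_contexts / users/<seuser> lines:
    'from_role:from_type:level  cand_role:cand_type:level ...'.
    Keyed on from_role:from_type; the level of the login program is not used."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        from_role, from_type, _level = fields[0].split(":", 2)
        table.setdefault(f"{from_role}:{from_type}", []).extend(fields[1:])
    return table


def map_seuser(login, groups, policy):
    """seusers semantics: exact login first, then %group entries, then __default__."""
    for key in [login, *(f"%{g}" for g in groups), "__default__"]:
        if key in policy.seusers:
            return policy.seusers[key]
    return None


def compute_login_context(login, groups, from_context, policy, context_files,
                          shell_type="shell_exec_t"):
    """Return (context, reasons). context is None when no candidate survives;
    reasons lists why each candidate was rejected, in file order."""
    reasons = []
    mapping = map_seuser(login, groups, policy)
    if mapping is None:
        return None, [f"no seusers mapping for {login}"]
    seuser, level = mapping
    from_role, from_type, _ = from_context.split(":", 2)
    from_key = f"{from_role}:{from_type}"

    # Per-user file is consulted before default_contexts; candidates keep file order.
    candidates = []
    for table in context_files:
        candidates.extend(table.get(from_key, []))
    if not candidates:
        return None, [f"no line for {from_key} in any contexts file"]

    for cand in candidates:
        role, type_, _ = cand.split(":", 2)
        if role not in policy.user_roles.get(seuser, set()):
            reasons.append(f"{cand}: role {role} not allowed for user {seuser}")
            continue
        if type_ not in policy.role_types.get(role, set()):
            reasons.append(f"{cand}: type {type_} not associated with role {role}")
            continue
        if (from_type, type_, "process", "transition") not in policy.allow:
            reasons.append(f"{cand}: missing 'allow {from_type} {type_}:process transition'")
            continue
        if (type_, shell_type, "file", "entrypoint") not in policy.allow:
            reasons.append(f"{cand}: missing 'allow {type_} {shell_type}:file entrypoint'")
            continue
        return f"{seuser}:{role}:{type_}:{level}", reasons
    return None, reasons


# Constructed from the files quoted in the thread (per-user file trimmed to two lines).
USER_FILE = """\
system_r:sshd_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
system_r:local_login_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
"""
DEFAULT_CONTEXTS = """\
system_r:crond_t:s0 system_r:system_cronjob_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
"""
CONTEXT_FILES = [parse_context_file(USER_FILE), parse_context_file(DEFAULT_CONTEXTS)]


def thread_policy(with_login_rules):
    """The semanage/.te state from the thread, with or without the two rules
    the reply suggests adding (constructed, not the poster's full policy)."""
    allow = set()
    if with_login_rules:
        allow |= {("sshd_t", "xferHigh2Local_t", "process", "transition"),
                  ("local_login_t", "xferHigh2Local_t", "process", "transition"),
                  ("xferHigh2Local_t", "bin_t", "file", "entrypoint"),
                  ("xferHigh2Local_t", "shell_exec_t", "file", "entrypoint")}
    return Policy(
        seusers={"%CDTml_high2local": ("CDTml_high2local_u", "s0-s0:c0.c1023")},
        user_roles={"CDTml_high2local_u": {"CDTml_high2local_r"}},
        role_types={"CDTml_high2local_r": {"xferHigh2Local_t", "xferHigh2Local_exec_t"}},
        allow=allow)


if __name__ == "__main__":
    for with_rules in (False, True):
        ctx, why = compute_login_context("icmc01", ["CDTml_high2local"],
                                         "system_r:sshd_t:s0",
                                         thread_policy(with_rules), CONTEXT_FILES)
        print(f"rules added={with_rules}: context={ctx}")
        for r in why:
            print("  rejected:", r)
```

Run stand-alone it prints the rejection reason for each candidate without the two rules (the `user_r:user_t:s0` default is rejected because CDTml_high2local_u does not have user_r) and the full `CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0-s0:c0.c1023` context once they are present. When a real login fails with "Unable to get valid context", the equivalent evidence comes from `semanage login -l`, `semanage user -l`, `seinfo -r<role> -x` and `sesearch` against the loaded policy rather than from this model.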


