On 13.2.2021 18.09, Dominick Grift wrote:
Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:
On Sat, Feb 13, 2021 at 2:24 AM Dominick Grift
<dominick.grift@xxxxxxxxxxx> wrote:
Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:
On Fri, Feb 12, 2021 at 4:52 PM Dominick Grift
<dominick.grift@xxxxxxxxxxx> wrote:
Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:
On Fri, Feb 12, 2021 at 2:58 AM Dominick Grift
<dominick.grift@xxxxxxxxxxx> wrote:
Dominick Grift <dominick.grift@xxxxxxxxxxx> writes:
Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:
BLUF: Logging in via SSH or directly at the console results
in "Unable to get valid context...". Help! Much info included.
You missed a fundamental type attribute association:
type xferHigh2Local_t, CDTml_types, userdomain, process_user_target;
It seems that you did not associate your process types with "domain":
typeattribute xferHigh2Local_t domain;
See if adding that helps
It didn't - but! The failure motivated me to dive more deeply back
into /var/log/audit/audit.log, wherein I noticed that the desired user
context has been being computed correctly since sometime yesterday
(15:29:25 EST, in fact) - but SSH logins were still failing to assign
that context. So I tried a console login and it worked (I've not made
any console related changes since you started helping me with this).
Okay but all processes should alway's associate with the domain attribute
Progress: The desired context is properly computed and assigned, at
least with console (local) login. This leaves me two major items to
figure out:
1. Of the changes I have applied over the last 1-3 days,
what is the minimum set required to achieve this? My
immediate future includes bisection.
Yes i guess work your way back and see...
2. Why doesn't it work with SSH, when it does work with
the console (yes, the ssh_sysadm_login is on)?
see if the ssh daemon runs with the expected:
system_u:system_r:sshd_t:s0 context (ps auxZ | grep ssh)
then doubt check that
/etc/selinux/targeted/contexts/users/CDTml_high2local_u has:
system_r:sshd_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
And use sesearch to verify that the following queries return:
sesearch -A -s sshd_t -t xferHigh2Local_t -c process -p transition
sesearch -A -s xferHigh2Local_t bin_t -c file -p entrypoint
sesearch -A -s xferHigh2Local_t shell_exec_t -c file -p entrypoint
There's also `sedta` (Debian: setools package) which AFAICT walks
through the login process (except for the part that tries to find out
the default context for the user):
$ sedta -s sshd_t -t user_t -S
Domain transition path 1:
Step 1: sshd_t -> user_t
Domain transition rule(s):
allow sshd_t userdomain:process transition; [ ssh_sysadm_login ]:True
allow sshd_t unpriv_userdomain:process transition; [ ssh_sysadm_login
]:False
Set execution context rule(s):
allow sshd_t sshd_t:process { fork getcap getsched setcap setexec
setkeycreate setrlimit setsched sigchld signal };
Entrypoint bin_t:
Domain entrypoint rule(s):
allow user_t bin_t:file { entrypoint execute execute_no_trans
getattr ioctl lock map open read };
File execute rule(s):
allow sshd_t bin_t:file { execute execute_no_trans getattr
ioctl lock map open read };
Entrypoint shell_exec_t:
Domain entrypoint rule(s):
allow user_t shell_exec_t:file { entrypoint execute
execute_no_trans getattr ioctl lock map open read };
File execute rule(s):
allow sshd_t shell_exec_t:file { execute execute_no_trans
getattr ioctl lock map open read };
allow sshd_t shell_exec_t:file { execute getattr ioctl map open
read }; [ ssh_sysadm_login ]:True
allow sshd_t shell_exec_t:file { execute getattr ioctl map open
read }; [ ssh_sysadm_login ]:False
1 domain transition path(s) found.
$ sedta -s local_login_t -t user_t -S
Domain transition path 1:
Step 1: local_login_t -> user_t
Domain transition rule(s):
allow local_login_t userdomain:process { sigchld signal transition };
Set execution context rule(s):
allow local_login_t local_login_t:process { fork getcap setcap setexec
setkeycreate setrlimit setsched sigchld };
Entrypoint shell_exec_t:
Domain entrypoint rule(s):
allow user_t shell_exec_t:file { entrypoint execute
execute_no_trans getattr ioctl lock map open read };
File execute rule(s):
allow local_login_t shell_exec_t:file { execute
execute_no_trans getattr ioctl lock map open read };
Entrypoint bin_t:
Domain entrypoint rule(s):
allow user_t bin_t:file { entrypoint execute execute_no_trans
getattr ioctl lock map open read };
File execute rule(s):
allow local_login_t bin_t:file { execute execute_no_trans
getattr ioctl lock map open read };
1 domain transition path(s) found.
-Topi
Also, just in case, try in permissive mode to see if that changes
anything (unlikely but worth a try)
I've read that the latter may have to do with network labelling and/or
default network context, I may need to explore that.
I dont think that is related
All suggestions welcome!
Thanks! Progress restores optimism.
P