Re: Defining SELinux users, "Unable to get valid context...". Help!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 13.2.2021 18.09, Dominick Grift wrote:
Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:

On Sat, Feb 13, 2021 at 2:24 AM Dominick Grift
<dominick.grift@xxxxxxxxxxx> wrote:
Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:
On Fri, Feb 12, 2021 at 4:52 PM Dominick Grift
<dominick.grift@xxxxxxxxxxx> wrote:
Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:
On Fri, Feb 12, 2021 at 2:58 AM Dominick Grift
<dominick.grift@xxxxxxxxxxx> wrote:
Dominick Grift <dominick.grift@xxxxxxxxxxx> writes:
Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:
     BLUF: Logging in via SSH or directly at the console results
     in "Unable to get valid context...". Help! Much info included.

You missed a fundamental type attribute association:

type xferHigh2Local_t, CDTml_types, userdomain, process_user_target;

It seems that you did not associate your process types with "domain":

typeattribute xferHigh2Local_t domain;

See if adding that helps

It didn't - but! The failure motivated me to dive more deeply back
into /var/log/audit/audit.log, wherein I noticed that the desired user
context has been being computed correctly since sometime yesterday
(15:29:25 EST, in fact) - but SSH logins were still failing to assign
that context. So I tried a console login and it worked (I've not made
any console related changes since you started helping me with this).

Okay but all processes should alway's associate with the domain attribute


Progress: The desired context is properly computed and assigned, at
least with console (local) login. This leaves me two major items to
figure out:

     1. Of the changes I have applied over the last 1-3 days,
         what is the minimum set required to achieve this? My
         immediate future includes bisection.

Yes i guess work your way back and see...


      2. Why doesn't it work with SSH, when it does work with
           the console (yes, the ssh_sysadm_login is on)?

see if the ssh daemon runs with the expected:
system_u:system_r:sshd_t:s0 context (ps auxZ | grep ssh)

then doubt check that
/etc/selinux/targeted/contexts/users/CDTml_high2local_u has:
system_r:sshd_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0

And use sesearch to verify that the following queries return:

sesearch -A -s sshd_t -t xferHigh2Local_t -c process -p transition
sesearch -A -s xferHigh2Local_t bin_t -c file -p entrypoint
sesearch -A -s xferHigh2Local_t shell_exec_t -c file -p entrypoint

There's also `sedta` (Debian: setools package) which AFAICT walks through the login process (except for the part that tries to find out the default context for the user):
$ sedta -s sshd_t -t user_t -S
Domain transition path 1:
Step 1: sshd_t -> user_t

Domain transition rule(s):
allow sshd_t userdomain:process transition; [ ssh_sysadm_login ]:True
allow sshd_t unpriv_userdomain:process transition; [ ssh_sysadm_login ]:False

Set execution context rule(s):
allow sshd_t sshd_t:process { fork getcap getsched setcap setexec setkeycreate setrlimit setsched sigchld signal };

Entrypoint bin_t:
        Domain entrypoint rule(s):
allow user_t bin_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };

        File execute rule(s):
allow sshd_t bin_t:file { execute execute_no_trans getattr ioctl lock map open read };


Entrypoint shell_exec_t:
        Domain entrypoint rule(s):
allow user_t shell_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };

        File execute rule(s):
allow sshd_t shell_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; allow sshd_t shell_exec_t:file { execute getattr ioctl map open read }; [ ssh_sysadm_login ]:True allow sshd_t shell_exec_t:file { execute getattr ioctl map open read }; [ ssh_sysadm_login ]:False


1 domain transition path(s) found.

$ sedta -s local_login_t -t user_t -S
Domain transition path 1:
Step 1: local_login_t -> user_t

Domain transition rule(s):
allow local_login_t userdomain:process { sigchld signal transition };

Set execution context rule(s):
allow local_login_t local_login_t:process { fork getcap setcap setexec setkeycreate setrlimit setsched sigchld };

Entrypoint shell_exec_t:
        Domain entrypoint rule(s):
allow user_t shell_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };

        File execute rule(s):
allow local_login_t shell_exec_t:file { execute execute_no_trans getattr ioctl lock map open read };


Entrypoint bin_t:
        Domain entrypoint rule(s):
allow user_t bin_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };

        File execute rule(s):
allow local_login_t bin_t:file { execute execute_no_trans getattr ioctl lock map open read };


1 domain transition path(s) found.

-Topi


Also, just in case, try in permissive mode to see if that changes
anything (unlikely but worth a try)


I've read that the latter may have to do with network labelling and/or
default network context, I may need to explore that.

I dont think that is related


All suggestions welcome!

Thanks! Progress restores optimism.

P





[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux