Dominick Grift <dominick.grift@xxxxxxxxxxx> writes:

> Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:
>
>> On Sun, Feb 14, 2021 at 2:32 AM Dominick Grift
>> <dominick.grift@xxxxxxxxxxx> wrote:
>>> Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:
>>>
>>> > Yes, I may need it, but at this point I want to understand why one
>>> > works and the other doesn't.
>>>
>>> I know that the openssh-server in Red Hat based distributions has custom
>>> SELinux patches.
>>
>> Well. Just fixed it by accident. The relevant line of /etc/pam.d/sshd was
>>
>> session required pam_selinux.so open env_params
>>
>> In an attempt to debug the problem, I changed this to
>>
>> session required pam_selinux.so open select_context
>>
>> PAM did not ask me for a context, but did set the context correctly.
>>
>> session required pam_selinux.so open
>>
>> also worked fine.
>
> Oh right! ... yes, corner case...
>
> To make it work with env_params you need:
>
> allow xferHigh2Local_t self:context contains;
>
> Sorry for overlooking that.
>
>>
>> I need to do some research on this. The env_params option was a system
>> default; I dislike changing system defaults unless I understand why.
>>
>> Now to figure out why the auditor's context is failing to be set.

I think this patch is why you need "context contains" when you have "env_params" set:

https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-role-mls.patch

>>
>> P
>>
>> Peter Whittaker
>> Director, Business Development
>> www.SphyrnaSecurity.com
>> +1 613 864 5337

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
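One way to turn the thread's finding into a repeatable check, as an added example written for this page and not code posted by either participant: scan the sshd PAM stack for the pam_selinux `env_params` option and, when it is present, emit the `allow ... self:context contains;` rule Dominick gives as a raw loadable policy module. The domain name xferHigh2Local_t is the one from the thread; the module name `envparams_context`, the function names and the sample PAM lines are constructed for this example, and the example takes the rule as stated in the thread rather than deriving it from the Fedora patch.

```shell
#!/bin/sh
# Added example (not from the thread). Checks an sshd PAM stack for the
# pam_selinux env_params option and emits the "context contains" rule the
# thread says it requires, as raw module source. xferHigh2Local_t comes from
# the thread; the module name and the sample PAM lines are constructed.

# Constructed sample of the session section of /etc/pam.d/sshd.
SAMPLE_PAMD='session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    required     pam_selinux.so open env_params'

# pam_selinux_uses_env_params PAMD_CONTENT -> prints "yes" or "no".
# Walks every session line and looks for env_params after pam_selinux.so;
# the control field may be a bracketed expression, so field positions are
# not relied upon.
pam_selinux_uses_env_params() {
    printf '%s\n' "$1" | awk '
        $1 == "session" {
            seen = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "pam_selinux.so")          seen = 1
                else if (seen && $i == "env_params") found = 1
            }
        }
        END { print (found ? "yes" : "no") }'
}

# context_contains_rule DOMAIN -> the allow rule from the thread for DOMAIN.
context_contains_rule() {
    printf 'allow %s self:context contains;\n' "$1"
}

# te_module NAME DOMAIN -> raw (non-refpolicy) module source carrying the rule.
# Build and load on the target with:
#   checkmodule -M -m -o NAME.mod NAME.te
#   semodule_package -o NAME.pp -m NAME.mod
#   semodule -i NAME.pp
te_module() {
    printf 'module %s 1.0;\n\nrequire {\n    type %s;\n    class context contains;\n}\n\n' "$1" "$2"
    context_contains_rule "$2"
}

# required_module PAMD_CONTENT DOMAIN -> prints the module only when env_params
# is in use; per the thread, select_context or a bare "open" did not need it.
required_module() {
    if [ "$(pam_selinux_uses_env_params "$1")" = yes ]; then
        te_module envparams_context "$2"
    fi
}

# Stand-alone run: show what the sample stack needs.
required_module "$SAMPLE_PAMD" xferHigh2Local_t

# To confirm the rule is present in the loaded policy (setools):
#   sesearch -A -s xferHigh2Local_t -t xferHigh2Local_t -c context -p contains
```

The check only decides whether the rule is needed; it does not load anything. Run the `checkmodule`/`semodule` steps from the comment on the host itself, and use `sesearch` afterwards to confirm the `context contains` permission is actually granted before retesting the login.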