On Wed, Aug 28, 2019 at 1:19 PM Petr Lautrbach <plaut...@fedoraproject.org>
wrote:

> > Until a few days ago, my Fedora 29 Atomic host was working perfectly with
> > SELinux enforced. The server is only a few weeks old with nothing fancy
> > yet set or installed.
> >
> > I changed recently my user (gabx) context from the default unconfined to
> > system and ran restorecon. This change may be the root of the problem. I
> > ran a certbot-letsencrypt container which changed a few files'
> > contexts (container_t): maybe it broke a few things?
>
> What exactly did you do when you changed "context from the default unconfined
> to system"?
>

Fresh after install:

--------------------------------------------------

# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
gabx                      unconfined_u              s0-s0:c0.c1023
--------------------------------

Then:

# semanage login -m -s sysadm_u --range s0-s0:c0.c1023 gabx
# semanage login -l
gabx                 sysadm_u             s0-s0:c0.c1023       *

# restorecon -RF /home/gabx

# ls -alZ /home/gabx
drwxrwxr-x. 5 gabx gabx sysadm_u:object_r:config_home_t:s0    61 Aug 17 14:42 .config/
drwxrwxr-x. 2 gabx gabx sysadm_u:object_r:user_home_t:s0       6 Aug 21 14:09 hugo/
....

# vim /etc/sudoers.d/gabx
gabx    ALL=(ALL)       TYPE=sysadm_t   ROLE=sysadm_r   /bin/sh

----------------------------------------------------------------

When listing booleans to answer this thread, I realized I had this:
ssh_sysadm_login --> off

Turning it on allows user gabx to ssh. So that is the first good news. I
am now left with the inability to load modules.

As for the doc, it is my reference; I know it well.

>
> The following 2 chapters of the SELinux Users and Administrators Guide could
> help you set your user correctly:
>
> 3.3. Confined and Unconfined Users
> https://docs.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
> 3.3.1. The sudo Transition and SELinux Roles
> https://docs.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users-sudo_Transition_and_SELinux_Roles
>
>
> >
> > I have now a few issues:
>
>
NOTE: SOLVED

> > 1- user gabx can no longer ssh to the server: "unable to get valid context
> > for gabx" (same results from various machines)
> >
> ---------------------------------------------------------------------------
> > $ journalctl -r
> > .....
> > error: ssh_selinux_setup_pty:security_compute_relabel: Invalid argument
> > .....
> > error: PAM pam_open_session(): cannot make/remove an entry for the
> > specified session
> > ....
> > pam_selinux(sshd:session):Unableto get valid context for gabx
> >
> > below complete lines:
> > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0
> auid=1001
> > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> > kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
> > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0
> auid=1001
> > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> > kind=server fp=SHA256:ae:a4:a7:92:35:d0:2e:ea:47:82:c7:79:f0:17:db:>
> > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0
> auid=1001
> > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> > kind=server fp=SHA256:4e:d3:d2:82:9e:72:16:4e:a7:61:8b:00:88:0e:69:>
> > Aug 28 09:07:45 poppy audit[1954]: CRED_DISP pid=1954 uid=0 auid=1001
> > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred
> > grantors=pam_securetty,pam_env,pam_unix acct="gabx" exe="/usr/sbin/ss>
> > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0
> auid=1001
> > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> > kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
> > Aug 28 09:07:45 poppy sshd[1957]: Disconnected from user gabx
> > 212.147.52.214 port 57268
> > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0
> auid=1001
> > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> > kind=session fp=? direction=both spid=1957 suid=1001 rport=57268 la>
> > Aug 28 09:07:45 poppy sshd[1957]: Received disconnect from 212.147.52.214
> > port 57268:11: disconnected by user
> > Aug 28 09:07:45 poppy audit[1954]: USER_LOGOUT pid=1954 uid=0 auid=1001
> > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001
> > exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/2 res=su>
> > Aug 28 09:07:45 poppy audit[1954]: USER_END pid=1954 uid=0 auid=1001
> ses=13
> > subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001
> > exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/2 res=succe>
> > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0
> auid=1001
> > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> > kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
> > Aug 28 09:07:45 poppy audit[1954]: USER_START pid=1954 uid=0 auid=1001
> > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001
> > exe="/usr/sbin/sshd" hostname=? addr=212.147.52.214 terminal=/dev/>
> > Aug 28 09:07:45 poppy audit[1954]: USER_LOGIN pid=1954 uid=0 auid=1001
> > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001
> > exe="/usr/sbin/sshd" hostname=? addr=212.147.52.214 terminal=/dev/>
> > Aug 28 09:07:45 poppy sshd[1954]: error: ssh_selinux_setup_pty:
> > security_compute_relabel: Invalid argument
> > Aug 28 09:07:45 poppy audit[1957]: CRED_ACQ pid=1957 uid=0 auid=1001
> ses=13
> > subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred
> > grantors=pam_securetty,pam_env,pam_unix acct="gabx" exe="/usr/sbin/ssh>
> > Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0
> auid=1001
> > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> > kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
> > Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0
> auid=1001
> > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> > kind=server fp=SHA256:ae:a4:a7:92:35:d0:2e:ea:47:82:c7:79:f0:17:db:>
> > Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0
> auid=1001
> > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy
> > kind=server fp=SHA256:4e:d3:d2:82:9e:72:16:4e:a7:61:8b:00:88:0e:69:>
> > Aug 28 09:07:45 poppy sshd[1954]: error: PAM: pam_open_session(): Cannot
> > make/remove an entry for the specified session
> > Aug 28 09:07:45 poppy audit[1954]: USER_START pid=1954 uid=0 auid=1001
> > ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> > msg='op=PAM:session_open grantors=? acct="gabx"
> > exe="/usr/sbin/sshd"
> > hostname=212.147.52>
> > Aug 28 09:07:45 poppy sshd[1954]: pam_unix(sshd:session): session opened
> > for user gabx by (uid=0)
> > Aug 28 09:07:45 poppy systemd[1]: Started Session 13 of user gabx.
> > Aug 28 09:07:45 poppy systemd-logind[841]: New session 13 of user gabx.
> > Aug 28 09:07:45 poppy sshd[1954]: pam_selinux(sshd:session): Unable to
> > get valid context for gabx
> >
> >
> ----------------------------------------------------------------------------------------------------------
> > ● sshd.service - OpenSSH server daemon
> >    Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor
> > preset: enabled)
> >    Active: active (running) since Tue 2019-08-27 22:38:04 UTC; 10h ago
> >      Docs: man:sshd(8)
> >            man:sshd_config(5)
> >  Main PID: 993 (sshd)
> >     Tasks: 1 (limit: 4915)
> >    Memory: 6.2M
> >    CGroup: /system.slice/sshd.service
> >            └─993 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,
> > chacha20-poly1...@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
> > -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1>
> >
> > Aug 28 09:06:56 poppy sshd[1947]: Accepted publickey for gabx from
> > 212.147.52.214 port 55887 ssh2: RSA
> > SHA256:EGj/SuwIAfpC5I4gOw1zdFSUYQ3UBqQdUr2y/Q71nJg
> > Aug 28 09:06:56 poppy sshd[1947]: pam_selinux(sshd:session): Unable to
> > get valid context for gabx
> > Aug 28 09:06:56 poppy sshd[1947]: pam_unix(sshd:session): session opened
> > for user gabx by (uid=0)
> > Aug 28 09:06:56 poppy sshd[1947]: error: PAM: pam_open_session(): Cannot
> > make/remove an entry for the specified session
> > Aug 28 09:06:56 poppy sshd[1947]: error: ssh_selinux_setup_pty:
> > security_compute_relabel: Invalid argument
> > Aug 28 09:07:45 poppy sshd[1954]: Accepted publickey for gabx from
> > 212.147.52.214 port 57268 ssh2: RSA
> > SHA256:EGj/SuwIAfpC5I4gOw1zdFSUYQ3UBqQdUr2y/Q71nJg
> > Aug 28 09:07:45 poppy sshd[1954]: pam_selinux(sshd:session): Unable to
> > get valid context for gabx
> > Aug 28 09:07:45 poppy sshd[1954]: pam_unix(sshd:session): session opened
> > for user gabx by (uid=0)
> > Aug 28 09:07:45 poppy sshd[1954]: error: PAM: pam_open_session(): Cannot
> > make/remove an entry for the specified session
> > Aug 28 09:07:45 poppy sshd[1954]: error: ssh_selinux_setup_pty:
> > security_compute_relabel: Invalid argument
> >
> ---------------------------------------------------------------------------------------------
> >  # cat /etc/pam.d/sshd
> > #%PAM-1.0
> >
> > auth  required pam_securetty.so # disable remote root
> > auth       substack     password-auth
> > auth       include      postlogin
> > account    required     pam_sepermit.so
> > account    required     pam_nologin.so
> > account    include      password-auth
> > password   include      password-auth
> > # pam_selinux.so close should be the first session rule
> > session    required     pam_selinux.so close
> > session    required     pam_loginuid.so
> > # pam_selinux.so open should only be followed by sessions to be executed
> > # in the user context
> > session    required     pam_selinux.so open env_params
> > session    required     pam_namespace.so
> > session    optional     pam_keyinit.so force revoke
> > session    optional     pam_motd.so
> > session    include      password-auth
> > session    include      postlogin
> >
> >
> ----------------------------------------------------------------------------------------------------
>
>
NOT SOLVED

> > 2- I can't load modules.
> >
> > With the help of ausearch and journalctl, I can identify SELinux
> > messages, and I can write a *myapp.pp* module. But then:
> >
> > -----------------------------------
> > # semodule -i myapp.pp
> > semodule:  Failed on myapp.pp!
> > -------------------------------
> >
> > NOTE: the message is very poor and doesn't help.
> >
> > I would like to fix all these SELinux issues before I keep
> > setting up/installing apps on the server.
> > Thank you for your help.
> _______________________________________________
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
>
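A pre-flight check for the confinement steps discussed in this thread (mapping a login to sysadm_u, the spelling of the MLS/MCS range, and the ssh_sysadm_login boolean), written as an added example that is not from the thread or from Fedora's tooling. It parses constructed `semanage login -l` and `getsebool` output modelled on the messages above, so it runs without SELinux present; on a real host you would feed it the live command output instead.

```shell
#!/bin/sh
# Added example: decide offline whether an ssh login for a given user will
# get a valid SELinux context, from captured semanage/getsebool output.

# Constructed sample output, modelled on the thread (not captured from a host).
SEMANAGE_LOGIN_L='Login Name                SELinux User              MLS/MCS Range        Service

__default__               unconfined_u              s0-s0:c0.c1023       *
root                      unconfined_u              s0-s0:c0.c1023       *
gabx                      sysadm_u                  s0-s0:c0.c1023       *'
GETSEBOOL_SSH='ssh_sysadm_login --> off'

# selinux_user_for LOGIN LISTING: print the SELinux user mapped to LOGIN,
# falling back to the __default__ mapping as sshd/pam_selinux would.
selinux_user_for() {
    _u=$(printf '%s\n' "$2" | awk -v l="$1" '$1 == l { print $2; exit }')
    [ -n "$_u" ] || _u=$(printf '%s\n' "$2" | awk '$1 == "__default__" { print $2; exit }')
    printf '%s\n' "$_u"
}

# valid_mcs_range RANGE: exit 0 if RANGE is a well-formed low-high:categories
# range such as s0-s0:c0.c1023; catches the "s0-s0.c0.c1023" (dot for colon)
# typo that semanage would reject.
valid_mcs_range() {
    printf '%s\n' "$1" | grep -Eq '^s[0-9]+(-s[0-9]+)?(:c[0-9]+(\.c[0-9]+)?)?$'
}

# ssh_login_status LOGIN LISTING BOOLEAN_LINE: print "ok" when an ssh login
# for LOGIN should get a valid context, otherwise the reason it is refused:
# a sysadm_u mapping requires the ssh_sysadm_login boolean to be on.
ssh_login_status() {
    _seuser=$(selinux_user_for "$1" "$2")
    _bool=$(printf '%s\n' "$3" | awk '$1 == "ssh_sysadm_login" { print $3 }')
    if [ "$_seuser" = "sysadm_u" ] && [ "$_bool" != "on" ]; then
        printf 'blocked: %s maps to sysadm_u but ssh_sysadm_login is %s\n' "$1" "${_bool:-unset}"
    else
        printf 'ok\n'
    fi
}

# Stand-alone run over the constructed sample.
ssh_login_status gabx "$SEMANAGE_LOGIN_L" "$GETSEBOOL_SSH"
```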