On Wed, Aug 28, 2019 at 1:19 PM Petr Lautrbach <plaut...@fedoraproject.org> wrote:
> > Until a few days ago, my Fedora 29 Atomic host was working perfectly with
> > SELinux enforced. The server is only a few weeks old with nothing fancy yet
> > set or installed.
> >
> > I recently changed my user (gabx) context from the default unconfined to
> > system and ran restorecon. This change may be the root of the problem. I
> > ran a certbot-letsencrypt container which changed a few files'
> > contexts (container_t): maybe it broke a few things?
>
> What exactly did you do when you changed "context from the default unconfined
> to system"?
>

Fresh after install:
--------------------------------------------------
# semanage login -l

Login Name           SELinux User         MLS/MCS Range

__default__          unconfined_u         s0-s0:c0.c1023
root                 unconfined_u         s0-s0:c0.c1023
gabx                 unconfined_u         s0-s0:c0.c1023
--------------------------------

Then:
# semanage login -m -s sysadm_u --range s0-s0:c0.c1023 gabx
# semanage login -l
gabx                 sysadm_u             s0-s0:c0.c1023       *
# restorecon -RF /home/gabx
# ls -alZ /home/gabx
drwxrwxr-x. 5 gabx gabx sysadm_u:object_r:config_home_t:s0 61 Aug 17 14:42 .config/
drwxrwxr-x. 2 gabx gabx sysadm_u:object_r:user_home_t:s0    6 Aug 21 14:09 hugo/
....
# vim /etc/sudoers.d/gabx
gabx ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r /bin/sh
----------------------------------------------------------------

When listing booleans to answer this thread, I realized I had this:
ssh_sysadm_login --> off
Turning it on allows user gabx to ssh. So that is a first piece of good news.
I am left now with the inability to load modules.

As for the doc, it is my ref, I know it well.

> The following 2 chapters of the SELinux Users and Administrators Guide could
> help you set your user correctly:
>
> 3.3. Confined and Unconfined Users
> https://docs.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
> 3.3.1. The sudo Transition and SELinux Roles
> https://docs.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users-sudo_Transition_and_SELinux_Roles
>
> > I have now a few issues:

NOTE: SOLVED

> > 1- user gabx can no longer ssh the server: "unable to get valid context for
> > gabx" (same results from various machines)
> > ---------------------------------------------------------------------------
> > $ journalctl -r
> > .....
> > error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
> > .....
> > error: PAM pam_open_session(): cannot make/remove an entry for the
> > specified session
> > ....
> > pam_selinux(sshd:session): Unable to get valid context for gabx
> >
> > below complete lines:
> > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
> > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:ae:a4:a7:92:35:d0:2e:ea:47:82:c7:79:f0:17:db:>
> > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:4e:d3:d2:82:9e:72:16:4e:a7:61:8b:00:88:0e:69:>
> > Aug 28 09:07:45 poppy audit[1954]: CRED_DISP pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_securetty,pam_env,pam_unix acct="gabx" exe="/usr/sbin/ss>
> > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
> > Aug 28 09:07:45 poppy sshd[1957]: Disconnected from user gabx 212.147.52.214 port 57268
> > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1957 suid=1001 rport=57268 la>
> > Aug 28 09:07:45 poppy sshd[1957]: Received disconnect from 212.147.52.214 port 57268:11: disconnected by user
> > Aug 28 09:07:45 poppy audit[1954]: USER_LOGOUT pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/2 res=su>
> > Aug 28 09:07:45 poppy audit[1954]: USER_END pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/2 res=succe>
> > Aug 28 09:07:45 poppy audit[1954]: CRYPTO_KEY_USER pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
> > Aug 28 09:07:45 poppy audit[1954]: USER_START pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=212.147.52.214 terminal=/dev/>
> > Aug 28 09:07:45 poppy audit[1954]: USER_LOGIN pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=212.147.52.214 terminal=/dev/>
> > Aug 28 09:07:45 poppy sshd[1954]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
> > Aug 28 09:07:45 poppy audit[1957]: CRED_ACQ pid=1957 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_securetty,pam_env,pam_unix acct="gabx" exe="/usr/sbin/ssh>
> > Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:30:af:76:06:1b:6f:fe:b1:55:f5:6b:6c:70:4a:76:>
> > Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:ae:a4:a7:92:35:d0:2e:ea:47:82:c7:79:f0:17:db:>
> > Aug 28 09:07:45 poppy audit[1957]: CRYPTO_KEY_USER pid=1957 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:4e:d3:d2:82:9e:72:16:4e:a7:61:8b:00:88:0e:69:>
> > Aug 28 09:07:45 poppy sshd[1954]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
> > Aug 28 09:07:45 poppy audit[1954]: USER_START pid=1954 uid=0 auid=1001 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=? acct="gabx" exe="/usr/sbin/sshd" hostname=212.147.52>
> > Aug 28 09:07:45 poppy sshd[1954]: pam_unix(sshd:session): session opened for user gabx by (uid=0)
> > Aug 28 09:07:45 poppy systemd[1]: Started Session 13 of user gabx.
> > Aug 28 09:07:45 poppy systemd-logind[841]: New session 13 of user gabx.
> > Aug 28 09:07:45 poppy sshd[1954]: pam_selinux(sshd:session): Unable to get valid context for gabx
> >
> > ----------------------------------------------------------------------------------------------------------
> > ● sshd.service - OpenSSH server daemon
> >    Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
> >    Active: active (running) since Tue 2019-08-27 22:38:04 UTC; 10h ago
> >      Docs: man:sshd(8)
> >            man:sshd_config(5)
> >  Main PID: 993 (sshd)
> >     Tasks: 1 (limit: 4915)
> >    Memory: 6.2M
> >    CGroup: /system.slice/sshd.service
> >            └─993 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1...@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1>
> >
> > Aug 28 09:06:56 poppy sshd[1947]: Accepted publickey for gabx from 212.147.52.214 port 55887 ssh2: RSA SHA256:EGj/SuwIAfpC5I4gOw1zdFSUYQ3UBqQdUr2y/Q71nJg
> > Aug 28 09:06:56 poppy sshd[1947]: pam_selinux(sshd:session): Unable to get valid context for gabx
> > Aug 28 09:06:56 poppy sshd[1947]: pam_unix(sshd:session): session opened for user gabx by (uid=0)
> > Aug 28 09:06:56 poppy sshd[1947]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
> > Aug 28 09:06:56 poppy sshd[1947]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
> > Aug 28 09:07:45 poppy sshd[1954]: Accepted publickey for gabx from 212.147.52.214 port 57268 ssh2: RSA SHA256:EGj/SuwIAfpC5I4gOw1zdFSUYQ3UBqQdUr2y/Q71nJg
> > Aug 28 09:07:45 poppy sshd[1954]: pam_selinux(sshd:session): Unable to get valid context for gabx
> > Aug 28 09:07:45 poppy sshd[1954]: pam_unix(sshd:session): session opened for user gabx by (uid=0)
> > Aug 28 09:07:45 poppy sshd[1954]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
> > Aug 28 09:07:45 poppy sshd[1954]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
> >
> > ---------------------------------------------------------------------------------------------
> > # cat /etc/pam.d/sshd
> > #%PAM-1.0
> >
> > auth       required     pam_securetty.so # disable remote root
> > auth       substack     password-auth
> > auth       include      postlogin
> > account    required     pam_sepermit.so
> > account    required     pam_nologin.so
> > account    include      password-auth
> > password   include      password-auth
> > # pam_selinux.so close should be the first session rule
> > session    required     pam_selinux.so close
> > session    required     pam_loginuid.so
> > # pam_selinux.so open should only be followed by sessions to be executed in the user context
> > session    required     pam_selinux.so open env_params
> > session    required     pam_namespace.so
> > session    optional     pam_keyinit.so force revoke
> > session    optional     pam_motd.so
> > session    include      password-auth
> > session    include      postlogin
> >
> > ----------------------------------------------------------------------------------------------------

NOT SOLVED

> > 2- I can't load modules.
> >
> > With the help of ausearch and journalctl, I can identify SELinux messages,
> > I can write a *myapp.pp* module. But then:
> >
> > -----------------------------------
> > # semodule -i myapp.pp
> > semodule: Failed on myapp.pp!
> > -------------------------------
> >
> > NOTE: message is very poor and doesn't help.
> >
> > I would like to fix all these SELinux issues before I keep
> > setting/installing apps on the server.
> > Thank you for help.
> _______________________________________________
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
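The thread above moves a Linux login from unconfined_u to sysadm_u and then hits two follow-on requirements: the ssh_sysadm_login boolean must be on before sshd will open a session for a sysadm_u user, and the home directory has to be relabelled so its SELinux user field matches the new mapping. The script below is an added example, not code from the thread or from Fedora; it turns those two checks into an audit that a defender can run before switching a mapping. Every check takes the tool output as text, so the constructed samples (modelled on the thread's own `semanage login -l`, `getsebool -a` and `ls -alZ` listings; the stale `.ssh` entry is invented to show the failure case) run offline, and `audit_live` only assumes the policycoreutils tools exist when invoked on a real host.

```shell
#!/bin/sh
# Added example: audit a confined-admin SELinux login mapping offline.
# Samples below are constructed from the thread's listings, not captured live.

# Constructed `semanage login -l` output after the gabx -> sysadm_u change.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
gabx                 sysadm_u             s0-s0:c0.c1023       *'

# Constructed `getsebool -a` excerpt with the boolean the thread found off.
SAMPLE_BOOLS='selinuxuser_ping --> on
ssh_sysadm_login --> off'

# Constructed `ls -alZ /home/gabx` output; the .ssh line still carries the
# old unconfined_u identity, i.e. restorecon -RF was not run after the change.
SAMPLE_HOME_STALE='drwxrwxr-x. 5 gabx gabx sysadm_u:object_r:config_home_t:s0 61 Aug 17 14:42 .config
drwx------. 2 gabx gabx unconfined_u:object_r:ssh_home_t:s0 29 Aug 17 14:40 .ssh
drwxrwxr-x. 2 gabx gabx sysadm_u:object_r:user_home_t:s0 6 Aug 21 14:09 hugo'

SAMPLE_HOME_CLEAN='drwxrwxr-x. 5 gabx gabx sysadm_u:object_r:config_home_t:s0 61 Aug 17 14:42 .config
drwxrwxr-x. 2 gabx gabx sysadm_u:object_r:user_home_t:s0 6 Aug 21 14:09 hugo'

# seuser_for LOGIN LOGINS_TEXT: print the SELinux user mapped to LOGIN, or nothing.
seuser_for() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u { print $2; exit }'
}

# bool_state NAME BOOLS_TEXT: print on/off for a boolean, or nothing if absent.
bool_state() {
    printf '%s\n' "$2" | awk -v b="$1" '$1 == b { print $3; exit }'
}

# ssh_login_check LOGIN LOGINS_TEXT BOOLS_TEXT
# Returns 0 if the mapping lets LOGIN open an ssh session, 1 if LOGIN is
# sysadm_u while ssh_sysadm_login is off (the thread's symptom), 2 if there
# is no mapping at all (not even __default__).
ssh_login_check() {
    seuser=$(seuser_for "$1" "$2")
    if [ -z "$seuser" ]; then
        seuser=$(seuser_for __default__ "$2")
        if [ -z "$seuser" ]; then
            echo "$1: no login mapping and no __default__ entry"
            return 2
        fi
        echo "$1: no explicit mapping, inherits __default__ -> $seuser"
    fi
    if [ "$seuser" = sysadm_u ] && [ "$(bool_state ssh_sysadm_login "$3")" != on ]; then
        echo "$1 is sysadm_u but ssh_sysadm_login is off: sshd will refuse the session"
        echo "  fix: setsebool -P ssh_sysadm_login on"
        return 1
    fi
    echo "$1 -> $seuser: ssh login permitted by the login mapping"
    return 0
}

# home_label_check SEUSER LS_Z_TEXT
# Returns 0 when every entry's SELinux user field equals SEUSER, 1 when a
# stale label from the previous mapping remains (remedy: restorecon -RF on
# the home directory, as the thread did).
home_label_check() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NF >= 9 && $5 ~ /:/ {
            split($5, ctx, ":")
            if (ctx[1] != want) { bad++; print "stale label on " $NF ": " $5 }
        }
        END { if (bad > 0) exit 1; exit 0 }'
}

# audit_live LOGIN: the same checks against the running system. Assumes
# policycoreutils (semanage, getsebool) is installed; skips cleanly otherwise.
audit_live() {
    command -v semanage >/dev/null 2>&1 || { echo "semanage not found; nothing to audit"; return 0; }
    logins=$(semanage login -l)
    ssh_login_check "$1" "$logins" "$(getsebool -a)"
    seuser=$(seuser_for "$1" "$logins")
    [ -n "$seuser" ] || seuser=$(seuser_for __default__ "$logins")
    home_label_check "$seuser" "$(ls -alZ "/home/$1")"
}

# Stand-alone demonstration over the constructed samples.
ssh_login_check gabx "$SAMPLE_LOGINS" "$SAMPLE_BOOLS" || :
home_label_check sysadm_u "$SAMPLE_HOME_STALE" || :
```

Run with `sh audit.sh` to see both findings on the samples; on a host, `audit_live gabx` reports the same two conditions from live tool output. The `__default__` fallback mirrors how the login mapping resolves users without an explicit entry, which is why an unmapped user on the sample host is still reported as permitted.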