List: selinux
Subject: Re: Query regarding SELinux change Id context
From: Aman Sharma <amansh.sharma5 () gmail ! com>
Date: 2017-12-05 9:16:26
Message-ID: CAPMH7-8_h9rChh2j00FjCgqiVA1rYEJiBy+nszy_bkRFa28ZHw () mail ! gmail ! com
Is this a bug in CentOS 7.3?
On Tue, Dec 5, 2017 at 2:10 PM, Dominick Grift <dac.override@gmail.com> wrote:
> On Tue, Dec 05, 2017 at 02:02:37PM +0530, Aman Sharma wrote:
> > Hi Stephen,
> >
> > Below are the changes which I made in the login and sshd files:
> >
> > cat /etc/pam.d/sshd
> > #%PAM-1.0
> > auth required pam_sepermit.so
>
> side note: this is a "bug"
> https://src.fedoraproject.org/rpms/openssh/c/e044c5cf76618b023a4315f41fe126c80c06b833?branch=master
>
> > auth include password-auth
> > # Used with polkit to reauthorize users in remote sessions
> > account required pam_nologin.so
> > account include password-auth
> > password include password-auth
> > # pam_selinux.so close should be the first session rule
> > session required pam_selinux.so close
> > session required pam_loginuid.so
> > # pam_selinux.so open should only be followed by sessions to be executed in the user context
> > session required pam_selinux.so open env_params
> > session required pam_namespace.so
> > session optional pam_keyinit.so force revoke
> > session include password-auth
> > # Used with polkit to reauthorize users in remote sessions
> >
> >
> > cat /etc/pam.d/login
> > #%PAM-1.0
> > auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
> > auth include system-auth
> > account required pam_nologin.so
> > account include system-auth
> > password include system-auth
> > # pam_selinux.so close should be the first session rule
> > session required pam_selinux.so close
> > session required pam_loginuid.so
> > session optional pam_console.so
> > # pam_selinux.so restore should only be followed by sessions to be executed in the user context
> > session required pam_selinux.so open
> > session required pam_namespace.so
> > session optional pam_keyinit.so force revoke
> > session include system-auth
> > -session optional pam_ck_connector.so
> >
> > Please let me know if there are any comments.
> >
> > On Mon, Dec 4, 2017 at 10:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >
> > > On Mon, 2017-12-04 at 22:04 +0530, Aman Sharma wrote:
> > > > Hi Stephen,
> > > >
> > > > Thanks a lot for the help.
> > > >
> > > > I got the issue. It's due to the problem in the /etc/pam.d/sshd file.
> > > >
> > > > After fixing this, it is now working fine. Thanks a lot once again.
> > >
> > > Ok, can you explain what exactly was wrong in your /etc/pam.d/sshd
> > > file, so that if someone else encounters this behavior in the future,
> > > they can find a solution in the list archives?
> > >
> > > >
> > > > On Mon, Dec 4, 2017 at 9:39 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > > > > On Mon, 2017-12-04 at 21:31 +0530, Aman Sharma wrote:
> > > > > > Hi Stephen,
> > > > > >
> > > > > > I got the below logs from the file. Can you please check if these logs are fine or not:
> > > > > >
> > > > > > journalctl | grep selinux
> > > > > > Dec 05 02:55:46 localhost.localdomain kernel: EVM: security.selinux
> > > > > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0 auid=0 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 addr=10.97.7.209 terminal=ssh res=success'
> > > > > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain type=USER_START msg=audit(1512402970.131:108): pid=7568 uid=0 auid=0 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 addr=10.97.7.209 terminal=ssh res=success'
> > > > > >
> > > > > >
> > > > > > Please let me know if there are any comments.
> > > > >
> > > > > Those are normal. Check journalctl and /var/log/secure for any errors from sshd.
> > > > > Also try the selinuxdefcon command I mentioned.
> > > > >
> > > > > >
> > > > > > On Mon, Dec 4, 2017 at 9:10 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > > > > > > On Sat, 2017-12-02 at 09:29 +0530, Aman Sharma wrote:
> > > > > > > > Hi All,
> > > > > > > >
> > > > > > > > Thanks for the information.
> > > > > > > >
> > > > > > > > But after resetting the semanage user/login, moving the targeted folder to the old one and then installing the default target, it is still showing the Id context as context=system_u:system_r:unconfined_t:s0-s0:c0.c1023.
> > > > > > > >
> > > > > > > > What I observed is that even after changing the permission using the semanage command, it is still showing system_u:system_r.
> > > > > > > >
> > > > > > > > Check the semanage login/User output :
> > > > > > > >
> > > > > > > > semanage login -l
> > > > > > > >
> > > > > > > > Login Name           SELinux User         MLS/MCS Range        Service
> > > > > > > >
> > > > > > > > __default__          unconfined_u         s0-s0:c0.c1023       *
> > > > > > > > root                 unconfined_u         s0-s0:c0.c1023       *
> > > > > > > > system_u             system_u             s0-s0:c0.c1023       *
> > > > > > > >
> > > > > > > >
> > > > > > > > semanage user -l
> > > > > > > >
> > > > > > > >                 Labeling   MLS/         MLS/
> > > > > > > > SELinux User    Prefix     MCS Level    MCS Range        SELinux Roles
> > > > > > > >
> > > > > > > > guest_u         user       s0           s0               guest_r
> > > > > > > > root            user       s0           s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
> > > > > > > > staff_u         user       s0           s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
> > > > > > > > sysadm_u        user       s0           s0-s0:c0.c1023   sysadm_r
> > > > > > > > system_u        user       s0           s0-s0:c0.c1023   system_r unconfined_r
> > > > > > > > unconfined_u    user       s0           s0-s0:c0.c1023   system_r unconfined_r
> > > > > > > > user_u          user       s0           s0               user_r
> > > > > > > > xguest_u        user       s0           s0               xguest_r
> > > > > > > >
> > > > > > > >
> > > > > > > > Looks like it's related to some other issue. What do you think about this?
> > > > > > >
> > > > > > > Do you have any relevant error messages in /var/log/secure or journalctl -rb? Look for anything that refers to selinux or context.
> > > > > > >
> > > > > > > I'm guessing that pam_selinux is unable to determine a valid context for your login for some reason, and this is causing it to fall back to this one. Or something like that.
> > > > > > >
> > > > > > > You could try to emulate this process via selinuxdefcon, although I'm not sure how closely it matches pam_selinux anymore. Sample usage:
> > > > > > >
> > > > > > > 1. See what context sshd is running in.
> > > > > > >
> > > > > > > ps -eZ | grep sshd
> > > > > > >
> > > > > > > It should be:
> > > > > > > system_u:system_r:sshd_t:s0-s0:c0.c1023
> > > > > > >
> > > > > > > 2. Run selinuxdefcon to compute the default context for root when logging in from sshd:
> > > > > > >
> > > > > > > # Second argument should be whatever was shown by ps -eZ | grep sshd above.
> > > > > > > selinuxdefcon root system_u:system_r:sshd_t:s0-s0:c0.c1023
> > > > > > >
> > > > > > > It should be:
> > > > > > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > > > > > >
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
>
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com
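The two ordering rules stated in the comments of the sshd PAM stack quoted above (pam_selinux.so close first, then an open rule) and the USER_START record Stephen calls normal can both be checked mechanically. This is an added example, not code from the thread or from the openssh/pam_selinux projects; the sample PAM stack and audit line are constructed from what is quoted above, and the function names are my own.

```python
import re

# Constructed sample: the session-relevant part of the /etc/pam.d/sshd
# stack quoted in the thread.
SSHD_PAM = """\
auth required pam_sepermit.so
auth include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
"""

# Constructed sample modelled on the USER_START record quoted in the thread.
AUDIT_LINE = (
    "type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0 auid=0 ses=2 "
    "subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open "
    "grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,"
    "pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct=\"root\" "
    "exe=\"/usr/sbin/sshd\" hostname=10.97.7.209 addr=10.97.7.209 terminal=ssh "
    "res=success'"
)

# type, control (plain word or [bracketed] form), module, optional args
RULE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) tuples; comment lines never match."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return rules

def check_selinux_session_order(rules):
    """List problems with pam_selinux placement, per the comments in the stack."""
    session = [r for r in rules if r[0] == "session"]
    problems = []
    if not session or session[0][2] != "pam_selinux.so" or "close" not in session[0][3]:
        problems.append("pam_selinux.so close must be the first session rule")
    if not any(r[2] == "pam_selinux.so" and "open" in r[3] for r in session):
        problems.append("no pam_selinux.so open rule: the login context is never set")
    return problems

def parse_user_start(line):
    """Pull subj context, PAM grantors and result out of a USER_START record."""
    subj = re.search(r"\bsubj=(\S+)", line).group(1)
    grantors = re.search(r"\bgrantors=([\w,]+)", line).group(1).split(",")
    res = re.search(r"\bres=(\w+)", line).group(1)
    return {"subj": subj, "grantors": grantors, "res": res}

def session_open_is_normal(rec):
    """The shape the thread calls normal: sshd_t subject, pam_selinux granted
    twice (once for close, once for open) and res=success."""
    return (rec["subj"].split(":")[2] == "sshd_t"
            and rec["grantors"].count("pam_selinux") == 2
            and rec["res"] == "success")
```

Feed `parse_pam` the real /etc/pam.d/sshd and `parse_user_start` lines from `ausearch -m USER_START` to run the same checks on a live host.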