From: Aman Sharma
Date: Wed, 13 Dec 2017 10:17:46 +0530
To: SELinux, Stephen Smalley, centos@centos.org
Subject: PAM Security related issue

Hi All,

I just wanted to know the meaning of the line

    session required pam_selinux.so open env_params

added in the /etc/pam.d/sshd file. Actually I am facing one issue related to this. When I changed this env_params to restore then my sftp is not working.

Can anybody please guide me on this.

--
Thanks
Aman
Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com
From: Aman Sharma
Date: Wed, 13 Dec 2017 14:44:37 +0530
To: SELinux, Stephen Smalley, centos@centos.org
Subject: Re: PAM Security related issue

Also in the logs, I am getting the below error message:

    Dec 13 13:00:00 aman authpriv 3 sshd: pam_selinux(sshd:session): Unable to get valid context for sftpuser
    Dec 13 13:00:00 aman authpriv 6 sshd: pam_unix(sshd:session): session opened for user sftpuser by (uid=0)

On Wed, Dec 13, 2017 at 10:17 AM, Aman Sharma wrote:
> just wanted to know the meaning of line session required
> pam_selinux.so open env_params added in /etc/pam.d/sshd file.
> Actually I am facing one issue related to this. When I changed this env_params
> to restore then my Sftp is not working.
>
> Can anybody Please guide me on this.
From: Stephen Smalley
To: Aman Sharma, SELinux, centos@centos.org
Date: Wed, 13 Dec 2017 10:24:37 -0500
Message-ID: <1513178677.19161.10.camel@tycho.nsa.gov>
Subject: Re: PAM Security related issue

On Tue, 2017-12-12 at 23:47 -0500, Aman Sharma wrote:
> just wanted to know the meaning of line session    required
>  pam_selinux.so open env_params added in /etc/pam.d/sshd file.
> Actually I am facing one issue related to this. When I changed this
> env_params to restore then my Sftp is not working.
>
> Can anybody Please guide me on this.

man pam_selinux describes the options and what they mean.
Why did you change it to restore?  Per the man page, restore is to
temporarily restore the contexts and would be a separate entry in the
PAM stack before the module that needs the original contexts, followed
by a pam_selinux.so open env_params after that module to set them up
again.  But don't use restore unless you actually need it for some
reason.

From: Aman Sharma
Date: Wed, 13 Dec 2017 21:40:25 +0530
To: Stephen Smalley
Cc: SELinux, centos@centos.org
Subject: Re: PAM Security related issue

Hi Stephen,

Yes, I am using open env_params for it. But for this, my sftp is not working and I am getting the below error message:

    Dec 13 13:00:00 aman authpriv 3 sshd: pam_selinux(sshd:session): Unable to get valid context for sftpuser
    Dec 13 13:00:00 aman authpriv 6 sshd: pam_unix(sshd:session): session opened for user sftpuser by (uid=0)

Please let me know if you have any idea on this.

On Wed, Dec 13, 2017 at 8:54 PM, Stephen Smalley wrote:
> man pam_selinux describes the options and what they mean.
> Why did you change it to restore? Per the man page, restore is to
> temporarily restore the contexts and would be a separate entry in the
> PAM stack before the module that needs the original contexts, followed
> by a pam_selinux.so open env_params after that module to set them up
> again. But don't use restore unless you actually need it for some
> reason.
From: Dominick Grift
To: selinux@tycho.nsa.gov
Date: Wed, 13 Dec 2017 19:17:33 +0100
Message-ID: <20171213181733.GA17558@julius.enp8s0.d30>
Subject: Re: PAM Security related issue

On Wed, Dec 13, 2017 at 09:40:25PM +0530, Aman Sharma wrote:
> Yes , I am using open env_params for it. But for this, my sftp is not
> working and getting the below error message :
>
> Dec 13 13:00:00 aman authpriv 3 sshd: pam_selinux(sshd:session): Unable to
> get valid context for sftpuser
> Dec 13 13:00:00 aman authpriv 6 sshd: pam_unix(sshd:session): session
> opened for user sftpuser by (uid=0)

Not sure if this is actually the issue but: AFAIK the user must have access
to "context contains" for env_params

See if the context assoc. with the sftpuser process has access to context
contains

> Please let me know if you have any idea on this.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
From: Stephen Smalley
To: Aman Sharma
Cc: SELinux
Date: Wed, 13 Dec 2017 14:15:14 -0500
Message-ID: <1513192514.25026.5.camel@tycho.nsa.gov>
Subject: Re: PAM Security related issue

On Wed, 2017-12-13 at 21:40 +0530, Aman Sharma wrote:
> Yes , I am using open env_params for it. But for this, my sftp is not
> working and getting the below error message :
>
> Dec 13 13:00:00 aman authpriv 3 sshd: pam_selinux(sshd:session):
> Unable to get valid context for sftpuser
> Dec 13 13:00:00 aman authpriv 6 sshd: pam_unix(sshd:session): session
> opened for user sftpuser by (uid=0)
>
> Please let me know if you have any idea on this.

Do you have any semanage login mapping for sftpuser or is it just using
the __default__ entry? (what does semanage login -l show)  How was
sftpuser created?

You could add the debug option on the pam_selinux.so line to try to get
more information.

You could run selinuxdefcon to query what context would be used for
that user, e.g.
selinuxdefcon sftpuser system_u:system_r:sshd_t:s0-s0.c0123

From: Aman Sharma
Date: Thu, 14 Dec 2017 12:48:42 +0530
To: Stephen Smalley
Cc: SELinux
Subject: Re: PAM Security related issue

Hi All,

Below is the output of the semanage user command for sftpuser:

    specialuser_u   user       s0         s0                             sysadm_r system_r

and for the command semanage login -l, the output is:

    sftpuser             specialuser_u        s0                   *

And also, after adding the debugging option, it's showing the below error message:

    Dec 13 15:46:10 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session): Unable to get valid context for sftpuser
    Dec 13 15:46:10 cucmSUB authpriv 5 sshd: pam_selinux(sshd:session): Open Session
    Dec 13 15:46:11 cucmSUB authpriv 7 sshd: pam_selinux(sshd:session): Username= sftpuser SELinux User= specialuser_u Level= s0
    Dec 13 15:46:11 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session): Unable to get valid context for sftpuser

Also the selinuxdefcon command is showing an error while running for sftpuser, i.e.

    sudo /usr/sbin/selinuxdefcon sftpuser system_u:system_r:sshd_t:s0
    /usr/sbin/selinuxdefcon: Invalid argument

Please let me know your comments on this.

Thanks
Aman

On Thu, Dec 14, 2017 at 12:45 AM, Stephen Smalley wrote:
> Do you have any semanage login mapping for sftpuser or is it just using
> the __default__ entry? (what does semanage login -l show) How was
> sftpuser created?
>
> You could add the debug option on the pam_selinux.so line to try to get
> more information.
>
> You could run selinuxdefcon to query what context would be used for
> that user, e.g.
> selinuxdefcon sftpuser system_u:system_r:sshd_t:s0-s0.c0123
From: Dominick Grift
To: selinux@tycho.nsa.gov
Date: Thu, 14 Dec 2017 09:16:23 +0100
Message-ID: <20171214081623.GB17558@julius.enp8s0.d30>
Subject: Re: PAM Security related issue

1. cat /etc/selinux/targeted/contexts/users/specialuser_u
2. priv logins are allowed as per the ssh_priv_logins boolean?
3. do you get the same result when you associate "sftpuser" with selinux user "user_u"?
On Thu, Dec 14, 2017 at 12:48:42PM +0530, Aman Sharma wrote:
> Below is the output of semanage USer command output for sftpuser:
>
> specialuser_u user s0 s0 sysadm_r system_r
>
> and for command semanage login -l , output is :
>
> sftpuser specialuser_u s0 *
>
> and also, after adding the debugging option, its showing the below error
> message as :
>
> Dec 13 15:46:10 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session): Unable
> to get valid context for sftpuser
> Dec 13 15:46:10 cucmSUB authpriv 5 sshd: pam_selinux(sshd:session): Open
> Session
> Dec 13 15:46:11 cucmSUB authpriv 7 sshd: pam_selinux(sshd:session):
> Username= sftpuser SELinux User= specialuser_u Level= s0
> Dec 13 15:46:11 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session): Unable
> to get valid context for sftpuser
>
> also Selinuxdefcon command is showing error while running for sftpuser i.e.
>
> sudo /usr/sbin/selinuxdefcon sftpuser system_u:system_r:sshd_t:s0
> /usr/sbin/selinuxdefcon: Invalid argument
>
> Please let me know your comments on this.

From: Stephen Smalley
To: Aman Sharma
Cc: SELinux
Date: Thu, 14 Dec 2017 08:49:57 -0500
Message-ID: <1513259397.18008.3.camel@tycho.nsa.gov>
Subject: Re: PAM Security related issue

On Thu, 2017-12-14 at 12:48 +0530, Aman Sharma wrote:
> Below is the output of semanage USer command output for sftpuser:
>
> specialuser_u   user       s0         s0          sysadm_r system_r
>
> and for command semanage login -l , output is :
>
> sftpuser             specialuser_u        s0               *
>
> and also, after adding the debugging option, its showing the below
> error message as
>
> Dec 13 15:46:10 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session):
> Unable to get valid context for sftpuser
> Dec 13 15:46:10 cucmSUB authpriv 5 sshd: pam_selinux(sshd:session):
> Open Session
> Dec 13 15:46:11 cucmSUB authpriv 7 sshd: pam_selinux(sshd:session):
> Username= sftpuser SELinux User= specialuser_u Level= s0
> Dec 13 15:46:11 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session):
> Unable to get valid context for sftpuser
>
> also Selinuxdefcon command is showing error while running for
> sftpuser i.e.
> sudo /usr/sbin/selinuxdefcon sftpuser system_u:system_r:sshd_t:s0
> /usr/sbin/selinuxdefcon: Invalid argument
>
> Please let me know your comments on this.

Is there a reason why you've added your own unique SELinux user and
login entries for sftpuser rather than either just mapping to one of
the existing users if you want it to be confined or leaving it
unspecified and just using the __default__ entry if you want it to be
unconfined?

The entries above say that sftpuser is to be mapped to specialuser_u,
and that specialuser_u can only use the sysadm_r or system_r roles.
To make that work, you would also need to enable the ssh_sysadm_login
boolean and cp /etc/selinux/targeted/contexts/users/sysadm_u
/etc/selinux/targeted/contexts/users/specialuser_u.  But that seems
pointless since you could just leave it unmapped or map it to sysadm_u
in the first place if that was really what you wanted.

If you want sftpuser to be unrestricted, just remove the mappings, i.e.

    $ sudo semanage login -d sftpuser
    $ sudo semanage user -d specialuser_u
    $ selinuxdefcon sftpuser system_u:system_r:sshd_t:s0-s0:c0.c1023
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
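The diagnosis Stephen walks through above (login name to SELinux user via `semanage login -l`, the roles that SELinux user may use via `semanage user -l`, and whether sshd may enter sysadm_r at all) can be scripted so it applies to any login, not just sftpuser. This is an added example, not code from the thread or from the SELinux project; the two tables are constructed sample output modelled on what Aman posted, the `live_tables` helper is hypothetical glue around the real `semanage`, `getsebool` and `selinuxdefcon` commands, and the ssh_sysadm_login boolean and contexts/users path are the ones named in the thread.

```shell
#!/bin/sh
# Constructed sample of `semanage login -l`: sftpuser mapped to a custom
# SELinux user, everyone else falling through to __default__.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
sftpuser             specialuser_u        s0                   *'

# Constructed sample of `semanage user -l`: specialuser_u only has the
# sysadm_r and system_r roles, as in the thread.
SAMPLE_USERS='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

specialuser_u   user       s0         s0                             sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r'

# seuser_for_login LOGIN LOGIN_TABLE: SELinux user the login maps to, falling
# back to the __default__ entry when the login has no mapping of its own.
seuser_for_login() {
    seuser=$(printf '%s\n' "$2" | awk -v l="$1" '$1 == l { print $2; exit }')
    [ -n "$seuser" ] || seuser=$(printf '%s\n' "$2" | awk '$1 == "__default__" { print $2; exit }')
    printf '%s\n' "$seuser"
}

# roles_for_seuser SEUSER USER_TABLE: that SELinux user's roles (columns 5..NF);
# empty output means there is no such SELinux user.
roles_for_seuser() {
    printf '%s\n' "$2" | awk -v u="$1" \
        '$1 == u { for (i = 5; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n"); exit }'
}

# ssh_login_verdict LOGIN LOGIN_TABLE USER_TABLE BOOL(on|off) CTXFILE(present|missing)
# Prints one verdict line. Encodes the thread's diagnosis: a SELinux user whose
# only non-system role is sysadm_r can get a context from sshd only when the
# ssh_sysadm_login boolean is on and contexts/users/<seuser> exists; otherwise
# pam_selinux logs "Unable to get valid context".
ssh_login_verdict() {
    seuser=$(seuser_for_login "$1" "$2")
    roles=$(roles_for_seuser "$seuser" "$3")
    if [ -z "$roles" ]; then
        printf '%s\n' "$1 maps to $seuser which has no semanage user entry"
        return 0
    fi
    user_roles=""
    for r in $roles; do
        [ "$r" = system_r ] || user_roles="$user_roles $r"
    done
    case "$user_roles" in
        "") printf '%s\n' "$1 maps to $seuser with no user role: no valid context" ;;
        " sysadm_r")
            if [ "$4" = on ] && [ "$5" = present ]; then
                printf '%s\n' "$1 maps to $seuser: sysadm_r login allowed"
            else
                printf '%s\n' "$1 maps to $seuser: only sysadm_r, needs ssh_sysadm_login=on and contexts/users/$seuser (boolean=$4, file=$5)"
            fi ;;
        *) printf '%s\n' "$1 maps to $seuser: roles$user_roles" ;;
    esac
}

# live_tables LOGIN: hypothetical wrapper that runs the same verdict against
# the running host (needs policycoreutils) and then asks selinuxdefcon for
# the context sshd would actually pick, as Stephen suggested.
live_tables() {
    logins=$(semanage login -l)
    users=$(semanage user -l)
    bool=$(getsebool ssh_sysadm_login | awk '{ print $3 }')
    f=missing
    [ -f "/etc/selinux/targeted/contexts/users/$(seuser_for_login "$1" "$logins")" ] && f=present
    ssh_login_verdict "$1" "$logins" "$users" "$bool" "$f"
    selinuxdefcon "$1" system_u:system_r:sshd_t:s0-s0:c0.c1023
}

# Offline demo on the constructed tables: the failing case from the thread,
# the same mapping after the two fixes Stephen listed, and an unmapped login.
ssh_login_verdict sftpuser "$SAMPLE_LOGINS" "$SAMPLE_USERS" off missing
ssh_login_verdict sftpuser "$SAMPLE_LOGINS" "$SAMPLE_USERS" on present
ssh_login_verdict alice "$SAMPLE_LOGINS" "$SAMPLE_USERS" off missing
```

Run `live_tables sftpuser` as root on the affected host to replace the constructed tables with real ones.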