From: Stephen Smalley <sds@tycho.nsa.gov>
To: Aman Sharma <amansh.sharma5@gmail.com>
Cc: SELinux <selinux@tycho.nsa.gov>
Subject: Re: PAM Security related issue
Date: Thu, 14 Dec 2017 08:49:57 -0500
Message-ID: <1513259397.18008.3.camel@tycho.nsa.gov>
In-Reply-To: <CAPMH7-9F4H_e-VmHqOzdpCq0JkN-y71-ye152yBixZrHHmOd5g@mail.gmail.com>

On Thu, 2017-12-14 at 12:48 +0530, Aman Sharma wrote:
> Hi All,
> 
> Below is the output of the semanage user command for sftpuser:
> 
> specialuser_u   user       s0         s0                           sysadm_r system_r
> 
> and for command semanage login -l , output is :
> 
> sftpuser             specialuser_u        s0                   *
> 
> and also, after adding the debugging option, it's showing the below
> error message as 
> 
> Dec 13 15:46:10 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session):
> Unable to get valid context for sftpuser
> Dec 13 15:46:10 cucmSUB authpriv 5 sshd: pam_selinux(sshd:session):
> Open Session
> Dec 13 15:46:11 cucmSUB authpriv 7 sshd: pam_selinux(sshd:session):
> Username= sftpuser SELinux User= specialuser_u Level= s0
> Dec 13 15:46:11 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session):
> Unable to get valid context for sftpuser
> 
> also the selinuxdefcon command is showing an error while running for
> sftpuser, i.e. 
> sudo /usr/sbin/selinuxdefcon sftpuser system_u:system_r:sshd_t:s0
> /usr/sbin/selinuxdefcon: Invalid argument
> 
> Please let me know your comments on this.

Is there a reason why you've added your own unique SELinux user and
login entries for sftpuser rather than either just mapping to one of
the existing users if you want it to be confined or leaving it
unspecified and just using the __default__ entry if you want it to be
unconfined?

The entries above say that sftpuser is to be mapped to specialuser_u,
and that specialuser_u can only use the sysadm_r or system_r roles.  To
make that work, you would also need to enable the ssh_sysadm_login
boolean and cp /etc/selinux/targeted/contexts/users/sysadm_u
/etc/selinux/targeted/contexts/users/specialuser_u.  But that seems
pointless since you could just leave it unmapped or map it to sysadm_u
in the first place if that was really what you wanted.

If you want sftpuser to be unrestricted, just remove the mappings, i.e.
$ sudo semanage login -d sftpuser
$ sudo semanage user -d specialuser_u
$ selinuxdefcon sftpuser system_u:system_r:sshd_t:s0-s0:c0.c1023
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
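The reply above pins the problem on an inconsistent login mapping: a custom SELinux user limited to sysadm_r/system_r, no contexts/users file for it, and the ssh_sysadm_login boolean left off. The script below is an added example, not code from the thread or from the SELinux project: it runs the same consistency check offline over constructed copies of the `semanage login -l` and `semanage user -l` tables and a constructed stand-in for /etc/selinux/targeted. The function names and the CTX_ROOT and SSH_SYSADM_LOGIN variables are assumptions of this example; on a real host you would feed it the live semanage output and `getsebool ssh_sysadm_login`.

```shell
#!/bin/sh
# Added example (not part of the thread): check whether a Linux login's
# SELinux mapping can actually produce a session context. Reads constructed
# semanage tables so it runs offline; CTX_ROOT and SSH_SYSADM_LOGIN are
# assumed stand-ins for /etc/selinux/targeted and the ssh_sysadm_login boolean.

# Constructed `semanage login -l` table: login, SELinux user, MLS/MCS range, service.
LOGIN_TABLE='__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
sftpuser             specialuser_u        s0                   *'

# Constructed `semanage user -l` table: SELinux user, prefix, MCS level,
# MCS range, then the roles (field 5 onward).
USER_TABLE='specialuser_u   user       s0         s0                            sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r'

# Stand-in for /etc/selinux/targeted, seeded only with the per-user context
# files a stock policy ships (no file for specialuser_u, as in the thread).
CTX_ROOT="${CTX_ROOT:-$(mktemp -d)}"
mkdir -p "$CTX_ROOT/contexts/users"
: > "$CTX_ROOT/contexts/users/sysadm_u"
: > "$CTX_ROOT/contexts/users/unconfined_u"
# Stand-in for `getsebool ssh_sysadm_login`; "off" matches a stock policy.
SSH_SYSADM_LOGIN="${SSH_SYSADM_LOGIN:-off}"

# selinux_user_for LOGIN: the SELinux user a login maps to, falling back to
# the __default__ entry for logins that have no explicit mapping.
selinux_user_for() {
    u=$(printf '%s\n' "$LOGIN_TABLE" | awk -v l="$1" '$1 == l { print $2 }')
    [ -n "$u" ] || u=$(printf '%s\n' "$LOGIN_TABLE" | awk '$1 == "__default__" { print $2 }')
    printf '%s\n' "$u"
}

# login_roles_for SEUSER: that user's roles minus system_r, which is not a
# role a login session is placed in. Empty output means no usable role.
login_roles_for() {
    printf '%s\n' "$USER_TABLE" | awk -v u="$1" '
        $1 == u {
            out = ""
            for (i = 5; i <= NF; i++)
                if ($i != "system_r") { if (out == "") out = $i; else out = out " " $i }
            print out
        }'
}

# check_login LOGIN: print "ok: ..." and return 0, or print the first
# problem found and return 1.
check_login() {
    seuser=$(selinux_user_for "$1")
    if ! printf '%s\n' "$USER_TABLE" | awk -v u="$seuser" '$1 == u { found = 1 } END { exit !found }'; then
        echo "missing: login '$1' maps to undefined SELinux user '$seuser'"; return 1
    fi
    roles=$(login_roles_for "$seuser")
    # libselinux looks for contexts/users/<seuser> before falling back to
    # default_contexts; the reply's fix for a custom user was to copy the
    # sysadm_u file under the new name.
    if [ ! -f "$CTX_ROOT/contexts/users/$seuser" ]; then
        echo "missing: $CTX_ROOT/contexts/users/$seuser (copy contexts/users/sysadm_u to it)"; return 1
    fi
    # A user whose only login role is sysadm_r needs ssh_sysadm_login on.
    if [ "$roles" = "sysadm_r" ] && [ "$SSH_SYSADM_LOGIN" != "on" ]; then
        echo "boolean: '$seuser' can only use sysadm_r but ssh_sysadm_login is off"; return 1
    fi
    echo "ok: $1 -> $seuser ($roles)"
}

# Usage: ./check_selinux_login.sh sftpuser   (exit status follows the check)
if [ $# -gt 0 ]; then check_login "$1"; fi
```

With the constructed tables the check first reports the missing specialuser_u context file, then, once that file exists, the boolean; only with both in place does sftpuser resolve, which is the same pair of changes the reply lists. Logins without an explicit mapping fall through to __default__ and pass, which is the "leave it unmapped" option.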


Thread overview: 9+ messages
2017-12-13  4:47 PAM Security related issue Aman Sharma
2017-12-13  9:14 ` Aman Sharma
2017-12-13 15:24 ` Stephen Smalley
2017-12-13 16:10   ` Aman Sharma
2017-12-13 18:17     ` Dominick Grift
2017-12-13 19:15     ` Stephen Smalley
2017-12-14  7:18       ` Aman Sharma
2017-12-14  8:16         ` Dominick Grift
2017-12-14 13:49         ` Stephen Smalley [this message]