1. cat /etc/selinux/targeted/contexts/users/specialuser_u
2. priv logins are allowed as per the ssh_priv_logins boolean?
3. do you get the same result when you associate "sftpuser" with selinux user "user_u"?

On Thu, Dec 14, 2017 at 12:48:42PM +0530, Aman Sharma wrote:
> Hi All,
>
> Below is the output of the semanage user command for sftpuser:
>
> specialuser_u user s0 s0 sysadm_r system_r
>
> and for the command semanage login -l, the output is:
>
> sftpuser specialuser_u s0 *
>
> and also, after adding the debugging option, it's showing the below error
> message:
>
> Dec 13 15:46:10 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session): Unable to get valid context for sftpuser
> Dec 13 15:46:10 cucmSUB authpriv 5 sshd: pam_selinux(sshd:session): Open Session
> Dec 13 15:46:11 cucmSUB authpriv 7 sshd: pam_selinux(sshd:session): Username= sftpuser SELinux User= specialuser_u Level= s0
> Dec 13 15:46:11 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session): Unable to get valid context for sftpuser
>
> also the selinuxdefcon command is showing an error while running for sftpuser, i.e.
>
> sudo /usr/sbin/selinuxdefcon sftpuser system_u:system_r:sshd_t:s0
>
> /usr/sbin/selinuxdefcon: Invalid argument
>
> Please let me know your comments on this.
>
> Thanks
> Aman
>
> On Thu, Dec 14, 2017 at 12:45 AM, Stephen Smalley wrote:
> > On Wed, 2017-12-13 at 21:40 +0530, Aman Sharma wrote:
> > > Hi Stephen,
> > >
> > > Yes, I am using open env_params for it. But for this, my sftp is not
> > > working and getting the below error message:
> > >
> > > Dec 13 13:00:00 aman authpriv 3 sshd: pam_selinux(sshd:session): Unable to get valid context for sftpuser
> > > Dec 13 13:00:00 aman authpriv 6 sshd: pam_unix(sshd:session): session opened for user sftpuser by (uid=0)
> > >
> > > Please let me know if you have any idea on this.
> >
> > Do you have any semanage login mapping for sftpuser or is it just using
> > the __default__ entry? (what does semanage login -l show) How was
> > sftpuser created?
> >
> > You could add the debug option on the pam_selinux.so line to try to get
> > more information.
> >
> > You could run selinuxdefcon to query what context would be used for
> > that user, e.g.
> > selinuxdefcon sftpuser system_u:system_r:sshd_t:s0-s0.c0123
> >
> > > On Wed, Dec 13, 2017 at 8:54 PM, Stephen Smalley wrote:
> > > > On Tue, 2017-12-12 at 23:47 -0500, Aman Sharma wrote:
> > > > > Hi All,
> > > > >
> > > > > just wanted to know the meaning of the line "session required
> > > > > pam_selinux.so open env_params" added in the /etc/pam.d/sshd file.
> > > > > Actually I am facing one issue related to this. When I changed this
> > > > > env_params to restore then my Sftp is not working.
> > > > >
> > > > > Can anybody please guide me on this.
> > > >
> > > > man pam_selinux describes the options and what they mean.
> > > > Why did you change it to restore? Per the man page, restore is to
> > > > temporarily restore the contexts and would be a separate entry in the
> > > > PAM stack before the module that needs the original contexts, followed
> > > > by a pam_selinux.so open env_params after that module to set them up
> > > > again. But don't use restore unless you actually need it for some
> > > > reason.
> > >
> > > --
> > > Thanks
> > > Aman
> > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com
>
> --
> Thanks
> Aman
> Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
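Added example, not part of the thread above and not libselinux code: a small Python model of the lookup that pam_selinux and selinuxdefcon perform when they choose a login context for a mapped SELinux user. The default_contexts and contexts/users/<seuser> contents, and the user-to-role and role-to-type tables that stand in for the policy's validity check, are all constructed for this example and simplified (no MLS ranges, no failsafe context); real policy files differ. What it shows is the condition behind "Unable to get valid context": a login mapped to an SELinux user whose roles never appear among the candidates listed for the sshd_t source context ends up with no valid candidate at all, and a per-user file under contexts/users (the file item 1 in the reply asks about) is what changes that.

```python
"""Simplified model of the login-context lookup done by pam_selinux /
selinuxdefcon. Added example, not from the thread; all data is constructed."""

# Constructed stand-in for /etc/selinux/targeted/contexts/default_contexts.
# Each line: <role:type[:level] of the calling process>, then candidate
# role:type[:level] entries for the user, in preference order.
DEFAULT_CONTEXTS = """\
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0
"""

# Constructed stand-in for the per-SELinux-user override files,
# /etc/selinux/targeted/contexts/users/<seuser>. Deliberately no entry for
# specialuser_u, mirroring the situation the thread is debugging.
USER_FILES = {
    "user_u": "system_r:sshd_t:s0 user_r:user_t:s0\n",
}

# Constructed, much-simplified policy: roles each SELinux user may hold and
# types each role may enter. Stands in for the kernel validity check
# (security_check_context) that the real lookup relies on.
USER_ROLES = {
    "user_u": {"user_r"},
    "specialuser_u": {"sysadm_r", "system_r"},  # roles shown in the thread's semanage user output
}
ROLE_TYPES = {
    "user_r": {"user_t"},
    "staff_r": {"staff_t"},
    "sysadm_r": {"sysadm_t"},
    "unconfined_r": {"unconfined_t"},
}


def parse_contexts(text):
    """Parse a contexts file into [(from_role:type, [candidate, ...]), ...].
    The level on the first field is ignored for matching: only the calling
    process's role:type is compared."""
    table = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        from_key = ":".join(fields[0].split(":")[:2])
        table.append((from_key, fields[1:]))
    return table


def context_is_valid(ctx):
    """Stand-in validity check: the role must be allowed for the SELinux
    user and the type must be allowed for the role."""
    user, role, type_, _level = ctx.split(":", 3)
    return role in USER_ROLES.get(user, set()) and type_ in ROLE_TYPES.get(role, set())


def get_ordered_context_list(seuser, fromcon, level="s0", user_files=USER_FILES):
    """Valid candidate contexts for seuser when the caller runs as fromcon,
    in preference order. The per-user file is consulted before
    default_contexts, as the real lookup does."""
    from_role_type = ":".join(fromcon.split(":")[1:3])
    sources = [user_files[seuser]] if seuser in user_files else []
    sources.append(DEFAULT_CONTEXTS)
    result = []
    for text in sources:
        for from_key, candidates in parse_contexts(text):
            if from_key != from_role_type:
                continue
            for cand in candidates:
                role, type_ = cand.split(":")[:2]
                ctx = f"{seuser}:{role}:{type_}:{level}"
                if context_is_valid(ctx) and ctx not in result:
                    result.append(ctx)
    return result


def default_context(seuser, fromcon, level="s0", user_files=USER_FILES):
    """First valid candidate, or None. None is the condition pam_selinux
    logs as 'Unable to get valid context for <user>'."""
    ctxs = get_ordered_context_list(seuser, fromcon, level, user_files)
    return ctxs[0] if ctxs else None


if __name__ == "__main__":
    SSHD = "system_u:system_r:sshd_t:s0"
    print("user_u        ->", default_context("user_u", SSHD))
    print("specialuser_u ->", default_context("specialuser_u", SSHD))
    # Hypothetical contexts/users/specialuser_u naming a role the user actually holds.
    fixed = dict(USER_FILES, specialuser_u="system_r:sshd_t:s0 sysadm_r:sysadm_t:s0\n")
    print("specialuser_u (with users/specialuser_u) ->",
          default_context("specialuser_u", SSHD, user_files=fixed))
```

In this model default_context("specialuser_u", ...) returns None because every candidate on the sshd_t line carries a role specialuser_u does not hold, while user_u gets user_u:user_r:user_t:s0 from its per-user file; adding a hypothetical contexts/users/specialuser_u line that names sysadm_r:sysadm_t makes the lookup succeed. On a real system the equivalent check is selinuxdefcon with the sshd context, as suggested earlier in the thread, together with a look at the per-user file and at whether the policy actually permits that role for sshd logins.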