* Fwd: Qwery regarding Selinux Change Id context [not found] ` <CAPMH7-_i8y2J217Pp86Evgd8rBB6a4zGRah=nB=gcWb0i+a+Rg@mail.gmail.com> @ 2017-11-24 5:17 ` Aman Sharma 2017-11-24 6:52 ` Ravi Kumar 2017-11-27 15:59 ` Fwd: " Stephen Smalley 0 siblings, 2 replies; 43+ messages in thread From: Aman Sharma @ 2017-11-24 5:17 UTC (permalink / raw) To: selinux [-- Attachment #1: Type: text/plain, Size: 2048 bytes --] Hi All, Currently Working on Cent OS 7.3 and login as a root User and my Id command output is : *id* *uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* I want to change *System_u:system_r:unconfined_t to sysadm_u:sysadm_r or * *unconfined_u:**unconfined_r**. * *Also showing the output of following command :* *semanage user -l* * Labeling MLS/ MLS/ * *SELinux User Prefix MCS Level MCS Range SELinux Roles* *admin_u user s0 s0-s0:c0.c1023 sysadm_r system_r* *guest_u user s0 s0 guest_r* *root user s0 s0-s0:c0.c1023 staff_r sysadm_r* *specialuser_u user s0 s0 sysadm_r system_r* *staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r* *sysadm_u user s0 s0-s0:c0.c1023 sysadm_r* *system_u user s0 s0-s0:c0.c1023 system_r* *unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r* *user_u user s0 s0 user_r* *xguest_u user s0 s0 xguest_r* * semanage login -l* *Login Name SELinux User MLS/MCS Range Service* *__default__ sysadm_u s0-s0:c0.c1023 ** *ccmservice specialuser_u s0 ** *cucm admin_u s0-s0:c0.c1023 ** *drfkeys specialuser_u s0 ** *drfuser specialuser_u s0 ** *informix specialuser_u s0 ** *pwrecovery specialuser_u s0 ** *root sysadm_u s0-s0:c0.c1023 ** *sftpuser specialuser_u s0 ** *system_u sysadm_u s0-s0:c0.c1023 ** *Can anybody Please help me.* -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 4190 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-11-24 5:17 ` Fwd: Qwery regarding Selinux Change Id context Aman Sharma @ 2017-11-24 6:52 ` Ravi Kumar 2017-11-24 7:09 ` Aman Sharma 2017-11-27 15:59 ` Fwd: " Stephen Smalley 1 sibling, 1 reply; 43+ messages in thread From: Ravi Kumar @ 2017-11-24 6:52 UTC (permalink / raw) To: Aman Sharma; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 2476 bytes --] Based on the config each type of login ( ssh ,shell ) will have it own role . if this is just for testing you can try setting the bool value if you are logging via ssh. setsebool -P ssh_sysadm_login 1 Regards, Ravi On Fri, Nov 24, 2017 at 10:47 AM, Aman Sharma <amansh.sharma5@gmail.com> wrote: > > > Hi All, > > Currently Working on Cent OS 7.3 and login as a root User and my Id > command output is : > > *id* > *uid=0(root) gid=0(root) groups=0(root) > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > I want to change *System_u:system_r:unconfined_t to sysadm_u:sysadm_r or * > *unconfined_u:**unconfined_r**. * > > *Also showing the output of following command :* > > *semanage user -l* > > * Labeling MLS/ MLS/ * > *SELinux User Prefix MCS Level MCS Range > SELinux Roles* > > *admin_u user s0 s0-s0:c0.c1023 > sysadm_r system_r* > *guest_u user s0 s0 > guest_r* > *root user s0 s0-s0:c0.c1023 > staff_r sysadm_r* > *specialuser_u user s0 s0 > sysadm_r system_r* > *staff_u user s0 s0-s0:c0.c1023 > staff_r sysadm_r system_r* > *sysadm_u user s0 s0-s0:c0.c1023 > sysadm_r* > *system_u user s0 s0-s0:c0.c1023 > system_r* > *unconfined_u user s0 s0-s0:c0.c1023 > system_r unconfined_r* > *user_u user s0 s0 > user_r* > *xguest_u user s0 s0 > xguest_r* > > > * semanage login -l* > > *Login Name SELinux User MLS/MCS Range Service* > > *__default__ sysadm_u s0-s0:c0.c1023 ** > *ccmservice specialuser_u s0 ** > *cucm admin_u s0-s0:c0.c1023 ** > *drfkeys specialuser_u s0 ** > *drfuser specialuser_u s0 ** > *informix specialuser_u s0 ** > *pwrecovery specialuser_u s0 ** > *root sysadm_u s0-s0:c0.c1023 ** > *sftpuser specialuser_u s0 ** > *system_u sysadm_u s0-s0:c0.c1023 ** > > > *Can anybody Please help me.* > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > [-- Attachment #2: Type: text/html, Size: 5052 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-11-24 6:52 ` Ravi Kumar @ 2017-11-24 7:09 ` Aman Sharma 2017-11-25 17:25 ` Simon Sekidde 0 siblings, 1 reply; 43+ messages in thread From: Aman Sharma @ 2017-11-24 7:09 UTC (permalink / raw) To: Ravi Kumar; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 3126 bytes --] Hi Ravi, Thanks for your reply but SSH and Sysadm_login is already enabled. Actually I need to change the root context from*System_u:system_r:unconfined_t to sysadm_u:sysadm_r or **unconfined_u:**unconfined_r**.* *I found one command (**runcon unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /bin/bash**) but that command will not work after reboot . Is there any parmanent solution for this.* On Fri, Nov 24, 2017 at 12:22 PM, Ravi Kumar <nxp.ravi@gmail.com> wrote: > Based on the config each type of login ( ssh ,shell ) will have it own > role . if this is just for testing you can try setting the bool value if > you are logging via ssh. > > setsebool -P ssh_sysadm_login 1 > > > > Regards, > Ravi > > On Fri, Nov 24, 2017 at 10:47 AM, Aman Sharma <amansh.sharma5@gmail.com> > wrote: > >> >> >> Hi All, >> >> Currently Working on Cent OS 7.3 and login as a root User and my Id >> command output is : >> >> *id* >> *uid=0(root) gid=0(root) groups=0(root) >> context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* >> >> I want to change *System_u:system_r:unconfined_t to sysadm_u:sysadm_r >> or **unconfined_u:**unconfined_r**. * >> >> *Also showing the output of following command :* >> >> *semanage user -l* >> >> * Labeling MLS/ MLS/ * >> *SELinux User Prefix MCS Level MCS Range >> SELinux Roles* >> >> *admin_u user s0 s0-s0:c0.c1023 >> sysadm_r system_r* >> *guest_u user s0 s0 >> guest_r* >> *root user s0 s0-s0:c0.c1023 >> staff_r sysadm_r* >> *specialuser_u user s0 s0 >> sysadm_r system_r* >> *staff_u user s0 s0-s0:c0.c1023 >> staff_r sysadm_r system_r* >> *sysadm_u user s0 s0-s0:c0.c1023 >> sysadm_r* >> *system_u user s0 s0-s0:c0.c1023 >> system_r* >> *unconfined_u user s0 s0-s0:c0.c1023 >> system_r unconfined_r* >> *user_u user s0 s0 >> user_r* >> *xguest_u user s0 s0 >> xguest_r* >> >> >> * semanage login -l* >> >> *Login Name SELinux User MLS/MCS Range Service* >> >> *__default__ sysadm_u s0-s0:c0.c1023 ** >> *ccmservice specialuser_u s0 ** >> *cucm admin_u s0-s0:c0.c1023 ** >> *drfkeys specialuser_u s0 ** >> *drfuser specialuser_u s0 ** >> *informix specialuser_u s0 ** >> *pwrecovery specialuser_u s0 ** >> *root sysadm_u s0-s0:c0.c1023 ** >> *sftpuser specialuser_u s0 ** >> *system_u sysadm_u s0-s0:c0.c1023 ** >> >> >> *Can anybody Please help me.* >> >> -- >> >> Thanks >> Aman >> Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com >> >> > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 6808 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-11-24 7:09 ` Aman Sharma @ 2017-11-25 17:25 ` Simon Sekidde 2017-11-27 5:56 ` Aman Sharma 0 siblings, 1 reply; 43+ messages in thread From: Simon Sekidde @ 2017-11-25 17:25 UTC (permalink / raw) To: Aman Sharma; +Cc: Ravi Kumar, SELinux ----- Original Message ----- > From: "Aman Sharma" <amansh.sharma5@gmail.com> > To: "Ravi Kumar" <nxp.ravi@gmail.com> > Cc: "SELinux" <selinux@tycho.nsa.gov> > Sent: Friday, November 24, 2017 2:09:05 AM > Subject: Re: Qwery regarding Selinux Change Id context > > Hi Ravi, > > Thanks for your reply but SSH and Sysadm_login is already enabled. > > Actually I need to change the root context > from*System_u:system_r:unconfined_t > to sysadm_u:sysadm_r or **unconfined_u:**unconfined_r**.* > > *I found one command (**runcon > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /bin/bash**) but that > command will not work after reboot . Is there any parmanent solution for > this.* > It should be unconfined by default if you are running policy in targeted mode # cat /etc/selinux/targeted/seusers root:unconfined_u:s0-s0:c0.c1023 system_u:system_u:s0-s0:c0.c1023 __default__:unconfined_u:s0-s0:c0.c1023 try something like `semanage login -m -s unconfined_u root; restorecon -RF /root` > On Fri, Nov 24, 2017 at 12:22 PM, Ravi Kumar <nxp.ravi@gmail.com> wrote: > > > Based on the config each type of login ( ssh ,shell ) will have it own > > role . if this is just for testing you can try setting the bool value if > > you are logging via ssh. > > > > setsebool -P ssh_sysadm_login 1 > > > > > > > > Regards, > > Ravi > > > > On Fri, Nov 24, 2017 at 10:47 AM, Aman Sharma <amansh.sharma5@gmail.com> > > wrote: > > > >> > >> > >> Hi All, > >> > >> Currently Working on Cent OS 7.3 and login as a root User and my Id > >> command output is : > >> > >> *id* > >> *uid=0(root) gid=0(root) groups=0(root) > >> context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* > >> > >> I want to change *System_u:system_r:unconfined_t to sysadm_u:sysadm_r > >> or **unconfined_u:**unconfined_r**. * > >> > >> *Also showing the output of following command :* > >> > >> *semanage user -l* > >> > >> * Labeling MLS/ MLS/ * > >> *SELinux User Prefix MCS Level MCS Range > >> SELinux Roles* > >> > >> *admin_u user s0 s0-s0:c0.c1023 > >> sysadm_r system_r* > >> *guest_u user s0 s0 > >> guest_r* > >> *root user s0 s0-s0:c0.c1023 > >> staff_r sysadm_r* > >> *specialuser_u user s0 s0 > >> sysadm_r system_r* > >> *staff_u user s0 s0-s0:c0.c1023 > >> staff_r sysadm_r system_r* > >> *sysadm_u user s0 s0-s0:c0.c1023 > >> sysadm_r* > >> *system_u user s0 s0-s0:c0.c1023 > >> system_r* > >> *unconfined_u user s0 s0-s0:c0.c1023 > >> system_r unconfined_r* > >> *user_u user s0 s0 > >> user_r* > >> *xguest_u user s0 s0 > >> xguest_r* > >> > >> > >> * semanage login -l* > >> > >> *Login Name SELinux User MLS/MCS Range Service* > >> > >> *__default__ sysadm_u s0-s0:c0.c1023 ** > >> *ccmservice specialuser_u s0 ** > >> *cucm admin_u s0-s0:c0.c1023 ** > >> *drfkeys specialuser_u s0 ** > >> *drfuser specialuser_u s0 ** > >> *informix specialuser_u s0 ** > >> *pwrecovery specialuser_u s0 ** > >> *root sysadm_u s0-s0:c0.c1023 ** > >> *sftpuser specialuser_u s0 ** > >> *system_u sysadm_u s0-s0:c0.c1023 ** > >> > >> > >> *Can anybody Please help me.* > >> > >> -- > >> > >> Thanks > >> Aman > >> Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > >> > >> > > > > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > -- Simon Sekidde gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-11-25 17:25 ` Simon Sekidde @ 2017-11-27 5:56 ` Aman Sharma 0 siblings, 0 replies; 43+ messages in thread From: Aman Sharma @ 2017-11-27 5:56 UTC (permalink / raw) To: Simon Sekidde; +Cc: Ravi Kumar, SELinux [-- Attachment #1: Type: text/plain, Size: 4771 bytes --] Hi Simon, After applying the commands which you mentioned previously is working fine but its still showing the ID command output as same i.e. **id*> >> *uid=0(root) gid=0(root) groups=0(root)> >> context=system_u:system_r:unconfined_t:s0-s0:c0.c1023** Do you know how to reset this System_u to Unconfined_u i.e. to the default behavior. Thanks for the help. Aman On Sat, Nov 25, 2017 at 10:55 PM, Simon Sekidde <ssekidde@redhat.com> wrote: > > > ----- Original Message ----- > > From: "Aman Sharma" <amansh.sharma5@gmail.com> > > To: "Ravi Kumar" <nxp.ravi@gmail.com> > > Cc: "SELinux" <selinux@tycho.nsa.gov> > > Sent: Friday, November 24, 2017 2:09:05 AM > > Subject: Re: Qwery regarding Selinux Change Id context > > > > Hi Ravi, > > > > Thanks for your reply but SSH and Sysadm_login is already enabled. > > > > Actually I need to change the root context > > from*System_u:system_r:unconfined_t > > to sysadm_u:sysadm_r or **unconfined_u:**unconfined_r**.* > > > > *I found one command (**runcon > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /bin/bash**) but > that > > command will not work after reboot . Is there any parmanent solution for > > this.* > > > > It should be unconfined by default if you are running policy in targeted > mode > > # cat /etc/selinux/targeted/seusers > root:unconfined_u:s0-s0:c0.c1023 > system_u:system_u:s0-s0:c0.c1023 > __default__:unconfined_u:s0-s0:c0.c1023 > > try something like `semanage login -m -s unconfined_u root; restorecon -RF > /root` > > > > On Fri, Nov 24, 2017 at 12:22 PM, Ravi Kumar <nxp.ravi@gmail.com> wrote: > > > > > Based on the config each type of login ( ssh ,shell ) will have it > own > > > role . if this is just for testing you can try setting the bool > value if > > > you are logging via ssh. > > > > > > setsebool -P ssh_sysadm_login 1 > > > > > > > > > > > > Regards, > > > Ravi > > > > > > On Fri, Nov 24, 2017 at 10:47 AM, Aman Sharma < > amansh.sharma5@gmail.com> > > > wrote: > > > > > >> > > >> > > >> Hi All, > > >> > > >> Currently Working on Cent OS 7.3 and login as a root User and my Id > > >> command output is : > > >> > > >> *id* > > >> *uid=0(root) gid=0(root) groups=0(root) > > >> context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > >> > > >> I want to change *System_u:system_r:unconfined_t to sysadm_u:sysadm_r > > >> or **unconfined_u:**unconfined_r**. * > > >> > > >> *Also showing the output of following command :* > > >> > > >> *semanage user -l* > > >> > > >> * Labeling MLS/ MLS/ * > > >> *SELinux User Prefix MCS Level MCS Range > > >> SELinux Roles* > > >> > > >> *admin_u user s0 s0-s0:c0.c1023 > > >> sysadm_r system_r* > > >> *guest_u user s0 s0 > > >> guest_r* > > >> *root user s0 s0-s0:c0.c1023 > > >> staff_r sysadm_r* > > >> *specialuser_u user s0 s0 > > >> sysadm_r system_r* > > >> *staff_u user s0 s0-s0:c0.c1023 > > >> staff_r sysadm_r system_r* > > >> *sysadm_u user s0 s0-s0:c0.c1023 > > >> sysadm_r* > > >> *system_u user s0 s0-s0:c0.c1023 > > >> system_r* > > >> *unconfined_u user s0 s0-s0:c0.c1023 > > >> system_r unconfined_r* > > >> *user_u user s0 s0 > > >> user_r* > > >> *xguest_u user s0 s0 > > >> xguest_r* > > >> > > >> > > >> * semanage login -l* > > >> > > >> *Login Name SELinux User MLS/MCS Range > Service* > > >> > > >> *__default__ sysadm_u s0-s0:c0.c1023 ** > > >> *ccmservice specialuser_u s0 ** > > >> *cucm admin_u s0-s0:c0.c1023 ** > > >> *drfkeys specialuser_u s0 ** > > >> *drfuser specialuser_u s0 ** > > >> *informix specialuser_u s0 ** > > >> *pwrecovery specialuser_u s0 ** > > >> *root sysadm_u s0-s0:c0.c1023 ** > > >> *sftpuser specialuser_u s0 ** > > >> *system_u sysadm_u s0-s0:c0.c1023 ** > > >> > > >> > > >> *Can anybody Please help me.* > > >> > > >> -- > > >> > > >> Thanks > > >> Aman > > >> Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > >> > > >> > > > > > > > > > -- > > > > Thanks > > Aman > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > -- > Simon Sekidde > gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E > > > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 8104 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-24 5:17 ` Fwd: Qwery regarding Selinux Change Id context Aman Sharma 2017-11-24 6:52 ` Ravi Kumar @ 2017-11-27 15:59 ` Stephen Smalley 2017-11-29 4:03 ` Aman Sharma 1 sibling, 1 reply; 43+ messages in thread From: Stephen Smalley @ 2017-11-27 15:59 UTC (permalink / raw) To: Aman Sharma, selinux On Fri, 2017-11-24 at 10:47 +0530, Aman Sharma wrote: > > > Hi All, > > Currently Working on Cent OS 7.3 and login as a root User and my Id > command output is : > > id > uid=0(root) gid=0(root) groups=0(root) > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023 > > I want to change System_u:system_r:unconfined_t to sysadm_u:sysadm_r > or unconfined_u:unconfined_r. > > Also showing the output of following command : > > semanage user -l > > Labeling MLS/ MLS/ > SELinux User Prefix MCS Level MCS Range > SELinux Roles > > admin_u user s0 s0-s0:c0.c1023 > sysadm_r system_r > guest_u user s0 s0 > guest_r > root user s0 s0-s0:c0.c1023 > staff_r sysadm_r > specialuser_u user s0 s0 > sysadm_r system_r > staff_u user s0 s0-s0:c0.c1023 > staff_r sysadm_r system_r > sysadm_u user s0 s0-s0:c0.c1023 > sysadm_r > system_u user s0 s0-s0:c0.c1023 > system_r > unconfined_u user s0 s0-s0:c0.c1023 > system_r unconfined_r > user_u user s0 s0 > user_r > xguest_u user s0 s0 > xguest_r > > > semanage login -l > > Login Name SELinux User MLS/MCS Range > Service > > __default__ sysadm_u s0-s0:c0.c1023 * > ccmservice specialuser_u s0 * > cucm admin_u s0-s0:c0.c1023 * > drfkeys specialuser_u s0 * > drfuser specialuser_u s0 * > informix specialuser_u s0 * > pwrecovery specialuser_u s0 * > root sysadm_u s0-s0:c0.c1023 * > sftpuser specialuser_u s0 * > system_u sysadm_u s0-s0:c0.c1023 * > > > Can anybody Please help me. What is your sestatus -v output? How are you logging in (console, gdm, ssh, ...)? You don't appear to be running the default policy, or if you are, someone has heavily customized your user and login mappings. ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-27 15:59 ` Fwd: " Stephen Smalley @ 2017-11-29 4:03 ` Aman Sharma 2017-11-29 8:22 ` Dominick Grift 2017-11-29 13:51 ` Stephen Smalley 0 siblings, 2 replies; 43+ messages in thread From: Aman Sharma @ 2017-11-29 4:03 UTC (permalink / raw) To: Stephen Smalley; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 4248 bytes --] Hi Stephen, Below is the output of command : * sestatus -v output* *SELinux status: enabled* *SELinuxfs mount: /sys/fs/selinux* *SELinux root directory: /etc/selinux* *Loaded policy name: targeted* *Current mode: enforcing* *Mode from config file: permissive* *Policy MLS status: enabled* *Policy deny_unknown status: allowed* *Max kernel policy version: 28* *Process contexts:* *Current context: system_u:system_r:unconfined_t:s0-s0:c0.c1023* *Init context: system_u:system_r:init_t:s0* */usr/sbin/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023* *File contexts:* *Controlling terminal: system_u:object_r:sshd_devpts_t:s0* */etc/passwd system_u:object_r:passwd_file_t:s0* */etc/shadow system_u:object_r:shadow_t:s0* */bin/bash system_u:object_r:shell_exec_t:s0* */bin/login system_u:object_r:login_exec_t:s0* */bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0* */sbin/agetty system_u:object_r:getty_exec_t:s0* */sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0* */usr/sbin/sshd system_u:object_r:sshd_exec_t:s0* */lib/libc.so.6 system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0* */lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0* *Also I am using ssh session for login.* *Please let me know how to change id command context to unconfined_u or Sysadm_u.* Thanks in advance Aman On Mon, Nov 27, 2017 at 9:29 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Fri, 2017-11-24 at 10:47 +0530, Aman Sharma wrote: > > > > > > Hi All, > > > > Currently Working on Cent OS 7.3 and login as a root User and my Id > > command output is : > > > > id > > uid=0(root) gid=0(root) groups=0(root) > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023 > > > > I want to change System_u:system_r:unconfined_t to sysadm_u:sysadm_r > > or unconfined_u:unconfined_r. > > > > Also showing the output of following command : > > > > semanage user -l > > > > Labeling MLS/ MLS/ > > SELinux User Prefix MCS Level MCS Range > > SELinux Roles > > > > admin_u user s0 s0-s0:c0.c1023 > > sysadm_r system_r > > guest_u user s0 s0 > > guest_r > > root user s0 s0-s0:c0.c1023 > > staff_r sysadm_r > > specialuser_u user s0 s0 > > sysadm_r system_r > > staff_u user s0 s0-s0:c0.c1023 > > staff_r sysadm_r system_r > > sysadm_u user s0 s0-s0:c0.c1023 > > sysadm_r > > system_u user s0 s0-s0:c0.c1023 > > system_r > > unconfined_u user s0 s0-s0:c0.c1023 > > system_r unconfined_r > > user_u user s0 s0 > > user_r > > xguest_u user s0 s0 > > xguest_r > > > > > > semanage login -l > > > > Login Name SELinux User MLS/MCS Range > > Service > > > > __default__ sysadm_u s0-s0:c0.c1023 * > > ccmservice specialuser_u s0 * > > cucm admin_u s0-s0:c0.c1023 * > > drfkeys specialuser_u s0 * > > drfuser specialuser_u s0 * > > informix specialuser_u s0 * > > pwrecovery specialuser_u s0 * > > root sysadm_u s0-s0:c0.c1023 * > > sftpuser specialuser_u s0 * > > system_u sysadm_u s0-s0:c0.c1023 * > > > > > > Can anybody Please help me. > > What is your sestatus -v output? How are you logging in (console, gdm, > ssh, ...)? > > You don't appear to be running the default policy, or if you are, > someone has heavily customized your user and login mappings. > > > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 6798 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-29 4:03 ` Aman Sharma @ 2017-11-29 8:22 ` Dominick Grift 2017-11-29 8:51 ` Aman Sharma 2017-11-29 13:51 ` Stephen Smalley 1 sibling, 1 reply; 43+ messages in thread From: Dominick Grift @ 2017-11-29 8:22 UTC (permalink / raw) To: selinux [-- Attachment #1: Type: text/plain, Size: 5281 bytes --] On Wed, Nov 29, 2017 at 09:33:31AM +0530, Aman Sharma wrote: > Hi Stephen, > > Below is the output of command : > > * sestatus -v output* > *SELinux status: enabled* > *SELinuxfs mount: /sys/fs/selinux* > *SELinux root directory: /etc/selinux* > *Loaded policy name: targeted* > *Current mode: enforcing* > *Mode from config file: permissive* > *Policy MLS status: enabled* > *Policy deny_unknown status: allowed* > *Max kernel policy version: 28* > > *Process contexts:* > *Current context: > system_u:system_r:unconfined_t:s0-s0:c0.c1023* > *Init context: system_u:system_r:init_t:s0* > */usr/sbin/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023* > > *File contexts:* > *Controlling terminal: system_u:object_r:sshd_devpts_t:s0* > */etc/passwd system_u:object_r:passwd_file_t:s0* > */etc/shadow system_u:object_r:shadow_t:s0* > */bin/bash system_u:object_r:shell_exec_t:s0* > */bin/login system_u:object_r:login_exec_t:s0* > */bin/sh system_u:object_r:bin_t:s0 -> > system_u:object_r:shell_exec_t:s0* > */sbin/agetty system_u:object_r:getty_exec_t:s0* > */sbin/init system_u:object_r:bin_t:s0 -> > system_u:object_r:init_exec_t:s0* > */usr/sbin/sshd system_u:object_r:sshd_exec_t:s0* > */lib/libc.so.6 system_u:object_r:lib_t:s0 -> > system_u:object_r:lib_t:s0* > */lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> > system_u:object_r:ld_so_t:s0* > > *Also I am using ssh session for login.* > > *Please let me know how to change id command context to unconfined_u or > Sysadm_u.* > > Thanks in advance > Aman not sure and shot in dark, but: root is assoc. with sysadm_u. sysadm_u is only authorized to use sysadm_r. if you have the boolean ssh_priv_login set to off then sysadm_u:sysadm_r:sysadm_t:s0 is inaccessible pam_selinux attempts to use any other contexts that are accessible, and it appears that system_u:system_r:unconfined_t was it. Do you have the ssh_priv_login boolean set to off? `getsebool -a | grep ssh` > > On Mon, Nov 27, 2017 at 9:29 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > > > On Fri, 2017-11-24 at 10:47 +0530, Aman Sharma wrote: > > > > > > > > > Hi All, > > > > > > Currently Working on Cent OS 7.3 and login as a root User and my Id > > > command output is : > > > > > > id > > > uid=0(root) gid=0(root) groups=0(root) > > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023 > > > > > > I want to change System_u:system_r:unconfined_t to sysadm_u:sysadm_r > > > or unconfined_u:unconfined_r. > > > > > > Also showing the output of following command : > > > > > > semanage user -l > > > > > > Labeling MLS/ MLS/ > > > SELinux User Prefix MCS Level MCS Range > > > SELinux Roles > > > > > > admin_u user s0 s0-s0:c0.c1023 > > > sysadm_r system_r > > > guest_u user s0 s0 > > > guest_r > > > root user s0 s0-s0:c0.c1023 > > > staff_r sysadm_r > > > specialuser_u user s0 s0 > > > sysadm_r system_r > > > staff_u user s0 s0-s0:c0.c1023 > > > staff_r sysadm_r system_r > > > sysadm_u user s0 s0-s0:c0.c1023 > > > sysadm_r > > > system_u user s0 s0-s0:c0.c1023 > > > system_r > > > unconfined_u user s0 s0-s0:c0.c1023 > > > system_r unconfined_r > > > user_u user s0 s0 > > > user_r > > > xguest_u user s0 s0 > > > xguest_r > > > > > > > > > semanage login -l > > > > > > Login Name SELinux User MLS/MCS Range > > > Service > > > > > > __default__ sysadm_u s0-s0:c0.c1023 * > > > ccmservice specialuser_u s0 * > > > cucm admin_u s0-s0:c0.c1023 * > > > drfkeys specialuser_u s0 * > > > drfuser specialuser_u s0 * > > > informix specialuser_u s0 * > > > pwrecovery specialuser_u s0 * > > > root sysadm_u s0-s0:c0.c1023 * > > > sftpuser specialuser_u s0 * > > > system_u sysadm_u s0-s0:c0.c1023 * > > > > > > > > > Can anybody Please help me. > > > > What is your sestatus -v output? How are you logging in (console, gdm, > > ssh, ...)? > > > > You don't appear to be running the default policy, or if you are, > > someone has heavily customized your user and login mappings. > > > > > > > > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 659 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-29 8:22 ` Dominick Grift @ 2017-11-29 8:51 ` Aman Sharma 2017-11-29 9:11 ` Dominick Grift 0 siblings, 1 reply; 43+ messages in thread From: Aman Sharma @ 2017-11-29 8:51 UTC (permalink / raw) To: SELinux [-- Attachment #1: Type: text/plain, Size: 5777 bytes --] Hi , Check the output for the same. * getsebool -a | grep ssh* fenced_can_ssh --> off selinuxuser_use_ssh_chroot --> on ssh_chroot_rw_homedirs --> off ssh_keysign --> off ssh_sysadm_login --> on On Wed, Nov 29, 2017 at 1:52 PM, Dominick Grift <dac.override@gmail.com> wrote: > On Wed, Nov 29, 2017 at 09:33:31AM +0530, Aman Sharma wrote: > > Hi Stephen, > > > > Below is the output of command : > > > > * sestatus -v output* > > *SELinux status: enabled* > > *SELinuxfs mount: /sys/fs/selinux* > > *SELinux root directory: /etc/selinux* > > *Loaded policy name: targeted* > > *Current mode: enforcing* > > *Mode from config file: permissive* > > *Policy MLS status: enabled* > > *Policy deny_unknown status: allowed* > > *Max kernel policy version: 28* > > > > *Process contexts:* > > *Current context: > > system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > *Init context: system_u:system_r:init_t:s0* > > */usr/sbin/sshd system_u:system_r:sshd_t:s0- > s0:c0.c1023* > > > > *File contexts:* > > *Controlling terminal: system_u:object_r:sshd_devpts_t:s0* > > */etc/passwd system_u:object_r:passwd_file_t:s0* > > */etc/shadow system_u:object_r:shadow_t:s0* > > */bin/bash system_u:object_r:shell_exec_t:s0* > > */bin/login system_u:object_r:login_exec_t:s0* > > */bin/sh system_u:object_r:bin_t:s0 -> > > system_u:object_r:shell_exec_t:s0* > > */sbin/agetty system_u:object_r:getty_exec_t:s0* > > */sbin/init system_u:object_r:bin_t:s0 -> > > system_u:object_r:init_exec_t:s0* > > */usr/sbin/sshd system_u:object_r:sshd_exec_t:s0* > > */lib/libc.so.6 system_u:object_r:lib_t:s0 -> > > system_u:object_r:lib_t:s0* > > */lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> > > system_u:object_r:ld_so_t:s0* > > > > *Also I am using ssh session for login.* > > > > *Please let me know how to change id command context to unconfined_u or > > Sysadm_u.* > > > > Thanks in advance > > Aman > > not sure and shot in dark, but: > > root is assoc. with sysadm_u. sysadm_u is only authorized to use sysadm_r. > if you have the boolean ssh_priv_login set to off then > sysadm_u:sysadm_r:sysadm_t:s0 is inaccessible > pam_selinux attempts to use any other contexts that are accessible, and it > appears that system_u:system_r:unconfined_t was it. > > Do you have the ssh_priv_login boolean set to off? `getsebool -a | grep > ssh` > > > > > On Mon, Nov 27, 2017 at 9:29 PM, Stephen Smalley <sds@tycho.nsa.gov> > wrote: > > > > > On Fri, 2017-11-24 at 10:47 +0530, Aman Sharma wrote: > > > > > > > > > > > > Hi All, > > > > > > > > Currently Working on Cent OS 7.3 and login as a root User and my Id > > > > command output is : > > > > > > > > id > > > > uid=0(root) gid=0(root) groups=0(root) > > > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023 > > > > > > > > I want to change System_u:system_r:unconfined_t to sysadm_u:sysadm_r > > > > or unconfined_u:unconfined_r. > > > > > > > > Also showing the output of following command : > > > > > > > > semanage user -l > > > > > > > > Labeling MLS/ MLS/ > > > > SELinux User Prefix MCS Level MCS Range > > > > SELinux Roles > > > > > > > > admin_u user s0 s0-s0:c0.c1023 > > > > sysadm_r system_r > > > > guest_u user s0 s0 > > > > guest_r > > > > root user s0 s0-s0:c0.c1023 > > > > staff_r sysadm_r > > > > specialuser_u user s0 s0 > > > > sysadm_r system_r > > > > staff_u user s0 s0-s0:c0.c1023 > > > > staff_r sysadm_r system_r > > > > sysadm_u user s0 s0-s0:c0.c1023 > > > > sysadm_r > > > > system_u user s0 s0-s0:c0.c1023 > > > > system_r > > > > unconfined_u user s0 s0-s0:c0.c1023 > > > > system_r unconfined_r > > > > user_u user s0 s0 > > > > user_r > > > > xguest_u user s0 s0 > > > > xguest_r > > > > > > > > > > > > semanage login -l > > > > > > > > Login Name SELinux User MLS/MCS Range > > > > Service > > > > > > > > __default__ sysadm_u s0-s0:c0.c1023 * > > > > ccmservice specialuser_u s0 * > > > > cucm admin_u s0-s0:c0.c1023 * > > > > drfkeys specialuser_u s0 * > > > > drfuser specialuser_u s0 * > > > > informix specialuser_u s0 * > > > > pwrecovery specialuser_u s0 * > > > > root sysadm_u s0-s0:c0.c1023 * > > > > sftpuser specialuser_u s0 * > > > > system_u sysadm_u s0-s0:c0.c1023 * > > > > > > > > > > > > Can anybody Please help me. > > > > > > What is your sestatus -v output? How are you logging in (console, gdm, > > > ssh, ...)? > > > > > > You don't appear to be running the default policy, or if you are, > > > someone has heavily customized your user and login mappings. > > > > > > > > > > > > > > > -- > > > > Thanks > > Aman > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > -- > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > Dominick Grift > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 8635 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-29 8:51 ` Aman Sharma @ 2017-11-29 9:11 ` Dominick Grift 0 siblings, 0 replies; 43+ messages in thread From: Dominick Grift @ 2017-11-29 9:11 UTC (permalink / raw) To: selinux [-- Attachment #1: Type: text/plain, Size: 6554 bytes --] On Wed, Nov 29, 2017 at 02:21:46PM +0530, Aman Sharma wrote: > Hi , > > Check the output for the same. > > * getsebool -a | grep ssh* > fenced_can_ssh --> off > selinuxuser_use_ssh_chroot --> on > ssh_chroot_rw_homedirs --> off > ssh_keysign --> off > ssh_sysadm_login --> on Thanks. That means I was wrong. > > > On Wed, Nov 29, 2017 at 1:52 PM, Dominick Grift <dac.override@gmail.com> > wrote: > > > On Wed, Nov 29, 2017 at 09:33:31AM +0530, Aman Sharma wrote: > > > Hi Stephen, > > > > > > Below is the output of command : > > > > > > * sestatus -v output* > > > *SELinux status: enabled* > > > *SELinuxfs mount: /sys/fs/selinux* > > > *SELinux root directory: /etc/selinux* > > > *Loaded policy name: targeted* > > > *Current mode: enforcing* > > > *Mode from config file: permissive* > > > *Policy MLS status: enabled* > > > *Policy deny_unknown status: allowed* > > > *Max kernel policy version: 28* > > > > > > *Process contexts:* > > > *Current context: > > > system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > > *Init context: system_u:system_r:init_t:s0* > > > */usr/sbin/sshd system_u:system_r:sshd_t:s0- > > s0:c0.c1023* > > > > > > *File contexts:* > > > *Controlling terminal: system_u:object_r:sshd_devpts_t:s0* > > > */etc/passwd system_u:object_r:passwd_file_t:s0* > > > */etc/shadow system_u:object_r:shadow_t:s0* > > > */bin/bash system_u:object_r:shell_exec_t:s0* > > > */bin/login system_u:object_r:login_exec_t:s0* > > > */bin/sh system_u:object_r:bin_t:s0 -> > > > system_u:object_r:shell_exec_t:s0* > > > */sbin/agetty system_u:object_r:getty_exec_t:s0* > > > */sbin/init system_u:object_r:bin_t:s0 -> > > > system_u:object_r:init_exec_t:s0* > > > */usr/sbin/sshd system_u:object_r:sshd_exec_t:s0* > > > */lib/libc.so.6 system_u:object_r:lib_t:s0 -> > > > system_u:object_r:lib_t:s0* > > > */lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> > > > system_u:object_r:ld_so_t:s0* > > > > > > *Also I am using ssh session for login.* > > > > > > *Please let me know how to change id command context to unconfined_u or > > > Sysadm_u.* > > > > > > Thanks in advance > > > Aman > > > > not sure and shot in dark, but: > > > > root is assoc. with sysadm_u. sysadm_u is only authorized to use sysadm_r. > > if you have the boolean ssh_priv_login set to off then > > sysadm_u:sysadm_r:sysadm_t:s0 is inaccessible > > pam_selinux attempts to use any other contexts that are accessible, and it > > appears that system_u:system_r:unconfined_t was it. > > > > Do you have the ssh_priv_login boolean set to off? `getsebool -a | grep > > ssh` > > > > > > > > On Mon, Nov 27, 2017 at 9:29 PM, Stephen Smalley <sds@tycho.nsa.gov> > > wrote: > > > > > > > On Fri, 2017-11-24 at 10:47 +0530, Aman Sharma wrote: > > > > > > > > > > > > > > > Hi All, > > > > > > > > > > Currently Working on Cent OS 7.3 and login as a root User and my Id > > > > > command output is : > > > > > > > > > > id > > > > > uid=0(root) gid=0(root) groups=0(root) > > > > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023 > > > > > > > > > > I want to change System_u:system_r:unconfined_t to sysadm_u:sysadm_r > > > > > or unconfined_u:unconfined_r. > > > > > > > > > > Also showing the output of following command : > > > > > > > > > > semanage user -l > > > > > > > > > > Labeling MLS/ MLS/ > > > > > SELinux User Prefix MCS Level MCS Range > > > > > SELinux Roles > > > > > > > > > > admin_u user s0 s0-s0:c0.c1023 > > > > > sysadm_r system_r > > > > > guest_u user s0 s0 > > > > > guest_r > > > > > root user s0 s0-s0:c0.c1023 > > > > > staff_r sysadm_r > > > > > specialuser_u user s0 s0 > > > > > sysadm_r system_r > > > > > staff_u user s0 s0-s0:c0.c1023 > > > > > staff_r sysadm_r system_r > > > > > sysadm_u user s0 s0-s0:c0.c1023 > > > > > sysadm_r > > > > > system_u user s0 s0-s0:c0.c1023 > > > > > system_r > > > > > unconfined_u user s0 s0-s0:c0.c1023 > > > > > system_r unconfined_r > > > > > user_u user s0 s0 > > > > > user_r > > > > > xguest_u user s0 s0 > > > > > xguest_r > > > > > > > > > > > > > > > semanage login -l > > > > > > > > > > Login Name SELinux User MLS/MCS Range > > > > > Service > > > > > > > > > > __default__ sysadm_u s0-s0:c0.c1023 * > > > > > ccmservice specialuser_u s0 * > > > > > cucm admin_u s0-s0:c0.c1023 * > > > > > drfkeys specialuser_u s0 * > > > > > drfuser specialuser_u s0 * > > > > > informix specialuser_u s0 * > > > > > pwrecovery specialuser_u s0 * > > > > > root sysadm_u s0-s0:c0.c1023 * > > > > > sftpuser specialuser_u s0 * > > > > > system_u sysadm_u s0-s0:c0.c1023 * > > > > > > > > > > > > > > > Can anybody Please help me. > > > > > > > > What is your sestatus -v output? How are you logging in (console, gdm, > > > > ssh, ...)? > > > > > > > > You don't appear to be running the default policy, or if you are, > > > > someone has heavily customized your user and login mappings. > > > > > > > > > > > > > > > > > > > > > -- > > > > > > Thanks > > > Aman > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > -- > > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > > Dominick Grift > > > > > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 659 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-29 4:03 ` Aman Sharma 2017-11-29 8:22 ` Dominick Grift @ 2017-11-29 13:51 ` Stephen Smalley 2017-11-29 14:41 ` Aman Sharma 1 sibling, 1 reply; 43+ messages in thread From: Stephen Smalley @ 2017-11-29 13:51 UTC (permalink / raw) To: Aman Sharma; +Cc: SELinux On Wed, 2017-11-29 at 09:33 +0530, Aman Sharma wrote: > Hi Stephen, > > Below is the output of command : > > sestatus -v output > SELinux status: enabled > SELinuxfs mount: /sys/fs/selinux > SELinux root directory: /etc/selinux > Loaded policy name: targeted > Current mode: enforcing > Mode from config file: permissive > Policy MLS status: enabled > Policy deny_unknown status: allowed > Max kernel policy version: 28 > > Process contexts: > Current context: system_u:system_r:unconfined_t:s0- > s0:c0.c1023 > Init context: system_u:system_r:init_t:s0 > /usr/sbin/sshd system_u:system_r:sshd_t:s0- > s0:c0.c1023 > > File contexts: > Controlling terminal: system_u:object_r:sshd_devpts_t:s0 > /etc/passwd system_u:object_r:passwd_file_t:s0 > /etc/shadow system_u:object_r:shadow_t:s0 > /bin/bash system_u:object_r:shell_exec_t:s0 > /bin/login system_u:object_r:login_exec_t:s0 > /bin/sh system_u:object_r:bin_t:s0 -> > system_u:object_r:shell_exec_t:s0 > /sbin/agetty system_u:object_r:getty_exec_t:s0 > /sbin/init system_u:object_r:bin_t:s0 -> > system_u:object_r:init_exec_t:s0 > /usr/sbin/sshd system_u:object_r:sshd_exec_t:s0 > /lib/libc.so.6 system_u:object_r:lib_t:s0 -> > system_u:object_r:lib_t:s0 > /lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> > system_u:object_r:ld_so_t:s0 > > Also I am using ssh session for login. > > Please let me know how to change id command context to unconfined_u > or Sysadm_u. So from your earlier message, it is clear that you (or someone else) has heavily customized your semanage login and user mappings from the stock targeted policy. The question is why, and whether you want/need to retain any of those customizations. If not, then you could just delete all local customizations (via semanage or manually) and revert to a stock policy. If you do need to retain some of those customizations, then please show your current semanage login -l and semanage user -l output since you said you ran some further semanage commands after the last output you showed. ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-29 13:51 ` Stephen Smalley @ 2017-11-29 14:41 ` Aman Sharma 2017-11-29 14:47 ` Stephen Smalley 0 siblings, 1 reply; 43+ messages in thread From: Aman Sharma @ 2017-11-29 14:41 UTC (permalink / raw) To: Stephen Smalley; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 4507 bytes --] Hi Stephen, Thanks for the reply. Can you please let me know how to delete all local customizations (via semanage or manually) and revert to a default policy. Otherwise the output of semanage login -l and semanage user -l : *semanage user -l* * Labeling MLS/ MLS/ * *SELinux User Prefix MCS Level MCS Range SELinux Roles* *admin_u user s0 s0-s0:c0.c1023 sysadm_r system_r* *guest_u user s0 s0 guest_r* *root user s0 s0-s0:c0.c1023 staff_r sysadm_r* *specialuser_u user s0 s0 sysadm_r system_r* *staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r* *sysadm_u user s0 s0-s0:c0.c1023 sysadm_r* *system_u user s0 s0-s0:c0.c1023 system_r* *unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r* *user_u user s0 s0 user_r* *xguest_u user s0 s0 xguest_r* * semanage login -l* *Login Name SELinux User MLS/MCS Range Service* *__default__ sysadm_u s0-s0:c0.c1023 ** *ccmservice specialuser_u s0 ** *cucm admin_u s0-s0:c0.c1023 ** *drfkeys specialuser_u s0 ** *drfuser specialuser_u s0 ** *informix specialuser_u s0 ** *pwrecovery specialuser_u s0 ** *root sysadm_u s0-s0:c0.c1023 ** *sftpuser specialuser_u s0 ** *system_u sysadm_u s0-s0:c0.c1023 ** *Please let me know if any comments are there.* *Thanks* *Aman* On Wed, Nov 29, 2017 at 7:21 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Wed, 2017-11-29 at 09:33 +0530, Aman Sharma wrote: > > Hi Stephen, > > > > Below is the output of command : > > > > sestatus -v output > > SELinux status: enabled > > SELinuxfs mount: /sys/fs/selinux > > SELinux root directory: /etc/selinux > > Loaded policy name: targeted > > Current mode: enforcing > > Mode from config file: permissive > > Policy MLS status: enabled > > Policy deny_unknown status: allowed > > Max kernel policy version: 28 > > > > Process contexts: > > Current context: system_u:system_r:unconfined_t:s0- > > s0:c0.c1023 > > Init context: system_u:system_r:init_t:s0 > > /usr/sbin/sshd system_u:system_r:sshd_t:s0- > > s0:c0.c1023 > > > > File contexts: > > Controlling terminal: system_u:object_r:sshd_devpts_t:s0 > > /etc/passwd system_u:object_r:passwd_file_t:s0 > > /etc/shadow system_u:object_r:shadow_t:s0 > > /bin/bash system_u:object_r:shell_exec_t:s0 > > /bin/login system_u:object_r:login_exec_t:s0 > > /bin/sh system_u:object_r:bin_t:s0 -> > > system_u:object_r:shell_exec_t:s0 > > /sbin/agetty system_u:object_r:getty_exec_t:s0 > > /sbin/init system_u:object_r:bin_t:s0 -> > > system_u:object_r:init_exec_t:s0 > > /usr/sbin/sshd system_u:object_r:sshd_exec_t:s0 > > /lib/libc.so.6 system_u:object_r:lib_t:s0 -> > > system_u:object_r:lib_t:s0 > > /lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> > > system_u:object_r:ld_so_t:s0 > > > > Also I am using ssh session for login. > > > > Please let me know how to change id command context to unconfined_u > > or Sysadm_u. > > So from your earlier message, it is clear that you (or someone else) > has heavily customized your semanage login and user mappings from the > stock targeted policy. The question is why, and whether you want/need > to retain any of those customizations. If not, then you could just > delete all local customizations (via semanage or manually) and revert > to a stock policy. > > If you do need to retain some of those customizations, then please show > your current semanage login -l and semanage user -l output since you > said you ran some further semanage commands after the last output you > showed. > > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 7436 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-29 14:41 ` Aman Sharma @ 2017-11-29 14:47 ` Stephen Smalley 2017-11-29 15:17 ` Aman Sharma 0 siblings, 1 reply; 43+ messages in thread From: Stephen Smalley @ 2017-11-29 14:47 UTC (permalink / raw) To: Aman Sharma; +Cc: SELinux On Wed, 2017-11-29 at 20:11 +0530, Aman Sharma wrote: > Hi Stephen, > > Thanks for the reply. > > Can you please let me know how to delete all local customizations > (via semanage or manually) and revert > to a default policy. First, save any local customizations in case you want to restore them later: semanage export > localchanges Then, delete them: semanage login -D semanage user -D Then logout and log back in. > > Otherwise the output of semanage login -l and semanage user -l : > > semanage user -l > > Labeling MLS/ MLS/ > SELinux User Prefix MCS Level MCS Range > SELinux Roles > > admin_u user s0 s0-s0:c0.c1023 > sysadm_r system_r > guest_u user s0 s0 > guest_r > root user s0 s0-s0:c0.c1023 > staff_r sysadm_r > specialuser_u user s0 s0 > sysadm_r system_r > staff_u user s0 s0-s0:c0.c1023 > staff_r sysadm_r system_r > sysadm_u user s0 s0-s0:c0.c1023 > sysadm_r > system_u user s0 s0-s0:c0.c1023 > system_r > unconfined_u user s0 s0-s0:c0.c1023 > system_r unconfined_r > user_u user s0 s0 > user_r > xguest_u user s0 s0 > xguest_r > > > semanage login -l > > Login Name SELinux User MLS/MCS Range > Service > > __default__ sysadm_u s0-s0:c0.c1023 * > ccmservice specialuser_u s0 * > cucm admin_u s0-s0:c0.c1023 * > drfkeys specialuser_u s0 * > drfuser specialuser_u s0 * > informix specialuser_u s0 * > pwrecovery specialuser_u s0 * > root sysadm_u s0-s0:c0.c1023 * > sftpuser specialuser_u s0 * > system_u sysadm_u s0-s0:c0.c1023 * > > Please let me know if any comments are there. > > Thanks > Aman > > On Wed, Nov 29, 2017 at 7:21 PM, Stephen Smalley <sds@tycho.nsa.gov> > wrote: > > On Wed, 2017-11-29 at 09:33 +0530, Aman Sharma wrote: > > > Hi Stephen, > > > > > > Below is the output of command : > > > > > > sestatus -v output > > > SELinux status: enabled > > > SELinuxfs mount: /sys/fs/selinux > > > SELinux root directory: /etc/selinux > > > Loaded policy name: targeted > > > Current mode: enforcing > > > Mode from config file: permissive > > > Policy MLS status: enabled > > > Policy deny_unknown status: allowed > > > Max kernel policy version: 28 > > > > > > Process contexts: > > > Current context: > > system_u:system_r:unconfined_t:s0- > > > s0:c0.c1023 > > > Init context: system_u:system_r:init_t:s0 > > > /usr/sbin/sshd system_u:system_r:sshd_t:s0- > > > s0:c0.c1023 > > > > > > File contexts: > > > Controlling terminal: > > system_u:object_r:sshd_devpts_t:s0 > > > /etc/passwd > > system_u:object_r:passwd_file_t:s0 > > > /etc/shadow system_u:object_r:shadow_t:s0 > > > /bin/bash system_u:object_r:shell_exec_t:s0 > > > /bin/login system_u:object_r:login_exec_t:s0 > > > /bin/sh system_u:object_r:bin_t:s0 -> > > > system_u:object_r:shell_exec_t:s0 > > > /sbin/agetty system_u:object_r:getty_exec_t:s0 > > > /sbin/init system_u:object_r:bin_t:s0 -> > > > system_u:object_r:init_exec_t:s0 > > > /usr/sbin/sshd system_u:object_r:sshd_exec_t:s0 > > > /lib/libc.so.6 system_u:object_r:lib_t:s0 -> > > > system_u:object_r:lib_t:s0 > > > /lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> > > > system_u:object_r:ld_so_t:s0 > > > > > > Also I am using ssh session for login. > > > > > > Please let me know how to change id command context to > > unconfined_u > > > or Sysadm_u. > > > > So from your earlier message, it is clear that you (or someone > > else) > > has heavily customized your semanage login and user mappings from > > the > > stock targeted policy. The question is why, and whether you > > want/need > > to retain any of those customizations. If not, then you could just > > delete all local customizations (via semanage or manually) and > > revert > > to a stock policy. > > > > If you do need to retain some of those customizations, then please > > show > > your current semanage login -l and semanage user -l output since > > you > > said you ran some further semanage commands after the last output > > you > > showed. > > > > > > > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-29 14:47 ` Stephen Smalley @ 2017-11-29 15:17 ` Aman Sharma 2017-11-29 15:29 ` Simon Sekidde 2017-11-29 15:40 ` Fwd: " Stephen Smalley 0 siblings, 2 replies; 43+ messages in thread From: Aman Sharma @ 2017-11-29 15:17 UTC (permalink / raw) To: Stephen Smalley; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 6863 bytes --] Hi Stephen, I tried all the three command i.e. semanage export > localchanges semanage login -D semanage user -D Then I reboot the system and after reboot , still its showing the root User as Same id context i.e. *id* *uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* * id -Z* *system_u:system_r:unconfined_t:s0-s0:c0.c1023* Also check the below output : *semanage user -l* * Labeling MLS/ MLS/ * *SELinux User Prefix MCS Level MCS Range SELinux Roles* *guest_u user s0 s0 guest_r* *root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r* *staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r* *sysadm_u user s0 s0-s0:c0.c1023 sysadm_r* *system_u user s0 s0-s0:c0.c1023 system_r unconfined_r* *unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r* *user_u user s0 s0 user_r* *xguest_u user s0 s0 xguest_r* *[root@cucm ~]# semanage login -l* *Login Name SELinux User MLS/MCS Range Service* *__default__ unconfined_u s0-s0:c0.c1023 ** *root unconfined_u s0-s0:c0.c1023 ** *system_u system_u s0-s0:c0.c1023 ** *Please let me know your comments on this.* *Thanks* *Aman* On Wed, Nov 29, 2017 at 8:17 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Wed, 2017-11-29 at 20:11 +0530, Aman Sharma wrote: > > Hi Stephen, > > > > Thanks for the reply. > > > > Can you please let me know how to delete all local customizations > > (via semanage or manually) and revert > > to a default policy. > > First, save any local customizations in case you want to restore them > later: > semanage export > localchanges > > Then, delete them: > semanage login -D > semanage user -D > > Then logout and log back in. > > > > > Otherwise the output of semanage login -l and semanage user -l : > > > > semanage user -l > > > > Labeling MLS/ MLS/ > > SELinux User Prefix MCS Level MCS Range > > SELinux Roles > > > > admin_u user s0 s0-s0:c0.c1023 > > sysadm_r system_r > > guest_u user s0 s0 > > guest_r > > root user s0 s0-s0:c0.c1023 > > staff_r sysadm_r > > specialuser_u user s0 s0 > > sysadm_r system_r > > staff_u user s0 s0-s0:c0.c1023 > > staff_r sysadm_r system_r > > sysadm_u user s0 s0-s0:c0.c1023 > > sysadm_r > > system_u user s0 s0-s0:c0.c1023 > > system_r > > unconfined_u user s0 s0-s0:c0.c1023 > > system_r unconfined_r > > user_u user s0 s0 > > user_r > > xguest_u user s0 s0 > > xguest_r > > > > > > semanage login -l > > > > Login Name SELinux User MLS/MCS Range > > Service > > > > __default__ sysadm_u s0-s0:c0.c1023 * > > ccmservice specialuser_u s0 * > > cucm admin_u s0-s0:c0.c1023 * > > drfkeys specialuser_u s0 * > > drfuser specialuser_u s0 * > > informix specialuser_u s0 * > > pwrecovery specialuser_u s0 * > > root sysadm_u s0-s0:c0.c1023 * > > sftpuser specialuser_u s0 * > > system_u sysadm_u s0-s0:c0.c1023 * > > > > Please let me know if any comments are there. > > > > Thanks > > Aman > > > > On Wed, Nov 29, 2017 at 7:21 PM, Stephen Smalley <sds@tycho.nsa.gov> > > wrote: > > > On Wed, 2017-11-29 at 09:33 +0530, Aman Sharma wrote: > > > > Hi Stephen, > > > > > > > > Below is the output of command : > > > > > > > > sestatus -v output > > > > SELinux status: enabled > > > > SELinuxfs mount: /sys/fs/selinux > > > > SELinux root directory: /etc/selinux > > > > Loaded policy name: targeted > > > > Current mode: enforcing > > > > Mode from config file: permissive > > > > Policy MLS status: enabled > > > > Policy deny_unknown status: allowed > > > > Max kernel policy version: 28 > > > > > > > > Process contexts: > > > > Current context: > > > system_u:system_r:unconfined_t:s0- > > > > s0:c0.c1023 > > > > Init context: system_u:system_r:init_t:s0 > > > > /usr/sbin/sshd system_u:system_r:sshd_t:s0- > > > > s0:c0.c1023 > > > > > > > > File contexts: > > > > Controlling terminal: > > > system_u:object_r:sshd_devpts_t:s0 > > > > /etc/passwd > > > system_u:object_r:passwd_file_t:s0 > > > > /etc/shadow system_u:object_r:shadow_t:s0 > > > > /bin/bash system_u:object_r:shell_exec_t:s0 > > > > /bin/login system_u:object_r:login_exec_t:s0 > > > > /bin/sh system_u:object_r:bin_t:s0 -> > > > > system_u:object_r:shell_exec_t:s0 > > > > /sbin/agetty system_u:object_r:getty_exec_t:s0 > > > > /sbin/init system_u:object_r:bin_t:s0 -> > > > > system_u:object_r:init_exec_t:s0 > > > > /usr/sbin/sshd system_u:object_r:sshd_exec_t:s0 > > > > /lib/libc.so.6 system_u:object_r:lib_t:s0 -> > > > > system_u:object_r:lib_t:s0 > > > > /lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> > > > > system_u:object_r:ld_so_t:s0 > > > > > > > > Also I am using ssh session for login. > > > > > > > > Please let me know how to change id command context to > > > unconfined_u > > > > or Sysadm_u. > > > > > > So from your earlier message, it is clear that you (or someone > > > else) > > > has heavily customized your semanage login and user mappings from > > > the > > > stock targeted policy. The question is why, and whether you > > > want/need > > > to retain any of those customizations. If not, then you could just > > > delete all local customizations (via semanage or manually) and > > > revert > > > to a stock policy. > > > > > > If you do need to retain some of those customizations, then please > > > show > > > your current semanage login -l and semanage user -l output since > > > you > > > said you ran some further semanage commands after the last output > > > you > > > showed. > > > > > > > > > > > > > > -- > > > > Thanks > > Aman > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 11161 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-11-29 15:17 ` Aman Sharma @ 2017-11-29 15:29 ` Simon Sekidde 2017-11-29 15:34 ` Aman Sharma 2017-11-29 15:40 ` Fwd: " Stephen Smalley 1 sibling, 1 reply; 43+ messages in thread From: Simon Sekidde @ 2017-11-29 15:29 UTC (permalink / raw) To: Aman Sharma; +Cc: Stephen Smalley, SELinux Aman, ----- Original Message ----- > From: "Aman Sharma" <amansh.sharma5@gmail.com> > To: "Stephen Smalley" <sds@tycho.nsa.gov> > Cc: "SELinux" <selinux@tycho.nsa.gov> > Sent: Wednesday, November 29, 2017 10:17:19 AM > Subject: Re: Fwd: Qwery regarding Selinux Change Id context > > Hi Stephen, > > I tried all the three command i.e. > semanage export > localchanges > > semanage login -D > semanage user -D > > Then I reboot the system and after reboot , still its showing the root User > as Same id context i.e. > > *id* > *uid=0(root) gid=0(root) groups=0(root) > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > * id -Z* > *system_u:system_r:unconfined_t:s0-s0:c0.c1023* > Are you using a 3rd party ssh client? > > Also check the below output : > *semanage user -l* > > * Labeling MLS/ MLS/ * > *SELinux User Prefix MCS Level MCS Range > SELinux Roles* > > *guest_u user s0 s0 > guest_r* > *root user s0 s0-s0:c0.c1023 > staff_r sysadm_r system_r unconfined_r* > *staff_u user s0 s0-s0:c0.c1023 > staff_r sysadm_r system_r unconfined_r* > *sysadm_u user s0 s0-s0:c0.c1023 > sysadm_r* > *system_u user s0 s0-s0:c0.c1023 > system_r unconfined_r* > *unconfined_u user s0 s0-s0:c0.c1023 > system_r unconfined_r* > *user_u user s0 s0 > user_r* > *xguest_u user s0 s0 > xguest_r* > *[root@cucm ~]# semanage login -l* > > *Login Name SELinux User MLS/MCS Range Service* > > *__default__ unconfined_u s0-s0:c0.c1023 ** > *root unconfined_u s0-s0:c0.c1023 ** > *system_u system_u s0-s0:c0.c1023 ** > > *Please let me know your comments on this.* > > *Thanks* > *Aman* > > On Wed, Nov 29, 2017 at 8:17 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > > > On Wed, 2017-11-29 at 20:11 +0530, Aman Sharma wrote: > > > Hi Stephen, > > > > > > Thanks for the reply. > > > > > > Can you please let me know how to delete all local customizations > > > (via semanage or manually) and revert > > > to a default policy. > > > > First, save any local customizations in case you want to restore them > > later: > > semanage export > localchanges > > > > Then, delete them: > > semanage login -D > > semanage user -D > > > > Then logout and log back in. > > > > > > > > Otherwise the output of semanage login -l and semanage user -l : > > > > > > semanage user -l > > > > > > Labeling MLS/ MLS/ > > > SELinux User Prefix MCS Level MCS Range > > > SELinux Roles > > > > > > admin_u user s0 s0-s0:c0.c1023 > > > sysadm_r system_r > > > guest_u user s0 s0 > > > guest_r > > > root user s0 s0-s0:c0.c1023 > > > staff_r sysadm_r > > > specialuser_u user s0 s0 > > > sysadm_r system_r > > > staff_u user s0 s0-s0:c0.c1023 > > > staff_r sysadm_r system_r > > > sysadm_u user s0 s0-s0:c0.c1023 > > > sysadm_r > > > system_u user s0 s0-s0:c0.c1023 > > > system_r > > > unconfined_u user s0 s0-s0:c0.c1023 > > > system_r unconfined_r > > > user_u user s0 s0 > > > user_r > > > xguest_u user s0 s0 > > > xguest_r > > > > > > > > > semanage login -l > > > > > > Login Name SELinux User MLS/MCS Range > > > Service > > > > > > __default__ sysadm_u s0-s0:c0.c1023 * > > > ccmservice specialuser_u s0 * > > > cucm admin_u s0-s0:c0.c1023 * > > > drfkeys specialuser_u s0 * > > > drfuser specialuser_u s0 * > > > informix specialuser_u s0 * > > > pwrecovery specialuser_u s0 * > > > root sysadm_u s0-s0:c0.c1023 * > > > sftpuser specialuser_u s0 * > > > system_u sysadm_u s0-s0:c0.c1023 * > > > > > > Please let me know if any comments are there. > > > > > > Thanks > > > Aman > > > > > > On Wed, Nov 29, 2017 at 7:21 PM, Stephen Smalley <sds@tycho.nsa.gov> > > > wrote: > > > > On Wed, 2017-11-29 at 09:33 +0530, Aman Sharma wrote: > > > > > Hi Stephen, > > > > > > > > > > Below is the output of command : > > > > > > > > > > sestatus -v output > > > > > SELinux status: enabled > > > > > SELinuxfs mount: /sys/fs/selinux > > > > > SELinux root directory: /etc/selinux > > > > > Loaded policy name: targeted > > > > > Current mode: enforcing > > > > > Mode from config file: permissive > > > > > Policy MLS status: enabled > > > > > Policy deny_unknown status: allowed > > > > > Max kernel policy version: 28 > > > > > > > > > > Process contexts: > > > > > Current context: > > > > system_u:system_r:unconfined_t:s0- > > > > > s0:c0.c1023 > > > > > Init context: system_u:system_r:init_t:s0 > > > > > /usr/sbin/sshd system_u:system_r:sshd_t:s0- > > > > > s0:c0.c1023 > > > > > > > > > > File contexts: > > > > > Controlling terminal: > > > > system_u:object_r:sshd_devpts_t:s0 > > > > > /etc/passwd > > > > system_u:object_r:passwd_file_t:s0 > > > > > /etc/shadow system_u:object_r:shadow_t:s0 > > > > > /bin/bash system_u:object_r:shell_exec_t:s0 > > > > > /bin/login system_u:object_r:login_exec_t:s0 > > > > > /bin/sh system_u:object_r:bin_t:s0 -> > > > > > system_u:object_r:shell_exec_t:s0 > > > > > /sbin/agetty system_u:object_r:getty_exec_t:s0 > > > > > /sbin/init system_u:object_r:bin_t:s0 -> > > > > > system_u:object_r:init_exec_t:s0 > > > > > /usr/sbin/sshd system_u:object_r:sshd_exec_t:s0 > > > > > /lib/libc.so.6 system_u:object_r:lib_t:s0 -> > > > > > system_u:object_r:lib_t:s0 > > > > > /lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> > > > > > system_u:object_r:ld_so_t:s0 > > > > > > > > > > Also I am using ssh session for login. > > > > > > > > > > Please let me know how to change id command context to > > > > unconfined_u > > > > > or Sysadm_u. > > > > > > > > So from your earlier message, it is clear that you (or someone > > > > else) > > > > has heavily customized your semanage login and user mappings from > > > > the > > > > stock targeted policy. The question is why, and whether you > > > > want/need > > > > to retain any of those customizations. If not, then you could just > > > > delete all local customizations (via semanage or manually) and > > > > revert > > > > to a stock policy. > > > > > > > > If you do need to retain some of those customizations, then please > > > > show > > > > your current semanage login -l and semanage user -l output since > > > > you > > > > said you ran some further semanage commands after the last output > > > > you > > > > showed. > > > > > > > > > > > > > > > > > > > > -- > > > > > > Thanks > > > Aman > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > -- Simon Sekidde gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-11-29 15:29 ` Simon Sekidde @ 2017-11-29 15:34 ` Aman Sharma 2017-11-29 15:36 ` Aman Sharma 0 siblings, 1 reply; 43+ messages in thread From: Aman Sharma @ 2017-11-29 15:34 UTC (permalink / raw) To: Simon Sekidde; +Cc: Stephen Smalley, SELinux [-- Attachment #1: Type: text/plain, Size: 8372 bytes --] No, I am not using 3rd party SSH client. This is normal ssh . On Wed, Nov 29, 2017 at 8:59 PM, Simon Sekidde <ssekidde@redhat.com> wrote: > Aman, > > ----- Original Message ----- > > From: "Aman Sharma" <amansh.sharma5@gmail.com> > > To: "Stephen Smalley" <sds@tycho.nsa.gov> > > Cc: "SELinux" <selinux@tycho.nsa.gov> > > Sent: Wednesday, November 29, 2017 10:17:19 AM > > Subject: Re: Fwd: Qwery regarding Selinux Change Id context > > > > Hi Stephen, > > > > I tried all the three command i.e. > > semanage export > localchanges > > > > semanage login -D > > semanage user -D > > > > Then I reboot the system and after reboot , still its showing the root > User > > as Same id context i.e. > > > > *id* > > *uid=0(root) gid=0(root) groups=0(root) > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > > > * id -Z* > > *system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > > > Are you using a 3rd party ssh client? > > > > > Also check the below output : > > *semanage user -l* > > > > * Labeling MLS/ MLS/ * > > *SELinux User Prefix MCS Level MCS Range > > SELinux Roles* > > > > *guest_u user s0 s0 > > guest_r* > > *root user s0 s0-s0:c0.c1023 > > staff_r sysadm_r system_r unconfined_r* > > *staff_u user s0 s0-s0:c0.c1023 > > staff_r sysadm_r system_r unconfined_r* > > *sysadm_u user s0 s0-s0:c0.c1023 > > sysadm_r* > > *system_u user s0 s0-s0:c0.c1023 > > system_r unconfined_r* > > *unconfined_u user s0 s0-s0:c0.c1023 > > system_r unconfined_r* > > *user_u user s0 s0 > > user_r* > > *xguest_u user s0 s0 > > xguest_r* > > *[root@cucm ~]# semanage login -l* > > > > *Login Name SELinux User MLS/MCS Range Service* > > > > *__default__ unconfined_u s0-s0:c0.c1023 ** > > *root unconfined_u s0-s0:c0.c1023 ** > > *system_u system_u s0-s0:c0.c1023 ** > > > > *Please let me know your comments on this.* > > > > *Thanks* > > *Aman* > > > > On Wed, Nov 29, 2017 at 8:17 PM, Stephen Smalley <sds@tycho.nsa.gov> > wrote: > > > > > On Wed, 2017-11-29 at 20:11 +0530, Aman Sharma wrote: > > > > Hi Stephen, > > > > > > > > Thanks for the reply. > > > > > > > > Can you please let me know how to delete all local customizations > > > > (via semanage or manually) and revert > > > > to a default policy. > > > > > > First, save any local customizations in case you want to restore them > > > later: > > > semanage export > localchanges > > > > > > Then, delete them: > > > semanage login -D > > > semanage user -D > > > > > > Then logout and log back in. > > > > > > > > > > > Otherwise the output of semanage login -l and semanage user -l : > > > > > > > > semanage user -l > > > > > > > > Labeling MLS/ MLS/ > > > > SELinux User Prefix MCS Level MCS Range > > > > SELinux Roles > > > > > > > > admin_u user s0 s0-s0:c0.c1023 > > > > sysadm_r system_r > > > > guest_u user s0 s0 > > > > guest_r > > > > root user s0 s0-s0:c0.c1023 > > > > staff_r sysadm_r > > > > specialuser_u user s0 s0 > > > > sysadm_r system_r > > > > staff_u user s0 s0-s0:c0.c1023 > > > > staff_r sysadm_r system_r > > > > sysadm_u user s0 s0-s0:c0.c1023 > > > > sysadm_r > > > > system_u user s0 s0-s0:c0.c1023 > > > > system_r > > > > unconfined_u user s0 s0-s0:c0.c1023 > > > > system_r unconfined_r > > > > user_u user s0 s0 > > > > user_r > > > > xguest_u user s0 s0 > > > > xguest_r > > > > > > > > > > > > semanage login -l > > > > > > > > Login Name SELinux User MLS/MCS Range > > > > Service > > > > > > > > __default__ sysadm_u s0-s0:c0.c1023 * > > > > ccmservice specialuser_u s0 * > > > > cucm admin_u s0-s0:c0.c1023 * > > > > drfkeys specialuser_u s0 * > > > > drfuser specialuser_u s0 * > > > > informix specialuser_u s0 * > > > > pwrecovery specialuser_u s0 * > > > > root sysadm_u s0-s0:c0.c1023 * > > > > sftpuser specialuser_u s0 * > > > > system_u sysadm_u s0-s0:c0.c1023 * > > > > > > > > Please let me know if any comments are there. > > > > > > > > Thanks > > > > Aman > > > > > > > > On Wed, Nov 29, 2017 at 7:21 PM, Stephen Smalley <sds@tycho.nsa.gov> > > > > wrote: > > > > > On Wed, 2017-11-29 at 09:33 +0530, Aman Sharma wrote: > > > > > > Hi Stephen, > > > > > > > > > > > > Below is the output of command : > > > > > > > > > > > > sestatus -v output > > > > > > SELinux status: enabled > > > > > > SELinuxfs mount: /sys/fs/selinux > > > > > > SELinux root directory: /etc/selinux > > > > > > Loaded policy name: targeted > > > > > > Current mode: enforcing > > > > > > Mode from config file: permissive > > > > > > Policy MLS status: enabled > > > > > > Policy deny_unknown status: allowed > > > > > > Max kernel policy version: 28 > > > > > > > > > > > > Process contexts: > > > > > > Current context: > > > > > system_u:system_r:unconfined_t:s0- > > > > > > s0:c0.c1023 > > > > > > Init context: system_u:system_r:init_t:s0 > > > > > > /usr/sbin/sshd system_u:system_r:sshd_t:s0- > > > > > > s0:c0.c1023 > > > > > > > > > > > > File contexts: > > > > > > Controlling terminal: > > > > > system_u:object_r:sshd_devpts_t:s0 > > > > > > /etc/passwd > > > > > system_u:object_r:passwd_file_t:s0 > > > > > > /etc/shadow system_u:object_r:shadow_t:s0 > > > > > > /bin/bash system_u:object_r:shell_exec_ > t:s0 > > > > > > /bin/login system_u:object_r:login_exec_ > t:s0 > > > > > > /bin/sh system_u:object_r:bin_t:s0 -> > > > > > > system_u:object_r:shell_exec_t:s0 > > > > > > /sbin/agetty system_u:object_r:getty_exec_ > t:s0 > > > > > > /sbin/init system_u:object_r:bin_t:s0 -> > > > > > > system_u:object_r:init_exec_t:s0 > > > > > > /usr/sbin/sshd system_u:object_r:sshd_exec_t:s0 > > > > > > /lib/libc.so.6 system_u:object_r:lib_t:s0 -> > > > > > > system_u:object_r:lib_t:s0 > > > > > > /lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> > > > > > > system_u:object_r:ld_so_t:s0 > > > > > > > > > > > > Also I am using ssh session for login. > > > > > > > > > > > > Please let me know how to change id command context to > > > > > unconfined_u > > > > > > or Sysadm_u. > > > > > > > > > > So from your earlier message, it is clear that you (or someone > > > > > else) > > > > > has heavily customized your semanage login and user mappings from > > > > > the > > > > > stock targeted policy. The question is why, and whether you > > > > > want/need > > > > > to retain any of those customizations. If not, then you could just > > > > > delete all local customizations (via semanage or manually) and > > > > > revert > > > > > to a stock policy. > > > > > > > > > > If you do need to retain some of those customizations, then please > > > > > show > > > > > your current semanage login -l and semanage user -l output since > > > > > you > > > > > said you ran some further semanage commands after the last output > > > > > you > > > > > showed. > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > Thanks > > > > Aman > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > > > > > > -- > > > > Thanks > > Aman > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > -- > Simon Sekidde > gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E > > > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 12908 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-11-29 15:34 ` Aman Sharma @ 2017-11-29 15:36 ` Aman Sharma 0 siblings, 0 replies; 43+ messages in thread From: Aman Sharma @ 2017-11-29 15:36 UTC (permalink / raw) To: Simon Sekidde; +Cc: Stephen Smalley, SELinux [-- Attachment #1: Type: text/plain, Size: 8912 bytes --] Actually I am using Cent OS version 7.3. i.e cat /etc/centos-release CentOS Linux release 7.3.1611 (Core) On Wed, Nov 29, 2017 at 9:04 PM, Aman Sharma <amansh.sharma5@gmail.com> wrote: > No, I am not using 3rd party SSH client. This is normal ssh . > > On Wed, Nov 29, 2017 at 8:59 PM, Simon Sekidde <ssekidde@redhat.com> > wrote: > >> Aman, >> >> ----- Original Message ----- >> > From: "Aman Sharma" <amansh.sharma5@gmail.com> >> > To: "Stephen Smalley" <sds@tycho.nsa.gov> >> > Cc: "SELinux" <selinux@tycho.nsa.gov> >> > Sent: Wednesday, November 29, 2017 10:17:19 AM >> > Subject: Re: Fwd: Qwery regarding Selinux Change Id context >> > >> > Hi Stephen, >> > >> > I tried all the three command i.e. >> > semanage export > localchanges >> > >> > semanage login -D >> > semanage user -D >> > >> > Then I reboot the system and after reboot , still its showing the root >> User >> > as Same id context i.e. >> > >> > *id* >> > *uid=0(root) gid=0(root) groups=0(root) >> > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* >> > >> > * id -Z* >> > *system_u:system_r:unconfined_t:s0-s0:c0.c1023* >> > >> >> Are you using a 3rd party ssh client? >> >> > >> > Also check the below output : >> > *semanage user -l* >> > >> > * Labeling MLS/ MLS/ * >> > *SELinux User Prefix MCS Level MCS Range >> > SELinux Roles* >> > >> > *guest_u user s0 s0 >> > guest_r* >> > *root user s0 s0-s0:c0.c1023 >> > staff_r sysadm_r system_r unconfined_r* >> > *staff_u user s0 s0-s0:c0.c1023 >> > staff_r sysadm_r system_r unconfined_r* >> > *sysadm_u user s0 s0-s0:c0.c1023 >> > sysadm_r* >> > *system_u user s0 s0-s0:c0.c1023 >> > system_r unconfined_r* >> > *unconfined_u user s0 s0-s0:c0.c1023 >> > system_r unconfined_r* >> > *user_u user s0 s0 >> > user_r* >> > *xguest_u user s0 s0 >> > xguest_r* >> > *[root@cucm ~]# semanage login -l* >> > >> > *Login Name SELinux User MLS/MCS Range Service* >> > >> > *__default__ unconfined_u s0-s0:c0.c1023 ** >> > *root unconfined_u s0-s0:c0.c1023 ** >> > *system_u system_u s0-s0:c0.c1023 ** >> > >> > *Please let me know your comments on this.* >> > >> > *Thanks* >> > *Aman* >> > >> > On Wed, Nov 29, 2017 at 8:17 PM, Stephen Smalley <sds@tycho.nsa.gov> >> wrote: >> > >> > > On Wed, 2017-11-29 at 20:11 +0530, Aman Sharma wrote: >> > > > Hi Stephen, >> > > > >> > > > Thanks for the reply. >> > > > >> > > > Can you please let me know how to delete all local customizations >> > > > (via semanage or manually) and revert >> > > > to a default policy. >> > > >> > > First, save any local customizations in case you want to restore them >> > > later: >> > > semanage export > localchanges >> > > >> > > Then, delete them: >> > > semanage login -D >> > > semanage user -D >> > > >> > > Then logout and log back in. >> > > >> > > > >> > > > Otherwise the output of semanage login -l and semanage user -l : >> > > > >> > > > semanage user -l >> > > > >> > > > Labeling MLS/ MLS/ >> > > > SELinux User Prefix MCS Level MCS Range >> > > > SELinux Roles >> > > > >> > > > admin_u user s0 s0-s0:c0.c1023 >> > > > sysadm_r system_r >> > > > guest_u user s0 s0 >> > > > guest_r >> > > > root user s0 s0-s0:c0.c1023 >> > > > staff_r sysadm_r >> > > > specialuser_u user s0 s0 >> > > > sysadm_r system_r >> > > > staff_u user s0 s0-s0:c0.c1023 >> > > > staff_r sysadm_r system_r >> > > > sysadm_u user s0 s0-s0:c0.c1023 >> > > > sysadm_r >> > > > system_u user s0 s0-s0:c0.c1023 >> > > > system_r >> > > > unconfined_u user s0 s0-s0:c0.c1023 >> > > > system_r unconfined_r >> > > > user_u user s0 s0 >> > > > user_r >> > > > xguest_u user s0 s0 >> > > > xguest_r >> > > > >> > > > >> > > > semanage login -l >> > > > >> > > > Login Name SELinux User MLS/MCS Range >> > > > Service >> > > > >> > > > __default__ sysadm_u s0-s0:c0.c1023 * >> > > > ccmservice specialuser_u s0 * >> > > > cucm admin_u s0-s0:c0.c1023 * >> > > > drfkeys specialuser_u s0 * >> > > > drfuser specialuser_u s0 * >> > > > informix specialuser_u s0 * >> > > > pwrecovery specialuser_u s0 * >> > > > root sysadm_u s0-s0:c0.c1023 * >> > > > sftpuser specialuser_u s0 * >> > > > system_u sysadm_u s0-s0:c0.c1023 * >> > > > >> > > > Please let me know if any comments are there. >> > > > >> > > > Thanks >> > > > Aman >> > > > >> > > > On Wed, Nov 29, 2017 at 7:21 PM, Stephen Smalley <sds@tycho.nsa.gov >> > >> > > > wrote: >> > > > > On Wed, 2017-11-29 at 09:33 +0530, Aman Sharma wrote: >> > > > > > Hi Stephen, >> > > > > > >> > > > > > Below is the output of command : >> > > > > > >> > > > > > sestatus -v output >> > > > > > SELinux status: enabled >> > > > > > SELinuxfs mount: /sys/fs/selinux >> > > > > > SELinux root directory: /etc/selinux >> > > > > > Loaded policy name: targeted >> > > > > > Current mode: enforcing >> > > > > > Mode from config file: permissive >> > > > > > Policy MLS status: enabled >> > > > > > Policy deny_unknown status: allowed >> > > > > > Max kernel policy version: 28 >> > > > > > >> > > > > > Process contexts: >> > > > > > Current context: >> > > > > system_u:system_r:unconfined_t:s0- >> > > > > > s0:c0.c1023 >> > > > > > Init context: system_u:system_r:init_t:s0 >> > > > > > /usr/sbin/sshd system_u:system_r:sshd_t:s0- >> > > > > > s0:c0.c1023 >> > > > > > >> > > > > > File contexts: >> > > > > > Controlling terminal: >> > > > > system_u:object_r:sshd_devpts_t:s0 >> > > > > > /etc/passwd >> > > > > system_u:object_r:passwd_file_t:s0 >> > > > > > /etc/shadow system_u:object_r:shadow_t:s0 >> > > > > > /bin/bash system_u:object_r:shell_exec_ >> t:s0 >> > > > > > /bin/login system_u:object_r:login_exec_t >> :s0 >> > > > > > /bin/sh system_u:object_r:bin_t:s0 -> >> > > > > > system_u:object_r:shell_exec_t:s0 >> > > > > > /sbin/agetty system_u:object_r:getty_exec_t >> :s0 >> > > > > > /sbin/init system_u:object_r:bin_t:s0 -> >> > > > > > system_u:object_r:init_exec_t:s0 >> > > > > > /usr/sbin/sshd system_u:object_r:sshd_exec_t: >> s0 >> > > > > > /lib/libc.so.6 system_u:object_r:lib_t:s0 -> >> > > > > > system_u:object_r:lib_t:s0 >> > > > > > /lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> >> > > > > > system_u:object_r:ld_so_t:s0 >> > > > > > >> > > > > > Also I am using ssh session for login. >> > > > > > >> > > > > > Please let me know how to change id command context to >> > > > > unconfined_u >> > > > > > or Sysadm_u. >> > > > > >> > > > > So from your earlier message, it is clear that you (or someone >> > > > > else) >> > > > > has heavily customized your semanage login and user mappings from >> > > > > the >> > > > > stock targeted policy. The question is why, and whether you >> > > > > want/need >> > > > > to retain any of those customizations. If not, then you could >> just >> > > > > delete all local customizations (via semanage or manually) and >> > > > > revert >> > > > > to a stock policy. >> > > > > >> > > > > If you do need to retain some of those customizations, then please >> > > > > show >> > > > > your current semanage login -l and semanage user -l output since >> > > > > you >> > > > > said you ran some further semanage commands after the last output >> > > > > you >> > > > > showed. >> > > > > >> > > > > >> > > > >> > > > >> > > > >> > > > -- >> > > > >> > > > Thanks >> > > > Aman >> > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com >> > > >> > >> > >> > >> > -- >> > >> > Thanks >> > Aman >> > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com >> > >> >> -- >> Simon Sekidde >> gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E >> >> >> > > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 13958 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-29 15:17 ` Aman Sharma 2017-11-29 15:29 ` Simon Sekidde @ 2017-11-29 15:40 ` Stephen Smalley 2017-11-29 15:56 ` Aman Sharma 1 sibling, 1 reply; 43+ messages in thread From: Stephen Smalley @ 2017-11-29 15:40 UTC (permalink / raw) To: Aman Sharma; +Cc: SELinux On Wed, 2017-11-29 at 20:47 +0530, Aman Sharma wrote: > Hi Stephen, > > I tried all the three command i.e. > semanage export > localchanges > > semanage login -D > semanage user -D > > Then I reboot the system and after reboot , still its showing the > root User as Same id context i.e. > > id > uid=0(root) gid=0(root) groups=0(root) > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023 > > id -Z > system_u:system_r:unconfined_t:s0-s0:c0.c1023 That's interesting. So what else does semanage export show now as local changes? > Also check the below output : > semanage user -l > > Labeling MLS/ MLS/ > SELinux User Prefix MCS Level MCS Range > SELinux Roles > > guest_u user s0 s0 > guest_r > root user s0 s0-s0:c0.c1023 > staff_r sysadm_r system_r unconfined_r > staff_u user s0 s0-s0:c0.c1023 > staff_r sysadm_r system_r unconfined_r > sysadm_u user s0 s0-s0:c0.c1023 > sysadm_r > system_u user s0 s0-s0:c0.c1023 > system_r unconfined_r > unconfined_u user s0 s0-s0:c0.c1023 > system_r unconfined_r > user_u user s0 s0 > user_r > xguest_u user s0 s0 > xguest_r > [root@cucm ~]# semanage login -l > > Login Name SELinux User MLS/MCS Range > Service > > __default__ unconfined_u s0-s0:c0.c1023 * > root unconfined_u s0-s0:c0.c1023 * > system_u system_u s0-s0:c0.c1023 * > > Please let me know your comments on this. > > Thanks > Aman ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-29 15:40 ` Fwd: " Stephen Smalley @ 2017-11-29 15:56 ` Aman Sharma 2017-11-29 16:02 ` Stephen Smalley 0 siblings, 1 reply; 43+ messages in thread From: Aman Sharma @ 2017-11-29 15:56 UTC (permalink / raw) To: Stephen Smalley; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 2672 bytes --] Hi Stephen, The output of semanage export is : cat localchanges boolean -D login -D interface -D user -D port -D node -D fcontext -D module -D boolean -m -1 domain_kernel_load_modules boolean -m -1 selinuxuser_ping boolean -m -1 ssh_sysadm_login boolean -m -1 tomcat_can_network_non_http_port port -a -t tomcat_shutdown_port_t -p tcp 8005 port -a -t ils_port_t -p tcp 8006 port -a -t clm_port_t -p tcp 8500 port -a -t clm_port_t -p udp 8500 port -a -t snmp_port_t -p udp 61441 fcontext -a -f a -t tomcat_t '/home/tomcat(/.*)?' fcontext -a -f a -t db_t '/home/informix(/.*)?' fcontext -a -f a -t ipsec_exec_t '/root/.security/ipsec(/.*)?' fcontext -a -f a -t tomcat_exec_t '/root/.security/tomcat/tomcat_diagnostics.sh' module -d unconfined On Wed, Nov 29, 2017 at 9:10 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Wed, 2017-11-29 at 20:47 +0530, Aman Sharma wrote: > > Hi Stephen, > > > > I tried all the three command i.e. > > semanage export > localchanges > > > > semanage login -D > > semanage user -D > > > > Then I reboot the system and after reboot , still its showing the > > root User as Same id context i.e. > > > > id > > uid=0(root) gid=0(root) groups=0(root) > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023 > > > > id -Z > > system_u:system_r:unconfined_t:s0-s0:c0.c1023 > > That's interesting. So what else does semanage export show now as > local changes? > > > Also check the below output : > > semanage user -l > > > > Labeling MLS/ MLS/ > > SELinux User Prefix MCS Level MCS Range > > SELinux Roles > > > > guest_u user s0 s0 > > guest_r > > root user s0 s0-s0:c0.c1023 > > staff_r sysadm_r system_r unconfined_r > > staff_u user s0 s0-s0:c0.c1023 > > staff_r sysadm_r system_r unconfined_r > > sysadm_u user s0 s0-s0:c0.c1023 > > sysadm_r > > system_u user s0 s0-s0:c0.c1023 > > system_r unconfined_r > > unconfined_u user s0 s0-s0:c0.c1023 > > system_r unconfined_r > > user_u user s0 s0 > > user_r > > xguest_u user s0 s0 > > xguest_r > > [root@cucm ~]# semanage login -l > > > > Login Name SELinux User MLS/MCS Range > > Service > > > > __default__ unconfined_u s0-s0:c0.c1023 * > > root unconfined_u s0-s0:c0.c1023 * > > system_u system_u s0-s0:c0.c1023 * > > > > Please let me know your comments on this. > > > > Thanks > > Aman > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 4483 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-29 15:56 ` Aman Sharma @ 2017-11-29 16:02 ` Stephen Smalley 2017-11-29 16:09 ` Aman Sharma 0 siblings, 1 reply; 43+ messages in thread From: Stephen Smalley @ 2017-11-29 16:02 UTC (permalink / raw) To: Aman Sharma; +Cc: SELinux On Wed, 2017-11-29 at 21:26 +0530, Aman Sharma wrote: > Hi Stephen, > > The output of semanage export is : > > cat localchanges > boolean -D > login -D > interface -D > user -D > port -D > node -D > fcontext -D > module -D > boolean -m -1 domain_kernel_load_modules > boolean -m -1 selinuxuser_ping > boolean -m -1 ssh_sysadm_login > boolean -m -1 tomcat_can_network_non_http_port > port -a -t tomcat_shutdown_port_t -p tcp 8005 > port -a -t ils_port_t -p tcp 8006 > port -a -t clm_port_t -p tcp 8500 > port -a -t clm_port_t -p udp 8500 > port -a -t snmp_port_t -p udp 61441 > fcontext -a -f a -t tomcat_t '/home/tomcat(/.*)?' > fcontext -a -f a -t db_t '/home/informix(/.*)?' > fcontext -a -f a -t ipsec_exec_t '/root/.security/ipsec(/.*)?' > fcontext -a -f a -t tomcat_exec_t > '/root/.security/tomcat/tomcat_diagnostics.sh' > module -d unconfined Hmmm...someone disabled the unconfined module on your system? So if you want to go back to using unconfined, you ought to re-enable that, ala semodule -e unconfined. It looks like someone locked down that system and was trying to effectively apply a "strict" policy, but it was left in a broken state. > > > On Wed, Nov 29, 2017 at 9:10 PM, Stephen Smalley <sds@tycho.nsa.gov> > wrote: > > On Wed, 2017-11-29 at 20:47 +0530, Aman Sharma wrote: > > > Hi Stephen, > > > > > > I tried all the three command i.e. > > > semanage export > localchanges > > > > > > semanage login -D > > > semanage user -D > > > > > > Then I reboot the system and after reboot , still its showing the > > > root User as Same id context i.e. > > > > > > id > > > uid=0(root) gid=0(root) groups=0(root) > > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023 > > > > > > id -Z > > > system_u:system_r:unconfined_t:s0-s0:c0.c1023 > > > > That's interesting. So what else does semanage export show now as > > local changes? > > > > > Also check the below output : > > > semanage user -l > > > > > > Labeling MLS/ MLS/ > > > > > SELinux User Prefix MCS Level MCS Range > > > > > SELinux Roles > > > > > > guest_u user s0 s0 > > > > > guest_r > > > root user s0 s0-s0:c0.c1023 > > > > > staff_r sysadm_r system_r unconfined_r > > > staff_u user s0 s0-s0:c0.c1023 > > > > > staff_r sysadm_r system_r unconfined_r > > > sysadm_u user s0 s0-s0:c0.c1023 > > > > > sysadm_r > > > system_u user s0 s0-s0:c0.c1023 > > > > > system_r unconfined_r > > > unconfined_u user s0 s0-s0:c0.c1023 > > > > > system_r unconfined_r > > > user_u user s0 s0 > > > > > user_r > > > xguest_u user s0 s0 > > > > > xguest_r > > > [root@cucm ~]# semanage login -l > > > > > > Login Name SELinux User MLS/MCS Range > > > Service > > > > > > __default__ unconfined_u s0-s0:c0.c1023 * > > > root unconfined_u s0-s0:c0.c1023 * > > > system_u system_u s0-s0:c0.c1023 * > > > > > > Please let me know your comments on this. > > > > > > Thanks > > > Aman > > > > > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-29 16:02 ` Stephen Smalley @ 2017-11-29 16:09 ` Aman Sharma 2017-11-29 16:20 ` Stephen Smalley 0 siblings, 1 reply; 43+ messages in thread From: Aman Sharma @ 2017-11-29 16:09 UTC (permalink / raw) To: Stephen Smalley; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 3838 bytes --] Hi Stephen, After enabling the unconfined module and after reboot also, Still showing the same id context. Is there any way to make the id context to normal state again ? Thanks Aman On Wed, Nov 29, 2017 at 9:32 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Wed, 2017-11-29 at 21:26 +0530, Aman Sharma wrote: > > Hi Stephen, > > > > The output of semanage export is : > > > > cat localchanges > > boolean -D > > login -D > > interface -D > > user -D > > port -D > > node -D > > fcontext -D > > module -D > > boolean -m -1 domain_kernel_load_modules > > boolean -m -1 selinuxuser_ping > > boolean -m -1 ssh_sysadm_login > > boolean -m -1 tomcat_can_network_non_http_port > > port -a -t tomcat_shutdown_port_t -p tcp 8005 > > port -a -t ils_port_t -p tcp 8006 > > port -a -t clm_port_t -p tcp 8500 > > port -a -t clm_port_t -p udp 8500 > > port -a -t snmp_port_t -p udp 61441 > > fcontext -a -f a -t tomcat_t '/home/tomcat(/.*)?' > > fcontext -a -f a -t db_t '/home/informix(/.*)?' > > fcontext -a -f a -t ipsec_exec_t '/root/.security/ipsec(/.*)?' > > fcontext -a -f a -t tomcat_exec_t > > '/root/.security/tomcat/tomcat_diagnostics.sh' > > module -d unconfined > > Hmmm...someone disabled the unconfined module on your system? > So if you want to go back to using unconfined, you ought to re-enable > that, ala semodule -e unconfined. It looks like someone locked down > that system and was trying to effectively apply a "strict" policy, but > it was left in a broken state. > > > > > > > On Wed, Nov 29, 2017 at 9:10 PM, Stephen Smalley <sds@tycho.nsa.gov> > > wrote: > > > On Wed, 2017-11-29 at 20:47 +0530, Aman Sharma wrote: > > > > Hi Stephen, > > > > > > > > I tried all the three command i.e. > > > > semanage export > localchanges > > > > > > > > semanage login -D > > > > semanage user -D > > > > > > > > Then I reboot the system and after reboot , still its showing the > > > > root User as Same id context i.e. > > > > > > > > id > > > > uid=0(root) gid=0(root) groups=0(root) > > > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023 > > > > > > > > id -Z > > > > system_u:system_r:unconfined_t:s0-s0:c0.c1023 > > > > > > That's interesting. So what else does semanage export show now as > > > local changes? > > > > > > > Also check the below output : > > > > semanage user -l > > > > > > > > Labeling MLS/ MLS/ > > > > > > > SELinux User Prefix MCS Level MCS Range > > > > > > > SELinux Roles > > > > > > > > guest_u user s0 s0 > > > > > > > guest_r > > > > root user s0 s0-s0:c0.c1023 > > > > > > > staff_r sysadm_r system_r unconfined_r > > > > staff_u user s0 s0-s0:c0.c1023 > > > > > > > staff_r sysadm_r system_r unconfined_r > > > > sysadm_u user s0 s0-s0:c0.c1023 > > > > > > > sysadm_r > > > > system_u user s0 s0-s0:c0.c1023 > > > > > > > system_r unconfined_r > > > > unconfined_u user s0 s0-s0:c0.c1023 > > > > > > > system_r unconfined_r > > > > user_u user s0 s0 > > > > > > > user_r > > > > xguest_u user s0 s0 > > > > > > > xguest_r > > > > [root@cucm ~]# semanage login -l > > > > > > > > Login Name SELinux User MLS/MCS Range > > > > Service > > > > > > > > __default__ unconfined_u s0-s0:c0.c1023 * > > > > root unconfined_u s0-s0:c0.c1023 * > > > > system_u system_u s0-s0:c0.c1023 * > > > > > > > > Please let me know your comments on this. > > > > > > > > Thanks > > > > Aman > > > > > > > > > > > -- > > > > Thanks > > Aman > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 6295 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-29 16:09 ` Aman Sharma @ 2017-11-29 16:20 ` Stephen Smalley 2017-11-29 16:31 ` Aman Sharma 0 siblings, 1 reply; 43+ messages in thread From: Stephen Smalley @ 2017-11-29 16:20 UTC (permalink / raw) To: Aman Sharma; +Cc: SELinux On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote: > Hi Stephen, > > After enabling the unconfined module and after reboot also, Still > showing the same id context. > > Is there any way to make the id context to normal state again ? Hmmm...try resetting all booleans too? semanage boolean -D Or you could be drastic and completely reset your policy: mv /etc/selinux/targeted /etc/selinux/targeted.old yum reinstall selinux-policy-targeted ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-29 16:20 ` Stephen Smalley @ 2017-11-29 16:31 ` Aman Sharma 2017-11-29 17:34 ` Stephen Smalley 0 siblings, 1 reply; 43+ messages in thread From: Aman Sharma @ 2017-11-29 16:31 UTC (permalink / raw) To: Stephen Smalley; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 690 bytes --] After resetting boolean also, showing the same id context. On Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote: > > Hi Stephen, > > > > After enabling the unconfined module and after reboot also, Still > > showing the same id context. > > > > Is there any way to make the id context to normal state again ? > > Hmmm...try resetting all booleans too? semanage boolean -D > > Or you could be drastic and completely reset your policy: > mv /etc/selinux/targeted /etc/selinux/targeted.old > yum reinstall selinux-policy-targeted > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 1329 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-29 16:31 ` Aman Sharma @ 2017-11-29 17:34 ` Stephen Smalley 2017-11-30 5:40 ` Aman Sharma 0 siblings, 1 reply; 43+ messages in thread From: Stephen Smalley @ 2017-11-29 17:34 UTC (permalink / raw) To: Aman Sharma; +Cc: SELinux On Wed, 2017-11-29 at 22:01 +0530, Aman Sharma wrote: > After resetting boolean also, showing the same id context. And did you try fully resetting your policy as I suggested: mv /etc/selinux/targeted /etc/selinux/targeted.old yum reinstall selinux-policy-targeted reboot > > > On Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley <sds@tycho.nsa.gov> > wrote: > > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote: > > > Hi Stephen, > > > > > > After enabling the unconfined module and after reboot also, Still > > > showing the same id context. > > > > > > Is there any way to make the id context to normal state again ? > > > > Hmmm...try resetting all booleans too? semanage boolean -D > > > > Or you could be drastic and completely reset your policy: > > mv /etc/selinux/targeted /etc/selinux/targeted.old > > yum reinstall selinux-policy-targeted > > > > > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-29 17:34 ` Stephen Smalley @ 2017-11-30 5:40 ` Aman Sharma 2017-11-30 15:43 ` Aman Sharma ` (2 more replies) 0 siblings, 3 replies; 43+ messages in thread From: Aman Sharma @ 2017-11-30 5:40 UTC (permalink / raw) To: Stephen Smalley; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 1600 bytes --] Hi Stephen, After reseting Selinux targeted folder also (the steps you mentioned in the earlier mail), Still its showing the same Id context i.e. *id* *uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* *[root@cucm2 ~]# id -Z* *system_u:system_r:unconfined_t:s0-s0:c0.c1023* *And semanage login -l is showing blank output. * *Do you have any idea about this.* *Thanks* *Aman* On Wed, Nov 29, 2017 at 11:04 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Wed, 2017-11-29 at 22:01 +0530, Aman Sharma wrote: > > After resetting boolean also, showing the same id context. > > And did you try fully resetting your policy as I suggested: > mv /etc/selinux/targeted /etc/selinux/targeted.old > yum reinstall selinux-policy-targeted > reboot > > > > > > > On Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley <sds@tycho.nsa.gov> > > wrote: > > > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote: > > > > Hi Stephen, > > > > > > > > After enabling the unconfined module and after reboot also, Still > > > > showing the same id context. > > > > > > > > Is there any way to make the id context to normal state again ? > > > > > > Hmmm...try resetting all booleans too? semanage boolean -D > > > > > > Or you could be drastic and completely reset your policy: > > > mv /etc/selinux/targeted /etc/selinux/targeted.old > > > yum reinstall selinux-policy-targeted > > > > > > > > > > > -- > > > > Thanks > > Aman > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 2809 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-30 5:40 ` Aman Sharma @ 2017-11-30 15:43 ` Aman Sharma 2017-11-30 20:19 ` Dominick Grift 2017-12-01 19:26 ` Fwd: " Stephen Smalley 2 siblings, 0 replies; 43+ messages in thread From: Aman Sharma @ 2017-11-30 15:43 UTC (permalink / raw) To: Stephen Smalley; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 1938 bytes --] Hi Stephen, Do you have any other way to change the context from id command ? Thanks Aman On Thu, Nov 30, 2017 at 11:10 AM, Aman Sharma <amansh.sharma5@gmail.com> wrote: > Hi Stephen, > > After reseting Selinux targeted folder also (the steps you mentioned in > the earlier mail), Still its showing the same Id context i.e. > > *id* > *uid=0(root) gid=0(root) groups=0(root) > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* > *[root@cucm2 ~]# id -Z* > *system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > *And semanage login -l is showing blank output. * > > *Do you have any idea about this.* > > *Thanks* > *Aman* > > > On Wed, Nov 29, 2017 at 11:04 PM, Stephen Smalley <sds@tycho.nsa.gov> > wrote: > >> On Wed, 2017-11-29 at 22:01 +0530, Aman Sharma wrote: >> > After resetting boolean also, showing the same id context. >> >> And did you try fully resetting your policy as I suggested: >> mv /etc/selinux/targeted /etc/selinux/targeted.old >> yum reinstall selinux-policy-targeted >> reboot >> >> > >> > >> > On Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley <sds@tycho.nsa.gov> >> > wrote: >> > > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote: >> > > > Hi Stephen, >> > > > >> > > > After enabling the unconfined module and after reboot also, Still >> > > > showing the same id context. >> > > > >> > > > Is there any way to make the id context to normal state again ? >> > > >> > > Hmmm...try resetting all booleans too? semanage boolean -D >> > > >> > > Or you could be drastic and completely reset your policy: >> > > mv /etc/selinux/targeted /etc/selinux/targeted.old >> > > yum reinstall selinux-policy-targeted >> > > >> > >> > >> > >> > -- >> > >> > Thanks >> > Aman >> > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com >> > > > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 3882 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-30 5:40 ` Aman Sharma 2017-11-30 15:43 ` Aman Sharma @ 2017-11-30 20:19 ` Dominick Grift 2017-12-01 4:26 ` Aman Sharma 2017-12-01 19:26 ` Fwd: " Stephen Smalley 2 siblings, 1 reply; 43+ messages in thread From: Dominick Grift @ 2017-11-30 20:19 UTC (permalink / raw) To: selinux [-- Attachment #1: Type: text/plain, Size: 2158 bytes --] On Thu, Nov 30, 2017 at 11:10:43AM +0530, Aman Sharma wrote: > Hi Stephen, > > After reseting Selinux targeted folder also (the steps you mentioned in the > earlier mail), Still its showing the same Id context i.e. > > *id* > *uid=0(root) gid=0(root) groups=0(root) > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* > *[root@cucm2 ~]# id -Z* > *system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > *And semanage login -l is showing blank output. * > > *Do you have any idea about this.* > > *Thanks* > *Aman* Try the same procedure again but this time also do before reinstalling: mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old > > > On Wed, Nov 29, 2017 at 11:04 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > > > On Wed, 2017-11-29 at 22:01 +0530, Aman Sharma wrote: > > > After resetting boolean also, showing the same id context. > > > > And did you try fully resetting your policy as I suggested: > > mv /etc/selinux/targeted /etc/selinux/targeted.old > > yum reinstall selinux-policy-targeted > > reboot > > > > > > > > > > > On Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley <sds@tycho.nsa.gov> > > > wrote: > > > > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote: > > > > > Hi Stephen, > > > > > > > > > > After enabling the unconfined module and after reboot also, Still > > > > > showing the same id context. > > > > > > > > > > Is there any way to make the id context to normal state again ? > > > > > > > > Hmmm...try resetting all booleans too? semanage boolean -D > > > > > > > > Or you could be drastic and completely reset your policy: > > > > mv /etc/selinux/targeted /etc/selinux/targeted.old > > > > yum reinstall selinux-policy-targeted > > > > > > > > > > > > > > > > -- > > > > > > Thanks > > > Aman > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 659 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-30 20:19 ` Dominick Grift @ 2017-12-01 4:26 ` Aman Sharma 2017-12-01 19:16 ` Simon Sekidde 0 siblings, 1 reply; 43+ messages in thread From: Aman Sharma @ 2017-12-01 4:26 UTC (permalink / raw) To: SELinux [-- Attachment #1: Type: text/plain, Size: 2652 bytes --] Hi , mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old This targeted folder is not there. After searching I got the below result : find / -type d -name "*targeted" -print /usr/share/selinux/targeted /etc/selinux/targeted Pleas let me know your comments. On Fri, Dec 1, 2017 at 1:49 AM, Dominick Grift <dac.override@gmail.com> wrote: > On Thu, Nov 30, 2017 at 11:10:43AM +0530, Aman Sharma wrote: > > Hi Stephen, > > > > After reseting Selinux targeted folder also (the steps you mentioned in > the > > earlier mail), Still its showing the same Id context i.e. > > > > *id* > > *uid=0(root) gid=0(root) groups=0(root) > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > *[root@cucm2 ~]# id -Z* > > *system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > > > *And semanage login -l is showing blank output. * > > > > *Do you have any idea about this.* > > > > *Thanks* > > *Aman* > > Try the same procedure again but this time also do before reinstalling: > > mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old > > > > > > > On Wed, Nov 29, 2017 at 11:04 PM, Stephen Smalley <sds@tycho.nsa.gov> > wrote: > > > > > On Wed, 2017-11-29 at 22:01 +0530, Aman Sharma wrote: > > > > After resetting boolean also, showing the same id context. > > > > > > And did you try fully resetting your policy as I suggested: > > > mv /etc/selinux/targeted /etc/selinux/targeted.old > > > yum reinstall selinux-policy-targeted > > > reboot > > > > > > > > > > > > > > > On Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley <sds@tycho.nsa.gov> > > > > wrote: > > > > > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote: > > > > > > Hi Stephen, > > > > > > > > > > > > After enabling the unconfined module and after reboot also, Still > > > > > > showing the same id context. > > > > > > > > > > > > Is there any way to make the id context to normal state again ? > > > > > > > > > > Hmmm...try resetting all booleans too? semanage boolean -D > > > > > > > > > > Or you could be drastic and completely reset your policy: > > > > > mv /etc/selinux/targeted /etc/selinux/targeted.old > > > > > yum reinstall selinux-policy-targeted > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > Thanks > > > > Aman > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > > > > > > -- > > > > Thanks > > Aman > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > -- > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > Dominick Grift > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 4984 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-12-01 4:26 ` Aman Sharma @ 2017-12-01 19:16 ` Simon Sekidde 2017-12-01 19:28 ` Stephen Smalley 0 siblings, 1 reply; 43+ messages in thread From: Simon Sekidde @ 2017-12-01 19:16 UTC (permalink / raw) To: Aman Sharma; +Cc: SELinux ----- Original Message ----- > From: "Aman Sharma" <amansh.sharma5@gmail.com> > To: "SELinux" <selinux@tycho.nsa.gov> > Sent: Thursday, November 30, 2017 11:26:21 PM > Subject: Re: Fwd: Qwery regarding Selinux Change Id context > > Hi , > > mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old > > This targeted folder is not there. > > After searching I got the below result : > > find / -type d -name "*targeted" -print > > /usr/share/selinux/targeted > /etc/selinux/targeted > > Pleas let me know your comments. > Run mv /etc/selinux/targeted /etc/selinux/targeted.old yum reinstall selinux-policy-targeted Also what does this output show ps -aelfZ | grep -i ssh > > On Fri, Dec 1, 2017 at 1:49 AM, Dominick Grift <dac.override@gmail.com> > wrote: > > > On Thu, Nov 30, 2017 at 11:10:43AM +0530, Aman Sharma wrote: > > > Hi Stephen, > > > > > > After reseting Selinux targeted folder also (the steps you mentioned in > > the > > > earlier mail), Still its showing the same Id context i.e. > > > > > > *id* > > > *uid=0(root) gid=0(root) groups=0(root) > > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > > *[root@cucm2 ~]# id -Z* > > > *system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > > > > > *And semanage login -l is showing blank output. * > > > > > > *Do you have any idea about this.* > > > > > > *Thanks* > > > *Aman* > > > > Try the same procedure again but this time also do before reinstalling: > > > > mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old > > > > > > > > > > > On Wed, Nov 29, 2017 at 11:04 PM, Stephen Smalley <sds@tycho.nsa.gov> > > wrote: > > > > > > > On Wed, 2017-11-29 at 22:01 +0530, Aman Sharma wrote: > > > > > After resetting boolean also, showing the same id context. > > > > > > > > And did you try fully resetting your policy as I suggested: > > > > mv /etc/selinux/targeted /etc/selinux/targeted.old > > > > yum reinstall selinux-policy-targeted > > > > reboot > > > > > > > > > > > > > > > > > > > On Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley <sds@tycho.nsa.gov> > > > > > wrote: > > > > > > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote: > > > > > > > Hi Stephen, > > > > > > > > > > > > > > After enabling the unconfined module and after reboot also, Still > > > > > > > showing the same id context. > > > > > > > > > > > > > > Is there any way to make the id context to normal state again ? > > > > > > > > > > > > Hmmm...try resetting all booleans too? semanage boolean -D > > > > > > > > > > > > Or you could be drastic and completely reset your policy: > > > > > > mv /etc/selinux/targeted /etc/selinux/targeted.old > > > > > > yum reinstall selinux-policy-targeted > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > Thanks > > > > > Aman > > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > > > > > > > > > > > -- > > > > > > Thanks > > > Aman > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > -- > > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > > Dominick Grift > > > > > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > -- Simon Sekidde gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-12-01 19:16 ` Simon Sekidde @ 2017-12-01 19:28 ` Stephen Smalley 2017-12-01 19:35 ` Simon Sekidde 0 siblings, 1 reply; 43+ messages in thread From: Stephen Smalley @ 2017-12-01 19:28 UTC (permalink / raw) To: Simon Sekidde, Aman Sharma; +Cc: SELinux On Fri, 2017-12-01 at 14:16 -0500, Simon Sekidde wrote: > > ----- Original Message ----- > > From: "Aman Sharma" <amansh.sharma5@gmail.com> > > To: "SELinux" <selinux@tycho.nsa.gov> > > Sent: Thursday, November 30, 2017 11:26:21 PM > > Subject: Re: Fwd: Qwery regarding Selinux Change Id context > > > > Hi , > > > > mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old > > > > This targeted folder is not there. > > > > After searching I got the below result : > > > > find / -type d -name "*targeted" -print > > > > /usr/share/selinux/targeted > > /etc/selinux/targeted > > > > Pleas let me know your comments. > > > > Run > > mv /etc/selinux/targeted /etc/selinux/targeted.old > yum reinstall selinux-policy-targeted He already tried that and it allegedly didn't help. It also seems to leave you without a /etc/selinux/targeted/active/seusers file for some reason, such that semanage login -l shows nothing. But you can recover by copying /etc/selinux/targeted/seusers to /etc/selinux/targeted/active/seusers. That's a bug. > > Also what does this output show > > ps -aelfZ | grep -i ssh > > > > > On Fri, Dec 1, 2017 at 1:49 AM, Dominick Grift <dac.override@gmail. > > com> > > wrote: > > > > > On Thu, Nov 30, 2017 at 11:10:43AM +0530, Aman Sharma wrote: > > > > Hi Stephen, > > > > > > > > After reseting Selinux targeted folder also (the steps you > > > > mentioned in > > > > > > the > > > > earlier mail), Still its showing the same Id context i.e. > > > > > > > > *id* > > > > *uid=0(root) gid=0(root) groups=0(root) > > > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > > > *[root@cucm2 ~]# id -Z* > > > > *system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > > > > > > > *And semanage login -l is showing blank output. * > > > > > > > > *Do you have any idea about this.* > > > > > > > > *Thanks* > > > > *Aman* > > > > > > Try the same procedure again but this time also do before > > > reinstalling: > > > > > > mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old > > > > > > > > > > > > > > > On Wed, Nov 29, 2017 at 11:04 PM, Stephen Smalley <sds@tycho.ns > > > > a.gov> > > > > > > wrote: > > > > > > > > > On Wed, 2017-11-29 at 22:01 +0530, Aman Sharma wrote: > > > > > > After resetting boolean also, showing the same id context. > > > > > > > > > > And did you try fully resetting your policy as I suggested: > > > > > mv /etc/selinux/targeted /etc/selinux/targeted.old > > > > > yum reinstall selinux-policy-targeted > > > > > reboot > > > > > > > > > > > > > > > > > > > > > > > On Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley <sds@tycho > > > > > > .nsa.gov> > > > > > > wrote: > > > > > > > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote: > > > > > > > > Hi Stephen, > > > > > > > > > > > > > > > > After enabling the unconfined module and after reboot > > > > > > > > also, Still > > > > > > > > showing the same id context. > > > > > > > > > > > > > > > > Is there any way to make the id context to normal state > > > > > > > > again ? > > > > > > > > > > > > > > Hmmm...try resetting all booleans too? semanage boolean > > > > > > > -D > > > > > > > > > > > > > > Or you could be drastic and completely reset your policy: > > > > > > > mv /etc/selinux/targeted /etc/selinux/targeted.old > > > > > > > yum reinstall selinux-policy-targeted > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > Thanks > > > > > > Aman > > > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > > > > > > > > > > > -- > > > > > > > > Thanks > > > > Aman > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > -- > > > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B > > > 6B02 > > > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7 > > > B6B02 > > > Dominick Grift > > > > > > > > > > > -- > > > > Thanks > > Aman > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-12-01 19:28 ` Stephen Smalley @ 2017-12-01 19:35 ` Simon Sekidde 2017-12-02 3:59 ` Aman Sharma 0 siblings, 1 reply; 43+ messages in thread From: Simon Sekidde @ 2017-12-01 19:35 UTC (permalink / raw) To: Stephen Smalley; +Cc: Aman Sharma, SELinux ----- Original Message ----- > From: "Stephen Smalley" <sds@tycho.nsa.gov> > To: "Simon Sekidde" <ssekidde@redhat.com>, "Aman Sharma" <amansh.sharma5@gmail.com> > Cc: "SELinux" <selinux@tycho.nsa.gov> > Sent: Friday, December 1, 2017 2:28:17 PM > Subject: Re: Qwery regarding Selinux Change Id context > > On Fri, 2017-12-01 at 14:16 -0500, Simon Sekidde wrote: > > > > ----- Original Message ----- > > > From: "Aman Sharma" <amansh.sharma5@gmail.com> > > > To: "SELinux" <selinux@tycho.nsa.gov> > > > Sent: Thursday, November 30, 2017 11:26:21 PM > > > Subject: Re: Fwd: Qwery regarding Selinux Change Id context > > > > > > Hi , > > > > > > mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old > > > > > > This targeted folder is not there. > > > > > > After searching I got the below result : > > > > > > find / -type d -name "*targeted" -print > > > > > > /usr/share/selinux/targeted > > > /etc/selinux/targeted > > > > > > Pleas let me know your comments. > > > > > > > Run > > > > mv /etc/selinux/targeted /etc/selinux/targeted.old > > yum reinstall selinux-policy-targeted > > He already tried that and it allegedly didn't help. It also seems to > leave you without a /etc/selinux/targeted/active/seusers file for some > reason, such that semanage login -l shows nothing. But you can recover > by copying /etc/selinux/targeted/seusers to > /etc/selinux/targeted/active/seusers. That's a bug. > Interesting. Thanks for spotting this. > > > > Also what does this output show > > > > ps -aelfZ | grep -i ssh > > > > > > > > On Fri, Dec 1, 2017 at 1:49 AM, Dominick Grift <dac.override@gmail. > > > com> > > > wrote: > > > > > > > On Thu, Nov 30, 2017 at 11:10:43AM +0530, Aman Sharma wrote: > > > > > Hi Stephen, > > > > > > > > > > After reseting Selinux targeted folder also (the steps you > > > > > mentioned in > > > > > > > > the > > > > > earlier mail), Still its showing the same Id context i.e. > > > > > > > > > > *id* > > > > > *uid=0(root) gid=0(root) groups=0(root) > > > > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > > > > *[root@cucm2 ~]# id -Z* > > > > > *system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > > > > > > > > > *And semanage login -l is showing blank output. * > > > > > > > > > > *Do you have any idea about this.* > > > > > > > > > > *Thanks* > > > > > *Aman* > > > > > > > > Try the same procedure again but this time also do before > > > > reinstalling: > > > > > > > > mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old > > > > > > > > > > > > > > > > > > > On Wed, Nov 29, 2017 at 11:04 PM, Stephen Smalley <sds@tycho.ns > > > > > a.gov> > > > > > > > > wrote: > > > > > > > > > > > On Wed, 2017-11-29 at 22:01 +0530, Aman Sharma wrote: > > > > > > > After resetting boolean also, showing the same id context. > > > > > > > > > > > > And did you try fully resetting your policy as I suggested: > > > > > > mv /etc/selinux/targeted /etc/selinux/targeted.old > > > > > > yum reinstall selinux-policy-targeted > > > > > > reboot > > > > > > > > > > > > > > > > > > > > > > > > > > > On Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley <sds@tycho > > > > > > > .nsa.gov> > > > > > > > wrote: > > > > > > > > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote: > > > > > > > > > Hi Stephen, > > > > > > > > > > > > > > > > > > After enabling the unconfined module and after reboot > > > > > > > > > also, Still > > > > > > > > > showing the same id context. > > > > > > > > > > > > > > > > > > Is there any way to make the id context to normal state > > > > > > > > > again ? > > > > > > > > > > > > > > > > Hmmm...try resetting all booleans too? semanage boolean > > > > > > > > -D > > > > > > > > > > > > > > > > Or you could be drastic and completely reset your policy: > > > > > > > > mv /etc/selinux/targeted /etc/selinux/targeted.old > > > > > > > > yum reinstall selinux-policy-targeted > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > > > Thanks > > > > > > > Aman > > > > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > Thanks > > > > > Aman > > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > > > -- > > > > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B > > > > 6B02 > > > > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7 > > > > B6B02 > > > > Dominick Grift > > > > > > > > > > > > > > > > -- > > > > > > Thanks > > > Aman > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > > > -- Simon Sekidde gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-12-01 19:35 ` Simon Sekidde @ 2017-12-02 3:59 ` Aman Sharma 2017-12-04 15:40 ` Stephen Smalley 0 siblings, 1 reply; 43+ messages in thread From: Aman Sharma @ 2017-12-02 3:59 UTC (permalink / raw) To: Simon Sekidde; +Cc: Stephen Smalley, SELinux [-- Attachment #1: Type: text/plain, Size: 6678 bytes --] Hi All, Thanks for the information. But after resetting the semanage User/login, and moving the targeted folder to old one and then install the default target. then also its still showing the Id context as context=*system_u:system_r:unconfined_t:s0-s0:c0.c1023.* *What I observed is after changing the permission using semanage command also, its still showing the system_u:system_r. * *Check the semanage login/User output :* *semanage login -l* *Login Name SELinux User MLS/MCS Range Service* *__default__ unconfined_u s0-s0:c0.c1023 ** *root unconfined_u s0-s0:c0.c1023 ** *system_u system_u s0-s0:c0.c1023 ** *semanage user -l* * Labeling MLS/ MLS/ * *SELinux User Prefix MCS Level MCS Range SELinux Roles* *guest_u user s0 s0 guest_r* *root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r* *staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r* *sysadm_u user s0 s0-s0:c0.c1023 sysadm_r* *system_u user s0 s0-s0:c0.c1023 system_r unconfined_r* *unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r* *user_u user s0 s0 user_r* *xguest_u user s0 s0 xguest_r* Looks like its related to some other issue. What you think about this. Thanks Aman On Sat, Dec 2, 2017 at 1:05 AM, Simon Sekidde <ssekidde@redhat.com> wrote: > > > ----- Original Message ----- > > From: "Stephen Smalley" <sds@tycho.nsa.gov> > > To: "Simon Sekidde" <ssekidde@redhat.com>, "Aman Sharma" < > amansh.sharma5@gmail.com> > > Cc: "SELinux" <selinux@tycho.nsa.gov> > > Sent: Friday, December 1, 2017 2:28:17 PM > > Subject: Re: Qwery regarding Selinux Change Id context > > > > On Fri, 2017-12-01 at 14:16 -0500, Simon Sekidde wrote: > > > > > > ----- Original Message ----- > > > > From: "Aman Sharma" <amansh.sharma5@gmail.com> > > > > To: "SELinux" <selinux@tycho.nsa.gov> > > > > Sent: Thursday, November 30, 2017 11:26:21 PM > > > > Subject: Re: Fwd: Qwery regarding Selinux Change Id context > > > > > > > > Hi , > > > > > > > > mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old > > > > > > > > This targeted folder is not there. > > > > > > > > After searching I got the below result : > > > > > > > > find / -type d -name "*targeted" -print > > > > > > > > /usr/share/selinux/targeted > > > > /etc/selinux/targeted > > > > > > > > Pleas let me know your comments. > > > > > > > > > > Run > > > > > > mv /etc/selinux/targeted /etc/selinux/targeted.old > > > yum reinstall selinux-policy-targeted > > > > He already tried that and it allegedly didn't help. It also seems to > > leave you without a /etc/selinux/targeted/active/seusers file for some > > reason, such that semanage login -l shows nothing. But you can recover > > by copying /etc/selinux/targeted/seusers to > > /etc/selinux/targeted/active/seusers. That's a bug. > > > > Interesting. Thanks for spotting this. > > > > > > > Also what does this output show > > > > > > ps -aelfZ | grep -i ssh > > > > > > > > > > > On Fri, Dec 1, 2017 at 1:49 AM, Dominick Grift <dac.override@gmail. > > > > com> > > > > wrote: > > > > > > > > > On Thu, Nov 30, 2017 at 11:10:43AM +0530, Aman Sharma wrote: > > > > > > Hi Stephen, > > > > > > > > > > > > After reseting Selinux targeted folder also (the steps you > > > > > > mentioned in > > > > > > > > > > the > > > > > > earlier mail), Still its showing the same Id context i.e. > > > > > > > > > > > > *id* > > > > > > *uid=0(root) gid=0(root) groups=0(root) > > > > > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > > > > > *[root@cucm2 ~]# id -Z* > > > > > > *system_u:system_r:unconfined_t:s0-s0:c0.c1023* > > > > > > > > > > > > *And semanage login -l is showing blank output. * > > > > > > > > > > > > *Do you have any idea about this.* > > > > > > > > > > > > *Thanks* > > > > > > *Aman* > > > > > > > > > > Try the same procedure again but this time also do before > > > > > reinstalling: > > > > > > > > > > mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old > > > > > > > > > > > > > > > > > > > > > > > On Wed, Nov 29, 2017 at 11:04 PM, Stephen Smalley <sds@tycho.ns > > > > > > a.gov> > > > > > > > > > > wrote: > > > > > > > > > > > > > On Wed, 2017-11-29 at 22:01 +0530, Aman Sharma wrote: > > > > > > > > After resetting boolean also, showing the same id context. > > > > > > > > > > > > > > And did you try fully resetting your policy as I suggested: > > > > > > > mv /etc/selinux/targeted /etc/selinux/targeted.old > > > > > > > yum reinstall selinux-policy-targeted > > > > > > > reboot > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley <sds@tycho > > > > > > > > .nsa.gov> > > > > > > > > wrote: > > > > > > > > > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote: > > > > > > > > > > Hi Stephen, > > > > > > > > > > > > > > > > > > > > After enabling the unconfined module and after reboot > > > > > > > > > > also, Still > > > > > > > > > > showing the same id context. > > > > > > > > > > > > > > > > > > > > Is there any way to make the id context to normal state > > > > > > > > > > again ? > > > > > > > > > > > > > > > > > > Hmmm...try resetting all booleans too? semanage boolean > > > > > > > > > -D > > > > > > > > > > > > > > > > > > Or you could be drastic and completely reset your policy: > > > > > > > > > mv /etc/selinux/targeted /etc/selinux/targeted.old > > > > > > > > > yum reinstall selinux-policy-targeted > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > > > > > Thanks > > > > > > > > Aman > > > > > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > Thanks > > > > > > Aman > > > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > > > > > -- > > > > > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B > > > > > 6B02 > > > > > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7 > > > > > B6B02 > > > > > Dominick Grift > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > Thanks > > > > Aman > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > > > > > > > > > -- > Simon Sekidde > gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E > > > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 11941 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-12-02 3:59 ` Aman Sharma @ 2017-12-04 15:40 ` Stephen Smalley 2017-12-04 16:01 ` Aman Sharma 0 siblings, 1 reply; 43+ messages in thread From: Stephen Smalley @ 2017-12-04 15:40 UTC (permalink / raw) To: Aman Sharma, Simon Sekidde; +Cc: SELinux On Sat, 2017-12-02 at 09:29 +0530, Aman Sharma wrote: > Hi All, > > Thanks for the information. > > But after resetting the semanage User/login, and moving the targeted > folder to old one and then install the default target. then also its > still showing the > Id context as context=system_u:system_r:unconfined_t:s0-s0:c0.c1023. > > What I observed is after changing the permission using semanage > command also, its still showing the system_u:system_r. > > Check the semanage login/User output : > > semanage login -l > > Login Name SELinux User MLS/MCS Range > Service > > __default__ unconfined_u s0-s0:c0.c1023 * > root unconfined_u s0-s0:c0.c1023 * > system_u system_u s0-s0:c0.c1023 * > > > semanage user -l > > Labeling MLS/ MLS/ > SELinux User Prefix MCS Level MCS Range > SELinux Roles > > guest_u user s0 s0 > guest_r > root user s0 s0-s0:c0.c1023 > staff_r sysadm_r system_r unconfined_r > staff_u user s0 s0-s0:c0.c1023 > staff_r sysadm_r system_r unconfined_r > sysadm_u user s0 s0-s0:c0.c1023 > sysadm_r > system_u user s0 s0-s0:c0.c1023 > system_r unconfined_r > unconfined_u user s0 s0-s0:c0.c1023 > system_r unconfined_r > user_u user s0 s0 > user_r > xguest_u user s0 s0 > xguest_r > > > Looks like its related to some other issue. What you think about > this. Do you have any relevant error messages in /var/log/secure or journalctl -rb? Look for anything that refers to selinux or context. I'm guessing that pam_selinux is unable to determine a valid context for your login for some reason, and this is causing it to fall back to this one. Or something like that. You could try to emulate this process via selinuxdefcon, although I'm not sure how closely it matches pam_selinux anymore. Sample usage: 1. See what context sshd is running in. ps -eZ | grep sshd It should be: system_u:system_r:sshd_t:s0-s0:c0.c1023 2. Run selinuxdefcon to compute the default context for root when logging in from sshd: # Second argument should be whatever was shown by ps -eZ | grep sshd above. selinuxdefcon root system_u:system_r:sshd_t:s0-s0.c0123 It should be: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-12-04 15:40 ` Stephen Smalley @ 2017-12-04 16:01 ` Aman Sharma 2017-12-04 16:06 ` Aman Sharma 2017-12-04 16:09 ` Stephen Smalley 0 siblings, 2 replies; 43+ messages in thread From: Aman Sharma @ 2017-12-04 16:01 UTC (permalink / raw) To: Stephen Smalley; +Cc: Simon Sekidde, SELinux [-- Attachment #1: Type: text/plain, Size: 3860 bytes --] Hi Stephen, I got the below logs from the file .Can you please if these logs are fine or not : journalctl | grep selinux Dec 05 02:55:46 localhost.localdomain kernel: EVM: security.selinux Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0 auid=0 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 addr=10.97.7.209 terminal=ssh res=success' Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain type=USER_START msg=audit(1512402970.131:108): pid=7568 uid=0 auid=0 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 addr=10.97.7.209 terminal=ssh res=success' Please let me know if any comments are there. On Mon, Dec 4, 2017 at 9:10 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Sat, 2017-12-02 at 09:29 +0530, Aman Sharma wrote: > > Hi All, > > > > Thanks for the information. > > > > But after resetting the semanage User/login, and moving the targeted > > folder to old one and then install the default target. then also its > > still showing the > > Id context as context=system_u:system_r:unconfined_t:s0-s0:c0.c1023. > > > > What I observed is after changing the permission using semanage > > command also, its still showing the system_u:system_r. > > > > Check the semanage login/User output : > > > > semanage login -l > > > > Login Name SELinux User MLS/MCS Range > > Service > > > > __default__ unconfined_u s0-s0:c0.c1023 * > > root unconfined_u s0-s0:c0.c1023 * > > system_u system_u s0-s0:c0.c1023 * > > > > > > semanage user -l > > > > Labeling MLS/ MLS/ > > SELinux User Prefix MCS Level MCS Range > > SELinux Roles > > > > guest_u user s0 s0 > > guest_r > > root user s0 s0-s0:c0.c1023 > > staff_r sysadm_r system_r unconfined_r > > staff_u user s0 s0-s0:c0.c1023 > > staff_r sysadm_r system_r unconfined_r > > sysadm_u user s0 s0-s0:c0.c1023 > > sysadm_r > > system_u user s0 s0-s0:c0.c1023 > > system_r unconfined_r > > unconfined_u user s0 s0-s0:c0.c1023 > > system_r unconfined_r > > user_u user s0 s0 > > user_r > > xguest_u user s0 s0 > > xguest_r > > > > > > Looks like its related to some other issue. What you think about > > this. > > Do you have any relevant error messages in /var/log/secure or > journalctl -rb? Look for anything that refers to selinux or context. > > I'm guessing that pam_selinux is unable to determine a valid context > for your login for some reason, and this is causing it to fall back to > this one. Or something like that. > > You could try to emulate this process via selinuxdefcon, although I'm > not sure how closely it matches pam_selinux anymore. Sample usage: > > 1. See what context sshd is running in. > > ps -eZ | grep sshd > > It should be: > system_u:system_r:sshd_t:s0-s0:c0.c1023 > > 2. Run selinuxdefcon to compute the default context for root when > logging in from sshd: > > # Second argument should be whatever was shown by ps -eZ | grep sshd > above. > selinuxdefcon root system_u:system_r:sshd_t:s0-s0.c0123 > > It should be: > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > > > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 5620 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-12-04 16:01 ` Aman Sharma @ 2017-12-04 16:06 ` Aman Sharma 2017-12-04 16:09 ` Stephen Smalley 1 sibling, 0 replies; 43+ messages in thread From: Aman Sharma @ 2017-12-04 16:06 UTC (permalink / raw) To: Stephen Smalley; +Cc: Simon Sekidde, SELinux [-- Attachment #1: Type: text/plain, Size: 5049 bytes --] Hi Stephen, Below is my login pam file : #%PAM-1.0 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so auth substack system-auth auth include postlogin account required pam_nologin.so account include system-auth password include system-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so session optional pam_console.so # pam_selinux.so restore should only be followed by sessions to be executed in the user context session required pam_selinux.so restore session required pam_namespace.so session optional pam_keyinit.so force revoke session include system-auth session include postlogin -session optional pam_ck_connector.so Can you Please check if this is fine. On Mon, Dec 4, 2017 at 9:31 PM, Aman Sharma <amansh.sharma5@gmail.com> wrote: > Hi Stephen, > > I got the below logs from the file .Can you please if these logs are fine > or not : > > journalctl | grep selinux > Dec 05 02:55:46 localhost.localdomain kernel: EVM: security.selinux > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain > type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0 auid=0 ses=2 > subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_ > namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 addr=10.97.7.209 > terminal=ssh res=success' > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain > type=USER_START msg=audit(1512402970.131:108): pid=7568 uid=0 auid=0 ses=3 > subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_ > namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 addr=10.97.7.209 > terminal=ssh res=success' > > Please let me know if any comments are there. > > On Mon, Dec 4, 2017 at 9:10 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > >> On Sat, 2017-12-02 at 09:29 +0530, Aman Sharma wrote: >> > Hi All, >> > >> > Thanks for the information. >> > >> > But after resetting the semanage User/login, and moving the targeted >> > folder to old one and then install the default target. then also its >> > still showing the >> > Id context as context=system_u:system_r:unconfined_t:s0-s0:c0.c1023. >> > >> > What I observed is after changing the permission using semanage >> > command also, its still showing the system_u:system_r. >> > >> > Check the semanage login/User output : >> > >> > semanage login -l >> > >> > Login Name SELinux User MLS/MCS Range >> > Service >> > >> > __default__ unconfined_u s0-s0:c0.c1023 * >> > root unconfined_u s0-s0:c0.c1023 * >> > system_u system_u s0-s0:c0.c1023 * >> > >> > >> > semanage user -l >> > >> > Labeling MLS/ MLS/ >> > SELinux User Prefix MCS Level MCS Range >> > SELinux Roles >> > >> > guest_u user s0 s0 >> > guest_r >> > root user s0 s0-s0:c0.c1023 >> > staff_r sysadm_r system_r unconfined_r >> > staff_u user s0 s0-s0:c0.c1023 >> > staff_r sysadm_r system_r unconfined_r >> > sysadm_u user s0 s0-s0:c0.c1023 >> > sysadm_r >> > system_u user s0 s0-s0:c0.c1023 >> > system_r unconfined_r >> > unconfined_u user s0 s0-s0:c0.c1023 >> > system_r unconfined_r >> > user_u user s0 s0 >> > user_r >> > xguest_u user s0 s0 >> > xguest_r >> > >> > >> > Looks like its related to some other issue. What you think about >> > this. >> >> Do you have any relevant error messages in /var/log/secure or >> journalctl -rb? Look for anything that refers to selinux or context. >> >> I'm guessing that pam_selinux is unable to determine a valid context >> for your login for some reason, and this is causing it to fall back to >> this one. Or something like that. >> >> You could try to emulate this process via selinuxdefcon, although I'm >> not sure how closely it matches pam_selinux anymore. Sample usage: >> >> 1. See what context sshd is running in. >> >> ps -eZ | grep sshd >> >> It should be: >> system_u:system_r:sshd_t:s0-s0:c0.c1023 >> >> 2. Run selinuxdefcon to compute the default context for root when >> logging in from sshd: >> >> # Second argument should be whatever was shown by ps -eZ | grep sshd >> above. >> selinuxdefcon root system_u:system_r:sshd_t:s0-s0.c0123 >> >> It should be: >> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 >> >> >> > > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 7787 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-12-04 16:01 ` Aman Sharma 2017-12-04 16:06 ` Aman Sharma @ 2017-12-04 16:09 ` Stephen Smalley 2017-12-04 16:34 ` Aman Sharma 1 sibling, 1 reply; 43+ messages in thread From: Stephen Smalley @ 2017-12-04 16:09 UTC (permalink / raw) To: Aman Sharma; +Cc: Simon Sekidde, SELinux On Mon, 2017-12-04 at 21:31 +0530, Aman Sharma wrote: > Hi Stephen, > > I got the below logs from the file .Can you please if these logs are > fine or not : > > journalctl | grep selinux > Dec 05 02:55:46 localhost.localdomain kernel: EVM: security.selinux > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain > type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0 auid=0 > ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > msg='op=PAM:session_open > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyin > it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 > addr=10.97.7.209 terminal=ssh res=success' > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain > type=USER_START msg=audit(1512402970.131:108): pid=7568 uid=0 auid=0 > ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > msg='op=PAM:session_open > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyin > it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 > addr=10.97.7.209 terminal=ssh res=success' > > Please let me know if any comments are there. Those are normal. Check journalctl and /var/log/secure for any errors from sshd. Also try the selinuxdefcon command I mentioned. > > On Mon, Dec 4, 2017 at 9:10 PM, Stephen Smalley <sds@tycho.nsa.gov> > wrote: > > On Sat, 2017-12-02 at 09:29 +0530, Aman Sharma wrote: > > > Hi All, > > > > > > Thanks for the information. > > > > > > But after resetting the semanage User/login, and moving the > > targeted > > > folder to old one and then install the default target. then also > > its > > > still showing the > > > Id context as context=system_u:system_r:unconfined_t:s0- > > s0:c0.c1023. > > > > > > What I observed is after changing the permission using semanage > > > command also, its still showing the system_u:system_r. > > > > > > Check the semanage login/User output : > > > > > > semanage login -l > > > > > > Login Name SELinux User MLS/MCS Range > > > Service > > > > > > __default__ unconfined_u s0-s0:c0.c1023 * > > > root unconfined_u s0-s0:c0.c1023 * > > > system_u system_u s0-s0:c0.c1023 * > > > > > > > > > semanage user -l > > > > > > Labeling MLS/ MLS/ > > > > > SELinux User Prefix MCS Level MCS Range > > > > > SELinux Roles > > > > > > guest_u user s0 s0 > > > > > guest_r > > > root user s0 s0-s0:c0.c1023 > > > > > staff_r sysadm_r system_r unconfined_r > > > staff_u user s0 s0-s0:c0.c1023 > > > > > staff_r sysadm_r system_r unconfined_r > > > sysadm_u user s0 s0-s0:c0.c1023 > > > > > sysadm_r > > > system_u user s0 s0-s0:c0.c1023 > > > > > system_r unconfined_r > > > unconfined_u user s0 s0-s0:c0.c1023 > > > > > system_r unconfined_r > > > user_u user s0 s0 > > > > > user_r > > > xguest_u user s0 s0 > > > > > xguest_r > > > > > > > > > Looks like its related to some other issue. What you think about > > > this. > > > > Do you have any relevant error messages in /var/log/secure or > > journalctl -rb? Look for anything that refers to selinux or > > context. > > > > I'm guessing that pam_selinux is unable to determine a valid > > context > > for your login for some reason, and this is causing it to fall back > > to > > this one. Or something like that. > > > > You could try to emulate this process via selinuxdefcon, although > > I'm > > not sure how closely it matches pam_selinux anymore. Sample usage: > > > > 1. See what context sshd is running in. > > > > ps -eZ | grep sshd > > > > It should be: > > system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > > 2. Run selinuxdefcon to compute the default context for root when > > logging in from sshd: > > > > # Second argument should be whatever was shown by ps -eZ | grep > > sshd > > above. > > selinuxdefcon root system_u:system_r:sshd_t:s0-s0.c0123 > > > > It should be: > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > > > > > > > > > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-12-04 16:09 ` Stephen Smalley @ 2017-12-04 16:34 ` Aman Sharma 2017-12-04 16:38 ` Stephen Smalley 0 siblings, 1 reply; 43+ messages in thread From: Aman Sharma @ 2017-12-04 16:34 UTC (permalink / raw) To: Stephen Smalley; +Cc: Simon Sekidde, SELinux [-- Attachment #1: Type: text/plain, Size: 4955 bytes --] Hi Stephen, Thanks alot for the help. I got the issue. Its due to the problem in /etc/pam.d/sshd file. After fixing this, now is working fine. Thanks alot once again. On Mon, Dec 4, 2017 at 9:39 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Mon, 2017-12-04 at 21:31 +0530, Aman Sharma wrote: > > Hi Stephen, > > > > I got the below logs from the file .Can you please if these logs are > > fine or not : > > > > journalctl | grep selinux > > Dec 05 02:55:46 localhost.localdomain kernel: EVM: security.selinux > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain > > type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0 auid=0 > > ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > > msg='op=PAM:session_open > > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyin > > it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog > > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 > > addr=10.97.7.209 terminal=ssh res=success' > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain > > type=USER_START msg=audit(1512402970.131:108): pid=7568 uid=0 auid=0 > > ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > > msg='op=PAM:session_open > > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyin > > it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog > > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 > > addr=10.97.7.209 terminal=ssh res=success' > > > > Please let me know if any comments are there. > > Those are normal. Check journalctl and /var/log/secure for any errors > from sshd. > Also try the selinuxdefcon command I mentioned. > > > > > On Mon, Dec 4, 2017 at 9:10 PM, Stephen Smalley <sds@tycho.nsa.gov> > > wrote: > > > On Sat, 2017-12-02 at 09:29 +0530, Aman Sharma wrote: > > > > Hi All, > > > > > > > > Thanks for the information. > > > > > > > > But after resetting the semanage User/login, and moving the > > > targeted > > > > folder to old one and then install the default target. then also > > > its > > > > still showing the > > > > Id context as context=system_u:system_r:unconfined_t:s0- > > > s0:c0.c1023. > > > > > > > > What I observed is after changing the permission using semanage > > > > command also, its still showing the system_u:system_r. > > > > > > > > Check the semanage login/User output : > > > > > > > > semanage login -l > > > > > > > > Login Name SELinux User MLS/MCS Range > > > > Service > > > > > > > > __default__ unconfined_u s0-s0:c0.c1023 * > > > > root unconfined_u s0-s0:c0.c1023 * > > > > system_u system_u s0-s0:c0.c1023 * > > > > > > > > > > > > semanage user -l > > > > > > > > Labeling MLS/ MLS/ > > > > > > > SELinux User Prefix MCS Level MCS Range > > > > > > > SELinux Roles > > > > > > > > guest_u user s0 s0 > > > > > > > guest_r > > > > root user s0 s0-s0:c0.c1023 > > > > > > > staff_r sysadm_r system_r unconfined_r > > > > staff_u user s0 s0-s0:c0.c1023 > > > > > > > staff_r sysadm_r system_r unconfined_r > > > > sysadm_u user s0 s0-s0:c0.c1023 > > > > > > > sysadm_r > > > > system_u user s0 s0-s0:c0.c1023 > > > > > > > system_r unconfined_r > > > > unconfined_u user s0 s0-s0:c0.c1023 > > > > > > > system_r unconfined_r > > > > user_u user s0 s0 > > > > > > > user_r > > > > xguest_u user s0 s0 > > > > > > > xguest_r > > > > > > > > > > > > Looks like its related to some other issue. What you think about > > > > this. > > > > > > Do you have any relevant error messages in /var/log/secure or > > > journalctl -rb? Look for anything that refers to selinux or > > > context. > > > > > > I'm guessing that pam_selinux is unable to determine a valid > > > context > > > for your login for some reason, and this is causing it to fall back > > > to > > > this one. Or something like that. > > > > > > You could try to emulate this process via selinuxdefcon, although > > > I'm > > > not sure how closely it matches pam_selinux anymore. Sample usage: > > > > > > 1. See what context sshd is running in. > > > > > > ps -eZ | grep sshd > > > > > > It should be: > > > system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > > > > 2. Run selinuxdefcon to compute the default context for root when > > > logging in from sshd: > > > > > > # Second argument should be whatever was shown by ps -eZ | grep > > > sshd > > > above. > > > selinuxdefcon root system_u:system_r:sshd_t:s0-s0.c0123 > > > > > > It should be: > > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > -- > > > > Thanks > > Aman > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 7641 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-12-04 16:34 ` Aman Sharma @ 2017-12-04 16:38 ` Stephen Smalley 2017-12-05 8:32 ` Aman Sharma 0 siblings, 1 reply; 43+ messages in thread From: Stephen Smalley @ 2017-12-04 16:38 UTC (permalink / raw) To: Aman Sharma; +Cc: SELinux On Mon, 2017-12-04 at 22:04 +0530, Aman Sharma wrote: > Hi Stephen, > > Thanks alot for the help. > > I got the issue. Its due to the problem in /etc/pam.d/sshd file. > > After fixing this, now is working fine. Thanks alot once again. Ok, can you explain what exactly what wrong in your /etc/pam.d/sshd file, so that if someone else encounters this behavior in the future, they can find a solution in the list archives? > > On Mon, Dec 4, 2017 at 9:39 PM, Stephen Smalley <sds@tycho.nsa.gov> > wrote: > > On Mon, 2017-12-04 at 21:31 +0530, Aman Sharma wrote: > > > Hi Stephen, > > > > > > I got the below logs from the file .Can you please if these logs > > are > > > fine or not : > > > > > > journalctl | grep selinux > > > Dec 05 02:55:46 localhost.localdomain kernel: EVM: > > security.selinux > > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain > > > type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0 > > auid=0 > > > ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > msg='op=PAM:session_open > > > > > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_key > > in > > > it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog > > > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 > > > addr=10.97.7.209 terminal=ssh res=success' > > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain > > > type=USER_START msg=audit(1512402970.131:108): pid=7568 uid=0 > > auid=0 > > > ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > msg='op=PAM:session_open > > > > > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_key > > in > > > it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog > > > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 > > > addr=10.97.7.209 terminal=ssh res=success' > > > > > > Please let me know if any comments are there. > > > > Those are normal. Check journalctl and /var/log/secure for any > > errors > > from sshd. > > Also try the selinuxdefcon command I mentioned. > > > > > > > > On Mon, Dec 4, 2017 at 9:10 PM, Stephen Smalley <sds@tycho.nsa.go > > v> > > > wrote: > > > > On Sat, 2017-12-02 at 09:29 +0530, Aman Sharma wrote: > > > > > Hi All, > > > > > > > > > > Thanks for the information. > > > > > > > > > > But after resetting the semanage User/login, and moving the > > > > targeted > > > > > folder to old one and then install the default target. then > > also > > > > its > > > > > still showing the > > > > > Id context as context=system_u:system_r:unconfined_t:s0- > > > > s0:c0.c1023. > > > > > > > > > > What I observed is after changing the permission using > > semanage > > > > > command also, its still showing the system_u:system_r. > > > > > > > > > > Check the semanage login/User output : > > > > > > > > > > semanage login -l > > > > > > > > > > Login Name SELinux User MLS/MCS Range > > > > > > > Service > > > > > > > > > > __default__ unconfined_u s0-s0:c0.c1023 > > * > > > > > root unconfined_u s0-s0:c0.c1023 > > * > > > > > system_u system_u s0-s0:c0.c1023 > > * > > > > > > > > > > > > > > > semanage user -l > > > > > > > > > > Labeling MLS/ MLS/ > > > > > > > > > > > SELinux User Prefix MCS Level MCS Range > > > > > > > > > > > SELinux Roles > > > > > > > > > > guest_u user s0 s0 > > > > > > > > > > > guest_r > > > > > root user s0 s0-s0:c0.c1023 > > > > > > > > > > > staff_r sysadm_r system_r unconfined_r > > > > > staff_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > staff_r sysadm_r system_r unconfined_r > > > > > sysadm_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > sysadm_r > > > > > system_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > system_r unconfined_r > > > > > unconfined_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > system_r unconfined_r > > > > > user_u user s0 s0 > > > > > > > > > > > user_r > > > > > xguest_u user s0 s0 > > > > > > > > > > > xguest_r > > > > > > > > > > > > > > > Looks like its related to some other issue. What you think > > about > > > > > this. > > > > > > > > Do you have any relevant error messages in /var/log/secure or > > > > journalctl -rb? Look for anything that refers to selinux or > > > > context. > > > > > > > > I'm guessing that pam_selinux is unable to determine a valid > > > > context > > > > for your login for some reason, and this is causing it to fall > > back > > > > to > > > > this one. Or something like that. > > > > > > > > You could try to emulate this process via selinuxdefcon, > > although > > > > I'm > > > > not sure how closely it matches pam_selinux anymore. Sample > > usage: > > > > > > > > 1. See what context sshd is running in. > > > > > > > > ps -eZ | grep sshd > > > > > > > > It should be: > > > > system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > > > > > > 2. Run selinuxdefcon to compute the default context for root > > when > > > > logging in from sshd: > > > > > > > > # Second argument should be whatever was shown by ps -eZ | grep > > > > sshd > > > > above. > > > > selinuxdefcon root system_u:system_r:sshd_t:s0-s0.c0123 > > > > > > > > It should be: > > > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > Thanks > > > Aman > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-12-04 16:38 ` Stephen Smalley @ 2017-12-05 8:32 ` Aman Sharma 2017-12-05 8:40 ` Dominick Grift 0 siblings, 1 reply; 43+ messages in thread From: Aman Sharma @ 2017-12-05 8:32 UTC (permalink / raw) To: Stephen Smalley; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 7796 bytes --] Hi Stephen, Below is the changes which I made in Login and ssh file : cat /etc/pam.d/sshd #%PAM-1.0 auth required pam_sepermit.so auth include password-auth # Used with polkit to reauthorize users in remote sessions account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth # Used with polkit to reauthorize users in remote sessions cat /etc/pam.d/login #%PAM-1.0 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so auth include system-auth account required pam_nologin.so account include system-auth password include system-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so session optional pam_console.so # pam_selinux.so restore should only be followed by sessions to be executed in the user context session required pam_selinux.so open session required pam_namespace.so session optional pam_keyinit.so force revoke session include system-auth -session optional pam_ck_connector.so Please Let me know if any comments are there. On Mon, Dec 4, 2017 at 10:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Mon, 2017-12-04 at 22:04 +0530, Aman Sharma wrote: > > Hi Stephen, > > > > Thanks alot for the help. > > > > I got the issue. Its due to the problem in /etc/pam.d/sshd file. > > > > After fixing this, now is working fine. Thanks alot once again. > > Ok, can you explain what exactly what wrong in your /etc/pam.d/sshd > file, so that if someone else encounters this behavior in the future, > they can find a solution in the list archives? > > > > > On Mon, Dec 4, 2017 at 9:39 PM, Stephen Smalley <sds@tycho.nsa.gov> > > wrote: > > > On Mon, 2017-12-04 at 21:31 +0530, Aman Sharma wrote: > > > > Hi Stephen, > > > > > > > > I got the below logs from the file .Can you please if these logs > > > are > > > > fine or not : > > > > > > > > journalctl | grep selinux > > > > Dec 05 02:55:46 localhost.localdomain kernel: EVM: > > > security.selinux > > > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain > > > > type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0 > > > auid=0 > > > > ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > > msg='op=PAM:session_open > > > > > > > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_key > > > in > > > > it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog > > > > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 > > > > addr=10.97.7.209 terminal=ssh res=success' > > > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain > > > > type=USER_START msg=audit(1512402970.131:108): pid=7568 uid=0 > > > auid=0 > > > > ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > > msg='op=PAM:session_open > > > > > > > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_key > > > in > > > > it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog > > > > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 > > > > addr=10.97.7.209 terminal=ssh res=success' > > > > > > > > Please let me know if any comments are there. > > > > > > Those are normal. Check journalctl and /var/log/secure for any > > > errors > > > from sshd. > > > Also try the selinuxdefcon command I mentioned. > > > > > > > > > > > On Mon, Dec 4, 2017 at 9:10 PM, Stephen Smalley <sds@tycho.nsa.go > > > v> > > > > wrote: > > > > > On Sat, 2017-12-02 at 09:29 +0530, Aman Sharma wrote: > > > > > > Hi All, > > > > > > > > > > > > Thanks for the information. > > > > > > > > > > > > But after resetting the semanage User/login, and moving the > > > > > targeted > > > > > > folder to old one and then install the default target. then > > > also > > > > > its > > > > > > still showing the > > > > > > Id context as context=system_u:system_r:unconfined_t:s0- > > > > > s0:c0.c1023. > > > > > > > > > > > > What I observed is after changing the permission using > > > semanage > > > > > > command also, its still showing the system_u:system_r. > > > > > > > > > > > > Check the semanage login/User output : > > > > > > > > > > > > semanage login -l > > > > > > > > > > > > Login Name SELinux User MLS/MCS Range > > > > > > > > > Service > > > > > > > > > > > > __default__ unconfined_u s0-s0:c0.c1023 > > > * > > > > > > root unconfined_u s0-s0:c0.c1023 > > > * > > > > > > system_u system_u s0-s0:c0.c1023 > > > * > > > > > > > > > > > > > > > > > > semanage user -l > > > > > > > > > > > > Labeling MLS/ MLS/ > > > > > > > > > > > > > > SELinux User Prefix MCS Level MCS Range > > > > > > > > > > > > > > SELinux Roles > > > > > > > > > > > > guest_u user s0 s0 > > > > > > > > > > > > > > guest_r > > > > > > root user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > staff_r sysadm_r system_r unconfined_r > > > > > > staff_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > staff_r sysadm_r system_r unconfined_r > > > > > > sysadm_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > sysadm_r > > > > > > system_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > system_r unconfined_r > > > > > > unconfined_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > system_r unconfined_r > > > > > > user_u user s0 s0 > > > > > > > > > > > > > > user_r > > > > > > xguest_u user s0 s0 > > > > > > > > > > > > > > xguest_r > > > > > > > > > > > > > > > > > > Looks like its related to some other issue. What you think > > > about > > > > > > this. > > > > > > > > > > Do you have any relevant error messages in /var/log/secure or > > > > > journalctl -rb? Look for anything that refers to selinux or > > > > > context. > > > > > > > > > > I'm guessing that pam_selinux is unable to determine a valid > > > > > context > > > > > for your login for some reason, and this is causing it to fall > > > back > > > > > to > > > > > this one. Or something like that. > > > > > > > > > > You could try to emulate this process via selinuxdefcon, > > > although > > > > > I'm > > > > > not sure how closely it matches pam_selinux anymore. Sample > > > usage: > > > > > > > > > > 1. See what context sshd is running in. > > > > > > > > > > ps -eZ | grep sshd > > > > > > > > > > It should be: > > > > > system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > > > > > > > > 2. Run selinuxdefcon to compute the default context for root > > > when > > > > > logging in from sshd: > > > > > > > > > > # Second argument should be whatever was shown by ps -eZ | grep > > > > > sshd > > > > > above. > > > > > selinuxdefcon root system_u:system_r:sshd_t:s0-s0.c0123 > > > > > > > > > > It should be: > > > > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > Thanks > > > > Aman > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > > > > > > -- > > > > Thanks > > Aman > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 12406 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-12-05 8:32 ` Aman Sharma @ 2017-12-05 8:40 ` Dominick Grift 2017-12-05 9:04 ` Aman Sharma 0 siblings, 1 reply; 43+ messages in thread From: Dominick Grift @ 2017-12-05 8:40 UTC (permalink / raw) To: selinux [-- Attachment #1: Type: text/plain, Size: 8918 bytes --] On Tue, Dec 05, 2017 at 02:02:37PM +0530, Aman Sharma wrote: > Hi Stephen, > > Below is the changes which I made in Login and ssh file : > > cat /etc/pam.d/sshd > #%PAM-1.0 > auth required pam_sepermit.so side note: this is a "bug" https://src.fedoraproject.org/rpms/openssh/c/e044c5cf76618b023a4315f41fe126c80c06b833?branch=master > auth include password-auth > # Used with polkit to reauthorize users in remote sessions > account required pam_nologin.so > account include password-auth > password include password-auth > # pam_selinux.so close should be the first session rule > session required pam_selinux.so close > session required pam_loginuid.so > # pam_selinux.so open should only be followed by sessions to be executed in > the user context > session required pam_selinux.so open env_params > session required pam_namespace.so > session optional pam_keyinit.so force revoke > session include password-auth > # Used with polkit to reauthorize users in remote sessions > > > cat /etc/pam.d/login > #%PAM-1.0 > auth [user_unknown=ignore success=ok ignore=ignore default=bad] > pam_securetty.so > auth include system-auth > account required pam_nologin.so > account include system-auth > password include system-auth > # pam_selinux.so close should be the first session rule > session required pam_selinux.so close > session required pam_loginuid.so > session optional pam_console.so > # pam_selinux.so restore should only be followed by sessions to be executed > in the user context > session required pam_selinux.so open > session required pam_namespace.so > session optional pam_keyinit.so force revoke > session include system-auth > -session optional pam_ck_connector.so > > Please Let me know if any comments are there. > > On Mon, Dec 4, 2017 at 10:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > > > On Mon, 2017-12-04 at 22:04 +0530, Aman Sharma wrote: > > > Hi Stephen, > > > > > > Thanks alot for the help. > > > > > > I got the issue. Its due to the problem in /etc/pam.d/sshd file. > > > > > > After fixing this, now is working fine. Thanks alot once again. > > > > Ok, can you explain what exactly what wrong in your /etc/pam.d/sshd > > file, so that if someone else encounters this behavior in the future, > > they can find a solution in the list archives? > > > > > > > > On Mon, Dec 4, 2017 at 9:39 PM, Stephen Smalley <sds@tycho.nsa.gov> > > > wrote: > > > > On Mon, 2017-12-04 at 21:31 +0530, Aman Sharma wrote: > > > > > Hi Stephen, > > > > > > > > > > I got the below logs from the file .Can you please if these logs > > > > are > > > > > fine or not : > > > > > > > > > > journalctl | grep selinux > > > > > Dec 05 02:55:46 localhost.localdomain kernel: EVM: > > > > security.selinux > > > > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain > > > > > type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0 > > > > auid=0 > > > > > ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > > > msg='op=PAM:session_open > > > > > > > > > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_key > > > > in > > > > > it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog > > > > > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 > > > > > addr=10.97.7.209 terminal=ssh res=success' > > > > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain > > > > > type=USER_START msg=audit(1512402970.131:108): pid=7568 uid=0 > > > > auid=0 > > > > > ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > > > msg='op=PAM:session_open > > > > > > > > > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_key > > > > in > > > > > it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog > > > > > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 > > > > > addr=10.97.7.209 terminal=ssh res=success' > > > > > > > > > > Please let me know if any comments are there. > > > > > > > > Those are normal. Check journalctl and /var/log/secure for any > > > > errors > > > > from sshd. > > > > Also try the selinuxdefcon command I mentioned. > > > > > > > > > > > > > > On Mon, Dec 4, 2017 at 9:10 PM, Stephen Smalley <sds@tycho.nsa.go > > > > v> > > > > > wrote: > > > > > > On Sat, 2017-12-02 at 09:29 +0530, Aman Sharma wrote: > > > > > > > Hi All, > > > > > > > > > > > > > > Thanks for the information. > > > > > > > > > > > > > > But after resetting the semanage User/login, and moving the > > > > > > targeted > > > > > > > folder to old one and then install the default target. then > > > > also > > > > > > its > > > > > > > still showing the > > > > > > > Id context as context=system_u:system_r:unconfined_t:s0- > > > > > > s0:c0.c1023. > > > > > > > > > > > > > > What I observed is after changing the permission using > > > > semanage > > > > > > > command also, its still showing the system_u:system_r. > > > > > > > > > > > > > > Check the semanage login/User output : > > > > > > > > > > > > > > semanage login -l > > > > > > > > > > > > > > Login Name SELinux User MLS/MCS Range > > > > > > > > > > > Service > > > > > > > > > > > > > > __default__ unconfined_u s0-s0:c0.c1023 > > > > * > > > > > > > root unconfined_u s0-s0:c0.c1023 > > > > * > > > > > > > system_u system_u s0-s0:c0.c1023 > > > > * > > > > > > > > > > > > > > > > > > > > > semanage user -l > > > > > > > > > > > > > > Labeling MLS/ MLS/ > > > > > > > > > > > > > > > > > SELinux User Prefix MCS Level MCS Range > > > > > > > > > > > > > > > > > SELinux Roles > > > > > > > > > > > > > > guest_u user s0 s0 > > > > > > > > > > > > > > > > > guest_r > > > > > > > root user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > staff_r sysadm_r system_r unconfined_r > > > > > > > staff_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > staff_r sysadm_r system_r unconfined_r > > > > > > > sysadm_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > sysadm_r > > > > > > > system_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > system_r unconfined_r > > > > > > > unconfined_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > system_r unconfined_r > > > > > > > user_u user s0 s0 > > > > > > > > > > > > > > > > > user_r > > > > > > > xguest_u user s0 s0 > > > > > > > > > > > > > > > > > xguest_r > > > > > > > > > > > > > > > > > > > > > Looks like its related to some other issue. What you think > > > > about > > > > > > > this. > > > > > > > > > > > > Do you have any relevant error messages in /var/log/secure or > > > > > > journalctl -rb? Look for anything that refers to selinux or > > > > > > context. > > > > > > > > > > > > I'm guessing that pam_selinux is unable to determine a valid > > > > > > context > > > > > > for your login for some reason, and this is causing it to fall > > > > back > > > > > > to > > > > > > this one. Or something like that. > > > > > > > > > > > > You could try to emulate this process via selinuxdefcon, > > > > although > > > > > > I'm > > > > > > not sure how closely it matches pam_selinux anymore. Sample > > > > usage: > > > > > > > > > > > > 1. See what context sshd is running in. > > > > > > > > > > > > ps -eZ | grep sshd > > > > > > > > > > > > It should be: > > > > > > system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > > > > > > > > > > 2. Run selinuxdefcon to compute the default context for root > > > > when > > > > > > logging in from sshd: > > > > > > > > > > > > # Second argument should be whatever was shown by ps -eZ | grep > > > > > > sshd > > > > > > above. > > > > > > selinuxdefcon root system_u:system_r:sshd_t:s0-s0.c0123 > > > > > > > > > > > > It should be: > > > > > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > Thanks > > > > > Aman > > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > > > > > > > > > > > -- > > > > > > Thanks > > > Aman > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 659 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-12-05 8:40 ` Dominick Grift @ 2017-12-05 9:04 ` Aman Sharma 2017-12-05 9:13 ` Dominick Grift 0 siblings, 1 reply; 43+ messages in thread From: Aman Sharma @ 2017-12-05 9:04 UTC (permalink / raw) To: SELinux [-- Attachment #1: Type: text/plain, Size: 9375 bytes --] Is this a bug in cent OS 7.3 ? On Tue, Dec 5, 2017 at 2:10 PM, Dominick Grift <dac.override@gmail.com> wrote: > On Tue, Dec 05, 2017 at 02:02:37PM +0530, Aman Sharma wrote: > > Hi Stephen, > > > > Below is the changes which I made in Login and ssh file : > > > > cat /etc/pam.d/sshd > > #%PAM-1.0 > > auth required pam_sepermit.so > > side note: this is a "bug" > https://src.fedoraproject.org/rpms/openssh/c/ > e044c5cf76618b023a4315f41fe126c80c06b833?branch=master > > > auth include password-auth > > # Used with polkit to reauthorize users in remote sessions > > account required pam_nologin.so > > account include password-auth > > password include password-auth > > # pam_selinux.so close should be the first session rule > > session required pam_selinux.so close > > session required pam_loginuid.so > > # pam_selinux.so open should only be followed by sessions to be executed > in > > the user context > > session required pam_selinux.so open env_params > > session required pam_namespace.so > > session optional pam_keyinit.so force revoke > > session include password-auth > > # Used with polkit to reauthorize users in remote sessions > > > > > > cat /etc/pam.d/login > > #%PAM-1.0 > > auth [user_unknown=ignore success=ok ignore=ignore default=bad] > > pam_securetty.so > > auth include system-auth > > account required pam_nologin.so > > account include system-auth > > password include system-auth > > # pam_selinux.so close should be the first session rule > > session required pam_selinux.so close > > session required pam_loginuid.so > > session optional pam_console.so > > # pam_selinux.so restore should only be followed by sessions to be > executed > > in the user context > > session required pam_selinux.so open > > session required pam_namespace.so > > session optional pam_keyinit.so force revoke > > session include system-auth > > -session optional pam_ck_connector.so > > > > Please Let me know if any comments are there. > > > > On Mon, Dec 4, 2017 at 10:08 PM, Stephen Smalley <sds@tycho.nsa.gov> > wrote: > > > > > On Mon, 2017-12-04 at 22:04 +0530, Aman Sharma wrote: > > > > Hi Stephen, > > > > > > > > Thanks alot for the help. > > > > > > > > I got the issue. Its due to the problem in /etc/pam.d/sshd file. > > > > > > > > After fixing this, now is working fine. Thanks alot once again. > > > > > > Ok, can you explain what exactly what wrong in your /etc/pam.d/sshd > > > file, so that if someone else encounters this behavior in the future, > > > they can find a solution in the list archives? > > > > > > > > > > > On Mon, Dec 4, 2017 at 9:39 PM, Stephen Smalley <sds@tycho.nsa.gov> > > > > wrote: > > > > > On Mon, 2017-12-04 at 21:31 +0530, Aman Sharma wrote: > > > > > > Hi Stephen, > > > > > > > > > > > > I got the below logs from the file .Can you please if these logs > > > > > are > > > > > > fine or not : > > > > > > > > > > > > journalctl | grep selinux > > > > > > Dec 05 02:55:46 localhost.localdomain kernel: EVM: > > > > > security.selinux > > > > > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain > > > > > > type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0 > > > > > auid=0 > > > > > > ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > > > > msg='op=PAM:session_open > > > > > > > > > > > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_ > namespace,pam_key > > > > > in > > > > > > it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog > > > > > > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 > > > > > > addr=10.97.7.209 terminal=ssh res=success' > > > > > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain > > > > > > type=USER_START msg=audit(1512402970.131:108): pid=7568 uid=0 > > > > > auid=0 > > > > > > ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > > > > msg='op=PAM:session_open > > > > > > > > > > > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_ > namespace,pam_key > > > > > in > > > > > > it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog > > > > > > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 > > > > > > addr=10.97.7.209 terminal=ssh res=success' > > > > > > > > > > > > Please let me know if any comments are there. > > > > > > > > > > Those are normal. Check journalctl and /var/log/secure for any > > > > > errors > > > > > from sshd. > > > > > Also try the selinuxdefcon command I mentioned. > > > > > > > > > > > > > > > > > On Mon, Dec 4, 2017 at 9:10 PM, Stephen Smalley <sds@tycho.nsa.go > > > > > v> > > > > > > wrote: > > > > > > > On Sat, 2017-12-02 at 09:29 +0530, Aman Sharma wrote: > > > > > > > > Hi All, > > > > > > > > > > > > > > > > Thanks for the information. > > > > > > > > > > > > > > > > But after resetting the semanage User/login, and moving the > > > > > > > targeted > > > > > > > > folder to old one and then install the default target. then > > > > > also > > > > > > > its > > > > > > > > still showing the > > > > > > > > Id context as context=system_u:system_r:unconfined_t:s0- > > > > > > > s0:c0.c1023. > > > > > > > > > > > > > > > > What I observed is after changing the permission using > > > > > semanage > > > > > > > > command also, its still showing the system_u:system_r. > > > > > > > > > > > > > > > > Check the semanage login/User output : > > > > > > > > > > > > > > > > semanage login -l > > > > > > > > > > > > > > > > Login Name SELinux User MLS/MCS Range > > > > > > > > > > > > > Service > > > > > > > > > > > > > > > > __default__ unconfined_u s0-s0:c0.c1023 > > > > > * > > > > > > > > root unconfined_u s0-s0:c0.c1023 > > > > > * > > > > > > > > system_u system_u s0-s0:c0.c1023 > > > > > * > > > > > > > > > > > > > > > > > > > > > > > > semanage user -l > > > > > > > > > > > > > > > > Labeling MLS/ MLS/ > > > > > > > > > > > > > > > > > > > > SELinux User Prefix MCS Level MCS Range > > > > > > > > > > > > > > > > > > > > SELinux Roles > > > > > > > > > > > > > > > > guest_u user s0 s0 > > > > > > > > > > > > > > > > > > > > guest_r > > > > > > > > root user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > > > > staff_r sysadm_r system_r unconfined_r > > > > > > > > staff_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > > > > staff_r sysadm_r system_r unconfined_r > > > > > > > > sysadm_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > > > > sysadm_r > > > > > > > > system_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > > > > system_r unconfined_r > > > > > > > > unconfined_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > > > > system_r unconfined_r > > > > > > > > user_u user s0 s0 > > > > > > > > > > > > > > > > > > > > user_r > > > > > > > > xguest_u user s0 s0 > > > > > > > > > > > > > > > > > > > > xguest_r > > > > > > > > > > > > > > > > > > > > > > > > Looks like its related to some other issue. What you think > > > > > about > > > > > > > > this. > > > > > > > > > > > > > > Do you have any relevant error messages in /var/log/secure or > > > > > > > journalctl -rb? Look for anything that refers to selinux or > > > > > > > context. > > > > > > > > > > > > > > I'm guessing that pam_selinux is unable to determine a valid > > > > > > > context > > > > > > > for your login for some reason, and this is causing it to fall > > > > > back > > > > > > > to > > > > > > > this one. Or something like that. > > > > > > > > > > > > > > You could try to emulate this process via selinuxdefcon, > > > > > although > > > > > > > I'm > > > > > > > not sure how closely it matches pam_selinux anymore. Sample > > > > > usage: > > > > > > > > > > > > > > 1. See what context sshd is running in. > > > > > > > > > > > > > > ps -eZ | grep sshd > > > > > > > > > > > > > > It should be: > > > > > > > system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > > > > > > > > > > > > 2. Run selinuxdefcon to compute the default context for root > > > > > when > > > > > > > logging in from sshd: > > > > > > > > > > > > > > # Second argument should be whatever was shown by ps -eZ | grep > > > > > > > sshd > > > > > > > above. > > > > > > > selinuxdefcon root system_u:system_r:sshd_t:s0-s0.c0123 > > > > > > > > > > > > > > It should be: > > > > > > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > Thanks > > > > > > Aman > > > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > Thanks > > > > Aman > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > > > > > > -- > > > > Thanks > > Aman > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > -- > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > Dominick Grift > -- Thanks Aman Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com [-- Attachment #2: Type: text/html, Size: 15097 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Qwery regarding Selinux Change Id context 2017-12-05 9:04 ` Aman Sharma @ 2017-12-05 9:13 ` Dominick Grift 0 siblings, 0 replies; 43+ messages in thread From: Dominick Grift @ 2017-12-05 9:13 UTC (permalink / raw) To: selinux [-- Attachment #1: Type: text/plain, Size: 10583 bytes --] On Tue, Dec 05, 2017 at 02:34:26PM +0530, Aman Sharma wrote: > Is this a bug in cent OS 7.3 ? I suppose.. but it will only affect you if you actually leverage pam_sepermit (ie. if you edit /etc/security/sepermit.conf) > > On Tue, Dec 5, 2017 at 2:10 PM, Dominick Grift <dac.override@gmail.com> > wrote: > > > On Tue, Dec 05, 2017 at 02:02:37PM +0530, Aman Sharma wrote: > > > Hi Stephen, > > > > > > Below is the changes which I made in Login and ssh file : > > > > > > cat /etc/pam.d/sshd > > > #%PAM-1.0 > > > auth required pam_sepermit.so > > > > side note: this is a "bug" > > https://src.fedoraproject.org/rpms/openssh/c/ > > e044c5cf76618b023a4315f41fe126c80c06b833?branch=master > > > > > auth include password-auth > > > # Used with polkit to reauthorize users in remote sessions > > > account required pam_nologin.so > > > account include password-auth > > > password include password-auth > > > # pam_selinux.so close should be the first session rule > > > session required pam_selinux.so close > > > session required pam_loginuid.so > > > # pam_selinux.so open should only be followed by sessions to be executed > > in > > > the user context > > > session required pam_selinux.so open env_params > > > session required pam_namespace.so > > > session optional pam_keyinit.so force revoke > > > session include password-auth > > > # Used with polkit to reauthorize users in remote sessions > > > > > > > > > cat /etc/pam.d/login > > > #%PAM-1.0 > > > auth [user_unknown=ignore success=ok ignore=ignore default=bad] > > > pam_securetty.so > > > auth include system-auth > > > account required pam_nologin.so > > > account include system-auth > > > password include system-auth > > > # pam_selinux.so close should be the first session rule > > > session required pam_selinux.so close > > > session required pam_loginuid.so > > > session optional pam_console.so > > > # pam_selinux.so restore should only be followed by sessions to be > > executed > > > in the user context > > > session required pam_selinux.so open > > > session required pam_namespace.so > > > session optional pam_keyinit.so force revoke > > > session include system-auth > > > -session optional pam_ck_connector.so > > > > > > Please Let me know if any comments are there. > > > > > > On Mon, Dec 4, 2017 at 10:08 PM, Stephen Smalley <sds@tycho.nsa.gov> > > wrote: > > > > > > > On Mon, 2017-12-04 at 22:04 +0530, Aman Sharma wrote: > > > > > Hi Stephen, > > > > > > > > > > Thanks alot for the help. > > > > > > > > > > I got the issue. Its due to the problem in /etc/pam.d/sshd file. > > > > > > > > > > After fixing this, now is working fine. Thanks alot once again. > > > > > > > > Ok, can you explain what exactly what wrong in your /etc/pam.d/sshd > > > > file, so that if someone else encounters this behavior in the future, > > > > they can find a solution in the list archives? > > > > > > > > > > > > > > On Mon, Dec 4, 2017 at 9:39 PM, Stephen Smalley <sds@tycho.nsa.gov> > > > > > wrote: > > > > > > On Mon, 2017-12-04 at 21:31 +0530, Aman Sharma wrote: > > > > > > > Hi Stephen, > > > > > > > > > > > > > > I got the below logs from the file .Can you please if these logs > > > > > > are > > > > > > > fine or not : > > > > > > > > > > > > > > journalctl | grep selinux > > > > > > > Dec 05 02:55:46 localhost.localdomain kernel: EVM: > > > > > > security.selinux > > > > > > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain > > > > > > > type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0 > > > > > > auid=0 > > > > > > > ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > > > > > msg='op=PAM:session_open > > > > > > > > > > > > > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_ > > namespace,pam_key > > > > > > in > > > > > > > it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog > > > > > > > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 > > > > > > > addr=10.97.7.209 terminal=ssh res=success' > > > > > > > Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain > > > > > > > type=USER_START msg=audit(1512402970.131:108): pid=7568 uid=0 > > > > > > auid=0 > > > > > > > ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > > > > > msg='op=PAM:session_open > > > > > > > > > > > > > grantors=pam_selinux,pam_loginuid,pam_selinux,pam_ > > namespace,pam_key > > > > > > in > > > > > > > it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog > > > > > > > acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 > > > > > > > addr=10.97.7.209 terminal=ssh res=success' > > > > > > > > > > > > > > Please let me know if any comments are there. > > > > > > > > > > > > Those are normal. Check journalctl and /var/log/secure for any > > > > > > errors > > > > > > from sshd. > > > > > > Also try the selinuxdefcon command I mentioned. > > > > > > > > > > > > > > > > > > > > On Mon, Dec 4, 2017 at 9:10 PM, Stephen Smalley <sds@tycho.nsa.go > > > > > > v> > > > > > > > wrote: > > > > > > > > On Sat, 2017-12-02 at 09:29 +0530, Aman Sharma wrote: > > > > > > > > > Hi All, > > > > > > > > > > > > > > > > > > Thanks for the information. > > > > > > > > > > > > > > > > > > But after resetting the semanage User/login, and moving the > > > > > > > > targeted > > > > > > > > > folder to old one and then install the default target. then > > > > > > also > > > > > > > > its > > > > > > > > > still showing the > > > > > > > > > Id context as context=system_u:system_r:unconfined_t:s0- > > > > > > > > s0:c0.c1023. > > > > > > > > > > > > > > > > > > What I observed is after changing the permission using > > > > > > semanage > > > > > > > > > command also, its still showing the system_u:system_r. > > > > > > > > > > > > > > > > > > Check the semanage login/User output : > > > > > > > > > > > > > > > > > > semanage login -l > > > > > > > > > > > > > > > > > > Login Name SELinux User MLS/MCS Range > > > > > > > > > > > > > > > Service > > > > > > > > > > > > > > > > > > __default__ unconfined_u s0-s0:c0.c1023 > > > > > > * > > > > > > > > > root unconfined_u s0-s0:c0.c1023 > > > > > > * > > > > > > > > > system_u system_u s0-s0:c0.c1023 > > > > > > * > > > > > > > > > > > > > > > > > > > > > > > > > > > semanage user -l > > > > > > > > > > > > > > > > > > Labeling MLS/ MLS/ > > > > > > > > > > > > > > > > > > > > > > > SELinux User Prefix MCS Level MCS Range > > > > > > > > > > > > > > > > > > > > > > > SELinux Roles > > > > > > > > > > > > > > > > > > guest_u user s0 s0 > > > > > > > > > > > > > > > > > > > > > > > guest_r > > > > > > > > > root user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > > > > > > > staff_r sysadm_r system_r unconfined_r > > > > > > > > > staff_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > > > > > > > staff_r sysadm_r system_r unconfined_r > > > > > > > > > sysadm_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > > > > > > > sysadm_r > > > > > > > > > system_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > > > > > > > system_r unconfined_r > > > > > > > > > unconfined_u user s0 s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > > > > > > > system_r unconfined_r > > > > > > > > > user_u user s0 s0 > > > > > > > > > > > > > > > > > > > > > > > user_r > > > > > > > > > xguest_u user s0 s0 > > > > > > > > > > > > > > > > > > > > > > > xguest_r > > > > > > > > > > > > > > > > > > > > > > > > > > > Looks like its related to some other issue. What you think > > > > > > about > > > > > > > > > this. > > > > > > > > > > > > > > > > Do you have any relevant error messages in /var/log/secure or > > > > > > > > journalctl -rb? Look for anything that refers to selinux or > > > > > > > > context. > > > > > > > > > > > > > > > > I'm guessing that pam_selinux is unable to determine a valid > > > > > > > > context > > > > > > > > for your login for some reason, and this is causing it to fall > > > > > > back > > > > > > > > to > > > > > > > > this one. Or something like that. > > > > > > > > > > > > > > > > You could try to emulate this process via selinuxdefcon, > > > > > > although > > > > > > > > I'm > > > > > > > > not sure how closely it matches pam_selinux anymore. Sample > > > > > > usage: > > > > > > > > > > > > > > > > 1. See what context sshd is running in. > > > > > > > > > > > > > > > > ps -eZ | grep sshd > > > > > > > > > > > > > > > > It should be: > > > > > > > > system_u:system_r:sshd_t:s0-s0:c0.c1023 > > > > > > > > > > > > > > > > 2. Run selinuxdefcon to compute the default context for root > > > > > > when > > > > > > > > logging in from sshd: > > > > > > > > > > > > > > > > # Second argument should be whatever was shown by ps -eZ | grep > > > > > > > > sshd > > > > > > > > above. > > > > > > > > selinuxdefcon root system_u:system_r:sshd_t:s0-s0.c0123 > > > > > > > > > > > > > > > > It should be: > > > > > > > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > > > Thanks > > > > > > > Aman > > > > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > Thanks > > > > > Aman > > > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > > > > > > > > > > > > > -- > > > > > > Thanks > > > Aman > > > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com > > > > -- > > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > > Dominick Grift > > > > > > -- > > Thanks > Aman > Cell: +91 9990296404 | Email ID : amansh.sharma5@gmail.com -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 659 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: Fwd: Qwery regarding Selinux Change Id context 2017-11-30 5:40 ` Aman Sharma 2017-11-30 15:43 ` Aman Sharma 2017-11-30 20:19 ` Dominick Grift @ 2017-12-01 19:26 ` Stephen Smalley 2 siblings, 0 replies; 43+ messages in thread From: Stephen Smalley @ 2017-12-01 19:26 UTC (permalink / raw) To: Aman Sharma; +Cc: SELinux On Thu, 2017-11-30 at 11:10 +0530, Aman Sharma wrote: > Hi Stephen, > > After reseting Selinux targeted folder also (the steps you mentioned > in the earlier mail), Still its showing the same Id context i.e. > > id > uid=0(root) gid=0(root) groups=0(root) > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023 > [root@cucm2 ~]# id -Z > system_u:system_r:unconfined_t:s0-s0:c0.c1023 > > And semanage login -l is showing blank output. > > Do you have any idea about this. The second part seems to be a bug in the policy package. To fix, try this: cp /etc/selinux/targeted/seusers /etc/selinux/targeted/active ^ permalink raw reply [flat|nested] 43+ messages in thread
end of thread, other threads:[~2017-12-05 9:14 UTC | newest] Thread overview: 43+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <CAPMH7-9gpgonG5tMJ-yp6Ny5pSZfH5ypEFNffcWc_ypRzERDYw@mail.gmail.com> [not found] ` <CAPMH7-_i8y2J217Pp86Evgd8rBB6a4zGRah=nB=gcWb0i+a+Rg@mail.gmail.com> 2017-11-24 5:17 ` Fwd: Qwery regarding Selinux Change Id context Aman Sharma 2017-11-24 6:52 ` Ravi Kumar 2017-11-24 7:09 ` Aman Sharma 2017-11-25 17:25 ` Simon Sekidde 2017-11-27 5:56 ` Aman Sharma 2017-11-27 15:59 ` Fwd: " Stephen Smalley 2017-11-29 4:03 ` Aman Sharma 2017-11-29 8:22 ` Dominick Grift 2017-11-29 8:51 ` Aman Sharma 2017-11-29 9:11 ` Dominick Grift 2017-11-29 13:51 ` Stephen Smalley 2017-11-29 14:41 ` Aman Sharma 2017-11-29 14:47 ` Stephen Smalley 2017-11-29 15:17 ` Aman Sharma 2017-11-29 15:29 ` Simon Sekidde 2017-11-29 15:34 ` Aman Sharma 2017-11-29 15:36 ` Aman Sharma 2017-11-29 15:40 ` Fwd: " Stephen Smalley 2017-11-29 15:56 ` Aman Sharma 2017-11-29 16:02 ` Stephen Smalley 2017-11-29 16:09 ` Aman Sharma 2017-11-29 16:20 ` Stephen Smalley 2017-11-29 16:31 ` Aman Sharma 2017-11-29 17:34 ` Stephen Smalley 2017-11-30 5:40 ` Aman Sharma 2017-11-30 15:43 ` Aman Sharma 2017-11-30 20:19 ` Dominick Grift 2017-12-01 4:26 ` Aman Sharma 2017-12-01 19:16 ` Simon Sekidde 2017-12-01 19:28 ` Stephen Smalley 2017-12-01 19:35 ` Simon Sekidde 2017-12-02 3:59 ` Aman Sharma 2017-12-04 15:40 ` Stephen Smalley 2017-12-04 16:01 ` Aman Sharma 2017-12-04 16:06 ` Aman Sharma 2017-12-04 16:09 ` Stephen Smalley 2017-12-04 16:34 ` Aman Sharma 2017-12-04 16:38 ` Stephen Smalley 2017-12-05 8:32 ` Aman Sharma 2017-12-05 8:40 ` Dominick Grift 2017-12-05 9:04 ` Aman Sharma 2017-12-05 9:13 ` Dominick Grift 2017-12-01 19:26 ` Fwd: " Stephen Smalley
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.