SELinux – Allow system_u and new SELinux user to log in via SSH

centos6selinux

I am new to SELinux and I am still trying to figure out how everything works but my goal is to create a Linux account associated with either system_u or a new SELinux user and try to ssh to my machine using that account. However, when I try to ssh to the machine in Enforcing mode using such an account I get the following message

Unable to get valid context for user

, even though I can still log in fine as root or a guest_u account

The following messages are logged to the /var/log/secure file when trying to ssh as the system_u user

Apr 23 23:38:01 localhost sshd[1674]: Accepted password for systemUser from 192.168.56.1 port 55856 ssh2

Apr 23 23:38:01 localhost sshd[1674]: pam_selinux(sshd:session): Security context system_u:system_r:prelink_mask_t:s0-s0:c0.c1023 is not allowed for system_u:system_r:prelink_mask_t:s0-s0:c0.c1023

Apr 23 23:38:01 localhost sshd[1674]: pam_selinux(sshd:session): Unable to get valid context for systemUser

Apr 23 23:38:01 localhost sshd[1674]: pam_unix(sshd:session): session opened for user systemUser by (uid=0)

Apr 23 23:38:01 localhost sshd[1674]: error: PAM: pam_open_session(): Authentication failure

Apr 23 23:38:01 localhost sshd[1674]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument

Apr 23 23:38:01 localhost sshd[1678]: Received disconnect from 192.168.56.1: 11: disconnected by user

Any ideas on how I could modify the policy that creates this behavior?

I am using CentOS 6.8

Best Answer

I hit this same issue and resolved it by restarting sshd. Might work for your scenario ¯\_(ツ)_/¯ ...

Related Solutions

FreeIPA – Granting Sudo Access to SELinux Confined User

You are aware that you can move into the sysadm_r role as staff_u right?

For example, the following below would work.

myuser  ALL=(ALL)   TYPE=sysadm_t ROLE=sysadm_r PASSWD: ALL

This will allow you to do (almost) what you can do as root as unconfined.

Oh and one final tip. Using su is a bit tricky with RBAC (it does a lot of stuff which gets it into all sorts of places). Instead you can use the runuser command which does the same thing without a lot of su overheads.

I actually restrict su use in sudoers like so;

%wheel   ALL=(ALL)   TYPE=sysadm_t ROLE=sysadm_r NOPASSWD: ALL, ! /bin/su

Because by default the SELinux policy doesn't allow the sudo transition to manage the necessary signals. Really people should probably just use sudo -i anyway.

I normally hardlink runuser to ru as a two-letter replacement for people who prefer to run sudo su - out of a bad habit (like me!).

How to configure SELinux to allow specific services to communicate with Avahi

Running this service as init_t is probably not a great idea.

The reason you get this behaviour is because tvheadend is probably labelled bin_t, and no transition rule exists to move a file of this type out of the init_t context.

You can search this to know for sure..

$ sesearch -s init_t --type -c process | grep bin_t

This command returns no results. No transitions out of init_t for a bin_t process.

You should also avoid running this type in initrc_t too since its not appropriate for the service. As a general matter of fact -- the best solution would be to properly write a confined policy for you're service, however this is beyond the scope of this answer.

Instead, you need to get your process out of init_t to another type. Because no policy exists for this application it is probably best to move this into unconfined_t, for which a type transition does exist.

$ sesearch -s init_t --type -c process -t unconfined_exec_t
Found 1 semantic te rules:
   type_transition init_t unconfined_exec_t : process unconfined_t;

We can also check that the rule that is being hit in policy will not get hit in unconfined_t (which it shouldn't).

$ sesearch -s avahi_t -p send_msg -c dbus -t unconfined_t --allow
Found 2 semantic av rules:
   allow avahi_t unconfined_t : dbus send_msg ; 
   allow system_bus_type unconfined_t : dbus send_msg ;

To do this, simply relabel your tvheadend program to unconfined_exec_t.

semanage fcontext -a -t unconfined_exec_t -f f /usr/bin/tvheadend

Then restore.

restorecon /usr/bin/tvheadend

Now, re-running your service should work. If you re-run ps -AZ | grep tvheadend you should see your process running in unconfined_t.

Ideally a new policy should be used for this program, but if no policy exists its best to run it without policy at all in the unconfined_t domain. initrc_t and init_t are not really meant to be used to run services (although some do incorrectly go in there), initrc_t was originally conceived to run SYSV shell scripts and init_t is meant for running systemd/init itself.

Best Answer

Related Solutions

FreeIPA – Granting Sudo Access to SELinux Confined User

How to configure SELinux to allow specific services to communicate with Avahi

Related Topic