Discussion:
Qwery regarding Selinux Change Id context
Aman Sharma
2017-11-24 05:17:56 UTC
Hi All,

Currently working on CentOS 7.3, logged in as the root user, and my id command
output is:

id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023

I want to change system_u:system_r:unconfined_t to sysadm_u:sysadm_r or
unconfined_u:unconfined_r.

Also showing the output of the following commands:

semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range          SELinux Roles

admin_u         user       s0         s0-s0:c0.c1023     sysadm_r system_r
guest_u         user       s0         s0                 guest_r
root            user       s0         s0-s0:c0.c1023     staff_r sysadm_r
specialuser_u   user       s0         s0                 sysadm_r system_r
staff_u         user       s0         s0-s0:c0.c1023     staff_r sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023     sysadm_r
system_u        user       s0         s0-s0:c0.c1023     system_r
unconfined_u    user       s0         s0-s0:c0.c1023     system_r unconfined_r
user_u          user       s0         s0                 user_r
xguest_u        user       s0         s0                 xguest_r

semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          sysadm_u             s0-s0:c0.c1023       *
ccmservice           specialuser_u        s0                   *
cucm                 admin_u              s0-s0:c0.c1023       *
drfkeys              specialuser_u        s0                   *
drfuser              specialuser_u        s0                   *
informix             specialuser_u        s0                   *
pwrecovery           specialuser_u        s0                   *
root                 sysadm_u             s0-s0:c0.c1023       *
sftpuser             specialuser_u        s0                   *
system_u             sysadm_u             s0-s0:c0.c1023       *

Can anybody please help me.
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Ravi Kumar
2017-11-24 06:52:04 UTC
Based on the config, each type of login (ssh, shell) will have its own
role. If this is just for testing, you can try setting the bool value if
you are logging in via ssh.

setsebool -P ssh_sysadm_login 1



Regards,
Ravi
Aman Sharma
2017-11-24 07:09:05 UTC
Hi Ravi,

Thanks for your reply, but SSH and Sysadm_login is already enabled.

Actually I need to change the root context from system_u:system_r:unconfined_t
to sysadm_u:sysadm_r or unconfined_u:unconfined_r.

I found one command (runcon unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /bin/bash),
but that command will not work after reboot. Is there any permanent solution for
this?
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Simon Sekidde
2017-11-25 17:25:19 UTC
It should be unconfined by default if you are running policy in targeted mode

# cat /etc/selinux/targeted/seusers
root:unconfined_u:s0-s0:c0.c1023
system_u:system_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023

try something like `semanage login -m -s unconfined_u root; restorecon -RF /root`
--
Simon Sekidde
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
Aman Sharma
2017-11-27 05:56:19 UTC
Hi Simon,

After applying the commands which you mentioned previously, it is working fine,
but it's still showing the id command output as the same, i.e.

id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023

Do you know how to reset this system_u to unconfined_u, i.e. to the default
behavior?

Thanks for the help.

Aman
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Stephen Smalley
2017-11-27 15:59:39 UTC
What is your sestatus -v output? How are you logging in (console, gdm,
ssh, ...)?

You don't appear to be running the default policy, or if you are,
someone has heavily customized your user and login mappings.
Aman Sharma
2017-11-29 04:03:31 UTC
Hi Stephen,

Below is the output of command :

sestatus -v output
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Process contexts:
Current context:                system_u:system_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling terminal:           system_u:object_r:sshd_devpts_t:s0
/etc/passwd                     system_u:object_r:passwd_file_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
/lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
/lib/ld-linux.so.2              system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0

Also I am using ssh session for login.

Please let me know how to change id command context to unconfined_u or
sysadm_u.

Thanks in advance
Aman
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Dominick Grift
2017-11-29 08:22:15 UTC
not sure and shot in dark, but:

root is assoc. with sysadm_u. sysadm_u is only authorized to use sysadm_r.
if you have the boolean ssh_priv_login set to off then sysadm_u:sysadm_r:sysadm_t:s0 is inaccessible
pam_selinux attempts to use any other contexts that are accessible, and it appears that system_u:system_r:unconfined_t was it.

Do you have the ssh_priv_login boolean set to off? `getsebool -a | grep ssh`
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Aman Sharma
2017-11-29 08:51:46 UTC
Hi,

Check the output for the same.

getsebool -a | grep ssh
fenced_can_ssh --> off
selinuxuser_use_ssh_chroot --> on
ssh_chroot_rw_homedirs --> off
ssh_keysign --> off
ssh_sysadm_login --> on
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Dominick Grift
2017-11-29 09:11:03 UTC
Thanks. That means I was wrong.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Stephen Smalley
2017-11-29 13:51:45 UTC
So from your earlier message, it is clear that you (or someone else)
has heavily customized your semanage login and user mappings from the
stock targeted policy. The question is why, and whether you want/need
to retain any of those customizations. If not, then you could just
delete all local customizations (via semanage or manually) and revert
to a stock policy.

If you do need to retain some of those customizations, then please show
your current semanage login -l and semanage user -l output since you
said you ran some further semanage commands after the last output you
showed.
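
The comparison described above, against the stock targeted seusers listing quoted earlier in the thread, as an added example that is not part of any poster's message. The sample tables are copied from the outputs posted in the thread (wrapped rows rejoined); the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit SELinux login mappings against a stock targeted baseline.

# Stock mappings, as quoted in the thread from /etc/selinux/targeted/seusers.
stock_seusers() {
cat <<'EOF'
root:unconfined_u:s0-s0:c0.c1023
system_u:system_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023
EOF
}

# `semanage login -l` output as posted in the thread (sample input).
sample_logins() {
cat <<'EOF'
Login Name           SELinux User         MLS/MCS Range        Service

__default__          sysadm_u             s0-s0:c0.c1023       *
ccmservice           specialuser_u        s0                   *
cucm                 admin_u              s0-s0:c0.c1023       *
drfkeys              specialuser_u        s0                   *
drfuser              specialuser_u        s0                   *
informix             specialuser_u        s0                   *
pwrecovery           specialuser_u        s0                   *
root                 sysadm_u             s0-s0:c0.c1023       *
sftpuser             specialuser_u        s0                   *
system_u             sysadm_u             s0-s0:c0.c1023       *
EOF
}

# `semanage user -l` output as posted in the thread (sample input).
sample_users() {
cat <<'EOF'
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range          SELinux Roles

admin_u         user       s0         s0-s0:c0.c1023     sysadm_r system_r
guest_u         user       s0         s0                 guest_r
root            user       s0         s0-s0:c0.c1023     staff_r sysadm_r
specialuser_u   user       s0         s0                 sysadm_r system_r
staff_u         user       s0         s0-s0:c0.c1023     staff_r sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023     sysadm_r
system_u        user       s0         s0-s0:c0.c1023     system_r
unconfined_u    user       s0         s0-s0:c0.c1023     system_r unconfined_r
user_u          user       s0         s0                 user_r
xguest_u        user       s0         s0                 xguest_r
EOF
}

# login_drift: reads `semanage login -l` on stdin and prints one line per
# deviation from the baseline: LOGIN CURRENT_SEUSER STOCK_SEUSER STATUS
login_drift() {
    BASELINE="$(stock_seusers)" awk '
        BEGIN {
            n = split(ENVIRON["BASELINE"], line, "\n")
            for (i = 1; i <= n; i++) { split(line[i], f, ":"); stock[f[1]] = f[2] }
        }
        NF == 0 || ($1 == "Login" && $2 == "Name") { next }   # blank/header lines
        {
            seen[$1] = 1
            if (!($1 in stock))       print $1, $2, "-", "added"
            else if (stock[$1] != $2) print $1, $2, stock[$1], "changed"
        }
        END { for (l in stock) if (!(l in seen)) print l, "-", stock[l], "removed" }
    '
}

# seuser_for LOGIN: reads `semanage login -l` on stdin and prints the SELinux
# user for LOGIN, falling back to the __default__ entry when LOGIN is not listed.
seuser_for() {
    awk -v login="$1" '
        NF == 0 || ($1 == "Login" && $2 == "Name") { next }
        $1 == login         { hit = $2 }
        $1 == "__default__" { dflt = $2 }
        END { print (hit != "" ? hit : dflt) }
    '
}

# roles_of SEUSER: reads `semanage user -l` on stdin and prints the roles that
# SELinux user is authorized for (field 5 onward of its row).
roles_of() {
    awk -v u="$1" '
        $1 == u && NF >= 5 {
            for (i = 5; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
        }
    '
}

# Demo on the sample data. On a live host, pipe the real `semanage login -l`
# and `semanage user -l` output into the same functions instead.
sample_logins | login_drift
seuser=$(sample_logins | seuser_for root)
echo "root -> $seuser -> roles: $(sample_users | roles_of "$seuser")"
```

On the posted data this reports three changed stock entries and seven added logins, and shows that root's current mapping allows only sysadm_r.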
Aman Sharma
2017-11-29 14:41:55 UTC
Hi Stephen,

Thanks for the reply.

Can you please let me know how to delete all local customizations (via
semanage or manually) and revert to a default policy.

Otherwise, the output of semanage login -l and semanage user -l:

semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range          SELinux Roles

admin_u         user       s0         s0-s0:c0.c1023     sysadm_r system_r
guest_u         user       s0         s0                 guest_r
root            user       s0         s0-s0:c0.c1023     staff_r sysadm_r
specialuser_u   user       s0         s0                 sysadm_r system_r
staff_u         user       s0         s0-s0:c0.c1023     staff_r sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023     sysadm_r
system_u        user       s0         s0-s0:c0.c1023     system_r
unconfined_u    user       s0         s0-s0:c0.c1023     system_r unconfined_r
user_u          user       s0         s0                 user_r
xguest_u        user       s0         s0                 xguest_r

semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          sysadm_u             s0-s0:c0.c1023       *
ccmservice           specialuser_u        s0                   *
cucm                 admin_u              s0-s0:c0.c1023       *
drfkeys              specialuser_u        s0                   *
drfuser              specialuser_u        s0                   *
informix             specialuser_u        s0                   *
pwrecovery           specialuser_u        s0                   *
root                 sysadm_u             s0-s0:c0.c1023       *
sftpuser             specialuser_u        s0                   *
system_u             sysadm_u             s0-s0:c0.c1023       *

Please let me know if any comments are there.

Thanks
Aman
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Stephen Smalley
2017-11-29 14:47:13 UTC
Permalink
Post by Aman Sharma
Hi Stephen,
Thanks for the reply.
Can you please let me know how to delete all local customizations
(via semanage or manually) and revert
to a default policy.

First, save any local customizations in case you want to restore them
later:
semanage export > localchanges

Then, delete them:
semanage login -D
semanage user -D

Then logout and log back in.
Aman Sharma
2017-11-29 15:17:19 UTC
Permalink
Hi Stephen,

I tried all three commands, i.e.
semanage export > localchanges

semanage login -D
semanage user -D

Then I rebooted the system, and after the reboot it is still showing the same id context for the root user, i.e.

id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023

id -Z
system_u:system_r:unconfined_t:s0-s0:c0.c1023


Also check the output below:
semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r

[***@cucm ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

Please let me know your comments on this.

Thanks
Aman
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Simon Sekidde
2017-11-29 15:29:45 UTC
Permalink
Aman,

----- Original Message -----
Sent: Wednesday, November 29, 2017 10:17:19 AM
Subject: Re: Fwd: Qwery regarding Selinux Change Id context
Hi Stephen,
I tried all three commands, i.e.
semanage export > localchanges
semanage login -D
semanage user -D
Then I rebooted the system, and after the reboot it is still showing the same id context for the root user, i.e.
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
id -Z
system_u:system_r:unconfined_t:s0-s0:c0.c1023

Are you using a 3rd party ssh client?
--
Simon Sekidde
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
Aman Sharma
2017-11-29 15:34:47 UTC
Permalink
No, I am not using a 3rd party SSH client. This is normal ssh.
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Aman Sharma
2017-11-29 15:36:49 UTC
Permalink
Actually, I am using CentOS version 7.3, i.e.

cat /etc/centos-release
CentOS Linux release 7.3.1611 (Core)
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Stephen Smalley
2017-11-29 15:40:15 UTC
Permalink
Post by Aman Sharma
Hi Stephen,
I tried all three commands, i.e.
semanage export > localchanges
semanage login -D
semanage user -D
Then I rebooted the system, and after the reboot it is still showing the same id context for the root user, i.e.
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
id -Z
system_u:system_r:unconfined_t:s0-s0:c0.c1023

That's interesting. So what else does semanage export show now as
local changes?
Aman Sharma
2017-11-29 15:56:41 UTC
Permalink
Hi Stephen,

The output of semanage export is:

cat localchanges
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -1 domain_kernel_load_modules
boolean -m -1 selinuxuser_ping
boolean -m -1 ssh_sysadm_login
boolean -m -1 tomcat_can_network_non_http_port
port -a -t tomcat_shutdown_port_t -p tcp 8005
port -a -t ils_port_t -p tcp 8006
port -a -t clm_port_t -p tcp 8500
port -a -t clm_port_t -p udp 8500
port -a -t snmp_port_t -p udp 61441
fcontext -a -f a -t tomcat_t '/home/tomcat(/.*)?'
fcontext -a -f a -t db_t '/home/informix(/.*)?'
fcontext -a -f a -t ipsec_exec_t '/root/.security/ipsec(/.*)?'
fcontext -a -f a -t tomcat_exec_t '/root/.security/tomcat/tomcat_diagnostics.sh'
module -d unconfined
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Stephen Smalley
2017-11-29 16:02:25 UTC
Permalink
Post by Aman Sharma
Hi Stephen,
cat localchanges 
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -1 domain_kernel_load_modules
boolean -m -1 selinuxuser_ping
boolean -m -1 ssh_sysadm_login
boolean -m -1 tomcat_can_network_non_http_port
port -a -t tomcat_shutdown_port_t -p tcp 8005
port -a -t ils_port_t -p tcp 8006
port -a -t clm_port_t -p tcp 8500
port -a -t clm_port_t -p udp 8500
port -a -t snmp_port_t -p udp 61441
fcontext -a -f a -t tomcat_t '/home/tomcat(/.*)?'
fcontext -a -f a -t db_t '/home/informix(/.*)?'
fcontext -a -f a -t ipsec_exec_t '/root/.security/ipsec(/.*)?'
fcontext -a -f a -t tomcat_exec_t '/root/.security/tomcat/tomcat_diagnostics.sh'
module -d unconfined

Hmmm...someone disabled the unconfined module on your system?
So if you want to go back to using unconfined, you ought to re-enable
that, ala semodule -e unconfined. It looks like someone locked down
that system and was trying to effectively apply a "strict" policy, but
it was left in a broken state.
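The two checks this exchange turns on, as an added example that is not part of the thread or of the SELinux tools: compare the SELinux user that `semanage login -l` assigns to a login with the user in the `id -Z` context, and pull locally disabled modules and changed booleans out of `semanage export`. The function names are hypothetical, and the embedded samples are constructed from the outputs posted above.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not semanage options.

# Constructed sample: the `semanage login -l` table posted after the reset.
sample_login_table() {
cat <<'EOF'
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
EOF
}

# Constructed sample: a subset of the `semanage export` lines from the thread.
sample_export() {
cat <<'EOF'
boolean -D
login -D
user -D
module -D
boolean -m -1 ssh_sysadm_login
boolean -m -1 selinuxuser_ping
port -a -t tomcat_shutdown_port_t -p tcp 8005
module -d unconfined
EOF
}

# expected_seuser LOGIN
# Reads a `semanage login -l` table on stdin and prints the SELinux user it
# assigns to LOGIN, falling back to the __default__ row when LOGIN has no row
# of its own. Assumption: %group rows are not evaluated here.
expected_seuser() {
    awk -v login="$1" '
        NF < 3 || $1 == "Login" { next }          # skip header and blank lines
        $1 == login             { exact = $2 }
        $1 == "__default__"     { dflt = $2 }
        END { print (exact != "" ? exact : dflt) }
    '
}

# context_user CONTEXT
# Prints the user field of a user:role:type[:range] context string.
context_user() {
    printf '%s\n' "${1%%:*}"
}

# check_login_context LOGIN CONTEXT
# Login table on stdin. Reports whether the session context carries the
# SELinux user that the mapping assigns to LOGIN.
check_login_context() (
    want=$(expected_seuser "$1")
    have=$(context_user "$2")
    if [ "$want" = "$have" ]; then
        echo "match $have"
    else
        echo "mismatch expected=$want actual=$have"
    fi
)

# disabled_modules
# Reads `semanage export` text on stdin and prints modules disabled locally
# (lines of the form "module -d NAME"; the "module -D" reset line is skipped).
disabled_modules() {
    awk '$1 == "module" && $2 == "-d" { print $3 }'
}

# local_booleans
# Prints NAME=1 for "boolean -m -1 NAME" and NAME=0 for "boolean -m -0 NAME".
local_booleans() {
    awk '$1 == "boolean" && $2 == "-m" { print $4 "=" substr($3, 2) }'
}

# Demo on the constructed samples. On a live host the real commands would be
# piped in instead, e.g.: semanage login -l | check_login_context root "$(id -Z)"
sample_login_table | check_login_context root \
    'system_u:system_r:unconfined_t:s0-s0:c0.c1023'
sample_export | disabled_modules
sample_export | local_booleans
```
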
Aman Sharma
2017-11-29 16:09:47 UTC
Permalink
Hi Stephen,

After enabling the unconfined module and rebooting, it is still showing
the same id context.

Is there any way to bring the id context back to its normal state?


Thanks
Aman
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Stephen Smalley
2017-11-29 16:20:00 UTC
Permalink
Post by Aman Sharma
Hi Stephen,
After enabling the unconfined module and after reboot also, Still
showing the same id context.
Is there any way to make the id context to normal state again ? 
Hmmm...try resetting all booleans too? semanage boolean -D

Or you could be drastic and completely reset your policy:
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
Aman Sharma
2017-11-29 16:31:19 UTC
Permalink
After resetting boolean also, showing the same id context.
Post by Stephen Smalley
Post by Aman Sharma
Hi Stephen,
After enabling the unconfined module and after reboot also, Still
showing the same id context.
Is there any way to make the id context to normal state again ?
Hmmm...try resetting all booleans too? semanage boolean -D
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Stephen Smalley
2017-11-29 17:34:18 UTC
Permalink
Post by Aman Sharma
After resetting boolean also, showing the same id context.
And did you try fully resetting your policy as I suggested:
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
reboot
Post by Aman Sharma
Post by Aman Sharma
Hi Stephen,
After enabling the unconfined module and after reboot also, Still
showing the same id context.
Is there any way to make the id context to normal state again ? 
Hmmm...try resetting all booleans too?  semanage boolean -D
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
-- 
Thanks
Aman
Aman Sharma
2017-11-30 05:40:43 UTC
Permalink
Hi Stephen,

After resetting Selinux targeted folder also (the steps you mentioned in the
earlier mail), Still its showing the same Id context i.e.

*id*
*uid=0(root) gid=0(root) groups=0(root)
context=system_u:system_r:unconfined_t:s0-s0:c0.c1023*
*[***@cucm2 ~]# id -Z*
*system_u:system_r:unconfined_t:s0-s0:c0.c1023*

*And semanage login -l is showing blank output. *

*Do you have any idea about this.*

*Thanks*
*Aman*
Post by Stephen Smalley
Post by Aman Sharma
After resetting boolean also, showing the same id context.
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
reboot
Post by Aman Sharma
Post by Stephen Smalley
Post by Aman Sharma
Hi Stephen,
After enabling the unconfined module and after reboot also, Still
showing the same id context.
Is there any way to make the id context to normal state again ?
Hmmm...try resetting all booleans too? semanage boolean -D
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
--
Thanks
Aman
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Aman Sharma
2017-11-30 15:43:25 UTC
Permalink
Hi Stephen,

Do you have any other way to change the context from id command ?

Thanks
Aman
Post by Aman Sharma
Hi Stephen,
After reseting Selinux targeted folder also (the steps you mentioned in
the earlier mail), Still its showing the same Id context i.e.
*id*
*uid=0(root) gid=0(root) groups=0(root)
context=system_u:system_r:unconfined_t:s0-s0:c0.c1023*
*system_u:system_r:unconfined_t:s0-s0:c0.c1023*
*And semanage login -l is showing blank output. *
*Do you have any idea about this.*
*Thanks*
*Aman*
Post by Stephen Smalley
Post by Aman Sharma
After resetting boolean also, showing the same id context.
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
reboot
Post by Aman Sharma
Post by Stephen Smalley
Post by Aman Sharma
Hi Stephen,
After enabling the unconfined module and after reboot also, Still
showing the same id context.
Is there any way to make the id context to normal state again ?
Hmmm...try resetting all booleans too? semanage boolean -D
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
--
Thanks
Aman
--
Thanks
Aman
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Dominick Grift
2017-11-30 20:19:20 UTC
Permalink
Post by Aman Sharma
Hi Stephen,
After reseting Selinux targeted folder also (the steps you mentioned in the
earlier mail), Still its showing the same Id context i.e.
*id*
*uid=0(root) gid=0(root) groups=0(root)
context=system_u:system_r:unconfined_t:s0-s0:c0.c1023*
*system_u:system_r:unconfined_t:s0-s0:c0.c1023*
*And semanage login -l is showing blank output. *
*Do you have any idea about this.*
*Thanks*
*Aman*
Try the same procedure again but this time also do before reinstalling:

mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old
Post by Aman Sharma
Post by Stephen Smalley
Post by Aman Sharma
After resetting boolean also, showing the same id context.
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
reboot
Post by Aman Sharma
Post by Stephen Smalley
Post by Aman Sharma
Hi Stephen,
After enabling the unconfined module and after reboot also, Still
showing the same id context.
Is there any way to make the id context to normal state again ?
Hmmm...try resetting all booleans too? semanage boolean -D
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
--
Thanks
Aman
--
Thanks
Aman
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Aman Sharma
2017-12-01 04:26:21 UTC
Permalink
Hi ,

mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old

This targeted folder is not there.

After searching I got the below result :

find / -type d -name "*targeted" -print

/usr/share/selinux/targeted
/etc/selinux/targeted

Please let me know your comments.
Post by Dominick Grift
Post by Aman Sharma
Hi Stephen,
After reseting Selinux targeted folder also (the steps you mentioned in
the
Post by Aman Sharma
earlier mail), Still its showing the same Id context i.e.
*id*
*uid=0(root) gid=0(root) groups=0(root)
context=system_u:system_r:unconfined_t:s0-s0:c0.c1023*
*system_u:system_r:unconfined_t:s0-s0:c0.c1023*
*And semanage login -l is showing blank output. *
*Do you have any idea about this.*
*Thanks*
*Aman*
mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old
Post by Aman Sharma
Post by Stephen Smalley
Post by Aman Sharma
After resetting boolean also, showing the same id context.
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
reboot
Post by Aman Sharma
Post by Stephen Smalley
Post by Aman Sharma
Hi Stephen,
After enabling the unconfined module and after reboot also, Still
showing the same id context.
Is there any way to make the id context to normal state again ?
Hmmm...try resetting all booleans too? semanage boolean -D
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
--
Thanks
Aman
--
Thanks
Aman
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Simon Sekidde
2017-12-01 19:16:33 UTC
Permalink
----- Original Message -----
Sent: Thursday, November 30, 2017 11:26:21 PM
Subject: Re: Fwd: Qwery regarding Selinux Change Id context
Hi ,
mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old
This targeted folder is not there.
find / -type d -name "*targeted" -print
/usr/share/selinux/targeted
/etc/selinux/targeted
Pleas let me know your comments.
Run

mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted

Also what does this output show

ps -aelfZ | grep -i ssh
Post by Dominick Grift
Post by Aman Sharma
Hi Stephen,
After reseting Selinux targeted folder also (the steps you mentioned in
the
Post by Aman Sharma
earlier mail), Still its showing the same Id context i.e.
*id*
*uid=0(root) gid=0(root) groups=0(root)
context=system_u:system_r:unconfined_t:s0-s0:c0.c1023*
*system_u:system_r:unconfined_t:s0-s0:c0.c1023*
*And semanage login -l is showing blank output. *
*Do you have any idea about this.*
*Thanks*
*Aman*
mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old
Post by Aman Sharma
Post by Stephen Smalley
Post by Aman Sharma
After resetting boolean also, showing the same id context.
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
reboot
Post by Aman Sharma
Post by Stephen Smalley
Post by Aman Sharma
Hi Stephen,
After enabling the unconfined module and after reboot also, Still
showing the same id context.
Is there any way to make the id context to normal state again ?
Hmmm...try resetting all booleans too? semanage boolean -D
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
--
Thanks
Aman
--
Thanks
Aman
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
--
Thanks
Aman
--
Simon Sekidde
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
Stephen Smalley
2017-12-01 19:28:17 UTC
Permalink
Post by Simon Sekidde
----- Original Message -----
Sent: Thursday, November 30, 2017 11:26:21 PM
Subject: Re: Fwd: Qwery regarding Selinux Change Id context
Hi ,
mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old
This targeted folder is not there.
find / -type d -name "*targeted" -print
/usr/share/selinux/targeted
/etc/selinux/targeted
Pleas let me know your comments.
Run
mv /etc/selinux/targeted /etc/selinux/targeted.old 
yum reinstall selinux-policy-targeted
He already tried that and it allegedly didn't help. It also seems to
leave you without a /etc/selinux/targeted/active/seusers file for some
reason, such that semanage login -l shows nothing. But you can recover
by copying /etc/selinux/targeted/seusers to
/etc/selinux/targeted/active/seusers. That's a bug.
Post by Simon Sekidde
Also what does this output show 
ps -aelfZ | grep -i ssh 
Post by Dominick Grift
Post by Aman Sharma
Hi Stephen,
After reseting Selinux targeted folder also (the steps you mentioned in
the
Post by Aman Sharma
earlier mail), Still its showing the same Id context i.e.
*id*
*uid=0(root) gid=0(root) groups=0(root)
context=system_u:system_r:unconfined_t:s0-s0:c0.c1023*
*system_u:system_r:unconfined_t:s0-s0:c0.c1023*
*And semanage login -l is showing blank output. *
*Do you have any idea about this.*
*Thanks*
*Aman*
Try the same procedure again but this time also do before
mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old
Post by Aman Sharma
Post by Stephen Smalley
Post by Aman Sharma
After resetting boolean also, showing the same id context.
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
reboot
Post by Aman Sharma
Post by Aman Sharma
Hi Stephen,
After enabling the unconfined module and after reboot
also, Still
showing the same id context.
Is there any way to make the id context to normal state again ?
Hmmm...try resetting all booleans too?  semanage boolean
-D
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
--
Thanks
Aman
--
Thanks
Aman
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B
6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7
B6B02
Dominick Grift
--
Thanks
Aman
Aman Sharma
2017-12-02 03:59:22 UTC
Permalink
Hi All,

Thanks for the information.

But after resetting the semanage User/login, and moving the targeted folder
to old one and then install the default target. then also its still showing
the
Id context as context=*system_u:system_r:unconfined_t:s0-s0:c0.c1023.*

*What I observed is after changing the permission using semanage command
also, its still showing the system_u:system_r. *

*Check the semanage login/User output :*

*semanage login -l*

*Login Name SELinux User MLS/MCS Range Service*

*__default__ unconfined_u s0-s0:c0.c1023 **
*root unconfined_u s0-s0:c0.c1023 **
*system_u system_u s0-s0:c0.c1023 **


*semanage user -l*

* Labeling MLS/ MLS/ *
*SELinux User Prefix MCS Level MCS Range
SELinux Roles*

*guest_u user s0 s0
guest_r*
*root user s0 s0-s0:c0.c1023
staff_r sysadm_r system_r unconfined_r*
*staff_u user s0 s0-s0:c0.c1023
staff_r sysadm_r system_r unconfined_r*
*sysadm_u user s0 s0-s0:c0.c1023
sysadm_r*
*system_u user s0 s0-s0:c0.c1023
system_r unconfined_r*
*unconfined_u user s0 s0-s0:c0.c1023
system_r unconfined_r*
*user_u user s0 s0
user_r*
*xguest_u user s0 s0
xguest_r*


Looks like its related to some other issue. What you think about this.

Thanks
Aman
Post by Simon Sekidde
----- Original Message -----
Sent: Friday, December 1, 2017 2:28:17 PM
Subject: Re: Qwery regarding Selinux Change Id context
Post by Simon Sekidde
----- Original Message -----
Sent: Thursday, November 30, 2017 11:26:21 PM
Subject: Re: Fwd: Qwery regarding Selinux Change Id context
Hi ,
mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old
This targeted folder is not there.
find / -type d -name "*targeted" -print
/usr/share/selinux/targeted
/etc/selinux/targeted
Pleas let me know your comments.
Run
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
He already tried that and it allegedly didn't help. It also seems to
leave you without a /etc/selinux/targeted/active/seusers file for some
reason, such that semanage login -l shows nothing. But you can recover
by copying /etc/selinux/targeted/seusers to
/etc/selinux/targeted/active/seusers. That's a bug.
Interesting. Thanks for spotting this.
Post by Simon Sekidde
Also what does this output show
ps -aelfZ | grep -i ssh
Post by Dominick Grift
Post by Aman Sharma
Hi Stephen,
After reseting Selinux targeted folder also (the steps you mentioned in
the
Post by Aman Sharma
earlier mail), Still its showing the same Id context i.e.
*id*
*uid=0(root) gid=0(root) groups=0(root)
context=system_u:system_r:unconfined_t:s0-s0:c0.c1023*
*system_u:system_r:unconfined_t:s0-s0:c0.c1023*
*And semanage login -l is showing blank output. *
*Do you have any idea about this.*
*Thanks*
*Aman*
mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old
Post by Aman Sharma
Post by Stephen Smalley
Post by Aman Sharma
After resetting boolean also, showing the same id context.
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
reboot
Post by Aman Sharma
Post by Stephen Smalley
Post by Aman Sharma
Hi Stephen,
After enabling the unconfined module and after reboot
also, Still
showing the same id context.
Is there any way to make the id context to normal state
again ?
Hmmm...try resetting all booleans too? semanage boolean -D
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
--
Thanks
Aman
--
Thanks
Aman
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7
B6B02
Dominick Grift
--
Thanks
Aman
--
Simon Sekidde
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Stephen Smalley
2017-12-04 15:40:30 UTC
Permalink
Post by Aman Sharma
Hi All,
Thanks for the information.
But after resetting the semanage User/login, and moving the targeted
folder to old one and then install the default target. then also its
still showing the 
Id context as context=system_u:system_r:unconfined_t:s0-s0:c0.c1023.
What I observed is after changing the permission using semanage
command also, its still showing the system_u:system_r. 
semanage login -l
Login Name           SELinux User         MLS/MCS Range       
Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                     SELinux Roles
guest_u         user       s0         s0                            guest_r
root            user       s0         s0-s0:c0.c1023                staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                sysadm_r
system_u        user       s0         s0-s0:c0.c1023                system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                system_r unconfined_r
user_u          user       s0         s0                            user_r
xguest_u        user       s0         s0                            xguest_r
Looks like its related to some other issue. What you think about this.
Do you have any relevant error messages in /var/log/secure or
journalctl -rb? Look for anything that refers to selinux or context.

I'm guessing that pam_selinux is unable to determine a valid context
for your login for some reason, and this is causing it to fall back to
this one. Or something like that.

You could try to emulate this process via selinuxdefcon, although I'm
not sure how closely it matches pam_selinux anymore. Sample usage:

1. See what context sshd is running in.

ps -eZ | grep sshd

It should be:
system_u:system_r:sshd_t:s0-s0:c0.c1023

2. Run selinuxdefcon to compute the default context for root when
logging in from sshd:

# Second argument should be whatever was shown by ps -eZ | grep sshd above.
selinuxdefcon root system_u:system_r:sshd_t:s0-s0:c0.c1023

It should be:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
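An added example, not part of any poster's message: a shell check for the symptom discussed above, where the seusers mapping says one SELinux user but the session runs as another, plus a check that a PAM service file has a pam_selinux session line that actually sets the login context. Function names, temporary files and the sample PAM stacks are constructed for illustration; the seusers format (login:seuser:range) and the close/restore options follow the seusers and pam_selinux man pages, and the thread itself does not say what was wrong in the poster's PAM file.

```shell
#!/bin/sh
# Added example; all sample data below is constructed.

# Print the SELinux user a seusers file maps LOGIN to, falling back to the
# __default__ entry. File format: login:seuser[:range]
seuser_for_login() {
    login=$1 file=$2
    awk -F: -v login="$login" '
        /^[[:space:]]*(#|$)/ { next }         # skip comments and blank lines
        $1 == login          { exact = $2 }
        $1 == "__default__"  { def = $2 }
        END {
            if (exact != "")    print exact
            else if (def != "") print def
            else                exit 1
        }' "$file"
}

# Print the user field (first colon-separated field) of a context string.
context_user() {
    printf '%s\n' "${1%%:*}"
}

# Compare a session context (as printed by `id -Z`) with the seusers mapping.
# Returns 0 on match, 1 on mismatch, 2 when no mapping exists.
check_login_context() {
    login=$1 file=$2 ctx=$3
    want=$(seuser_for_login "$login" "$file") || { echo "no mapping for $login"; return 2; }
    have=$(context_user "$ctx")
    if [ "$want" = "$have" ]; then
        echo "ok: $login runs as $have"
        return 0
    fi
    echo "mismatch: seusers maps $login to $want, session runs as $have"
    return 1
}

# Return 0 if FILE has a session line for pam_selinux.so that sets the login
# context, i.e. one without "close" (close_session only) and without "restore"
# (restores the previous context). include/substack lines are not followed.
pam_selinux_sets_context() {
    awk '
        NF == 0 || /^[[:space:]]*#/ { next }
        {
            type = $1
            sub(/^-/, "", type)               # leading "-" only silences logging
            if (type != "session") next
            mod = 0; skip = 0
            for (i = 3; i <= NF; i++) {
                if ($i ~ /(^|\/)pam_selinux\.so$/) mod = 1
                else if (mod && ($i == "close" || $i == "restore")) skip = 1
            }
            if (mod && !skip) found = 1
        }
        END { exit(found ? 0 : 1) }' "$1"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

# Constructed seusers file matching the `semanage login -l` output in the thread.
cat > "$tmp/seusers" <<'EOF'
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
system_u:system_u:s0-s0:c0.c1023
EOF

# Constructed PAM session stacks (not the poster's files).
cat > "$tmp/pam_good" <<'EOF'
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open env_params
EOF
cat > "$tmp/pam_bad" <<'EOF'
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# session  required     pam_selinux.so open env_params
EOF

# The context reported by `id -Z` in the thread, checked against the mapping.
check_login_context root "$tmp/seusers" \
    'system_u:system_r:unconfined_t:s0-s0:c0.c1023' || true

for f in pam_good pam_bad; do
    if pam_selinux_sets_context "$tmp/$f"; then
        echo "$f: a pam_selinux session line sets the login context"
    else
        echo "$f: no pam_selinux session line sets the login context"
    fi
done
```

On a live system the inputs would be the policy's seusers file, the output of `id -Z`, and the PAM service file for the login path in use.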
Aman Sharma
2017-12-04 16:01:31 UTC
Permalink
Hi Stephen,

I got the below logs from the file. Can you please check if these logs are fine
or not:

journalctl | grep selinux
Dec 05 02:55:46 localhost.localdomain kernel: EVM: security.selinux
Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain
type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0 auid=0 ses=2
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open
grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog
acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 addr=10.97.7.209
terminal=ssh res=success'
Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain
type=USER_START msg=audit(1512402970.131:108): pid=7568 uid=0 auid=0 ses=3
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open
grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog
acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 addr=10.97.7.209
terminal=ssh res=success'

Please let me know if any comments are there.
Post by Stephen Smalley
Post by Aman Sharma
Hi All,
Thanks for the information.
But after resetting the semanage User/login, and moving the targeted
folder to old one and then install the default target. then also its
still showing the
Id context as context=system_u:system_r:unconfined_t:s0-s0:c0.c1023.
What I observed is after changing the permission using semanage
command also, its still showing the system_u:system_r.
semanage login -l
Login Name SELinux User MLS/MCS Range
Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range
SELinux Roles
guest_u user s0 s0
guest_r
root user s0 s0-s0:c0.c1023
staff_r sysadm_r system_r unconfined_r
staff_u user s0 s0-s0:c0.c1023
staff_r sysadm_r system_r unconfined_r
sysadm_u user s0 s0-s0:c0.c1023
sysadm_r
system_u user s0 s0-s0:c0.c1023
system_r unconfined_r
unconfined_u user s0 s0-s0:c0.c1023
system_r unconfined_r
user_u user s0 s0
user_r
xguest_u user s0 s0
xguest_r
Looks like its related to some other issue. What you think about this.
Do you have any relevant error messages in /var/log/secure or
journalctl -rb? Look for anything that refers to selinux or context.
I'm guessing that pam_selinux is unable to determine a valid context
for your login for some reason, and this is causing it to fall back to
this one. Or something like that.
You could try to emulate this process via selinuxdefcon, although I'm
1. See what context sshd is running in.
ps -eZ | grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023
2. Run selinuxdefcon to compute the default context for root when
# Second argument should be whatever was shown by ps -eZ | grep sshd
above.
selinuxdefcon root system_u:system_r:sshd_t:s0-s0.c0123
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Aman Sharma
2017-12-04 16:06:45 UTC
Permalink
Hi Stephen,

Below is my login pam file :

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so restore should only be followed by sessions to be executed in the user context
session required pam_selinux.so restore
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so


Can you Please check if this is fine.
Post by Aman Sharma
Hi Stephen,
I got the below logs from the file .Can you please if these logs are fine
journalctl | grep selinux
Dec 05 02:55:46 localhost.localdomain kernel: EVM: security.selinux
Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain
type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0 auid=0 ses=2
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open
grantors=pam_selinux,pam_loginuid,pam_selinux,pam_
namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog
acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 addr=10.97.7.209
terminal=ssh res=success'
Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain
type=USER_START msg=audit(1512402970.131:108): pid=7568 uid=0 auid=0 ses=3
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open
grantors=pam_selinux,pam_loginuid,pam_selinux,pam_
namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog
acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209 addr=10.97.7.209
terminal=ssh res=success'
Please let me know if any comments are there.
Post by Stephen Smalley
Post by Aman Sharma
Hi All,
Thanks for the information.
But after resetting the semanage User/login, and moving the targeted
folder to old one and then install the default target. then also its
still showing the
Id context as context=system_u:system_r:unconfined_t:s0-s0:c0.c1023.
What I observed is after changing the permission using semanage
command also, its still showing the system_u:system_r.
semanage login -l
Login Name SELinux User MLS/MCS Range
Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range
SELinux Roles
guest_u user s0 s0
guest_r
root user s0 s0-s0:c0.c1023
staff_r sysadm_r system_r unconfined_r
staff_u user s0 s0-s0:c0.c1023
staff_r sysadm_r system_r unconfined_r
sysadm_u user s0 s0-s0:c0.c1023
sysadm_r
system_u user s0 s0-s0:c0.c1023
system_r unconfined_r
unconfined_u user s0 s0-s0:c0.c1023
system_r unconfined_r
user_u user s0 s0
user_r
xguest_u user s0 s0
xguest_r
Looks like its related to some other issue. What you think about this.
Do you have any relevant error messages in /var/log/secure or
journalctl -rb? Look for anything that refers to selinux or context.
I'm guessing that pam_selinux is unable to determine a valid context
for your login for some reason, and this is causing it to fall back to
this one. Or something like that.
You could try to emulate this process via selinuxdefcon, although I'm
1. See what context sshd is running in.
ps -eZ | grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023
2. Run selinuxdefcon to compute the default context for root when
# Second argument should be whatever was shown by ps -eZ | grep sshd
above.
selinuxdefcon root system_u:system_r:sshd_t:s0-s0.c0123
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
--
Thanks
Aman
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Stephen Smalley
2017-12-04 16:09:44 UTC
Permalink
Post by Aman Sharma
Hi Stephen,
I got the below logs from the file .Can you please if these logs are
journalctl | grep selinux
Dec 05 02:55:46 localhost.localdomain kernel: EVM: security.selinux
Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain
type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0 auid=0
ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:session_open
grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyin
it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog
acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209
addr=10.97.7.209 terminal=ssh res=success'
Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain
type=USER_START msg=audit(1512402970.131:108): pid=7568 uid=0 auid=0
ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:session_open
grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyin
it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog
acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209
addr=10.97.7.209 terminal=ssh res=success'
Please let me know if any comments are there.
Those are normal. Check journalctl and /var/log/secure for any errors
from sshd.
Also try the selinuxdefcon command I mentioned.
Post by Aman Sharma
Post by Simon Sekidde
Post by Aman Sharma
Hi All,
Thanks for the information.
But after resetting the semanage User/login, and moving the
targeted
Post by Aman Sharma
folder to old one and then install the default target. then also
its
Post by Aman Sharma
still showing the 
Id context as context=system_u:system_r:unconfined_t:s0-
s0:c0.c1023.
Post by Aman Sharma
What I observed is after changing the permission using semanage
command also, its still showing the system_u:system_r. 
semanage login -l
Login Name           SELinux User         MLS/MCS Range       
Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                     SELinux Roles
guest_u         user       s0         s0                            guest_r
root            user       s0         s0-s0:c0.c1023                staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                sysadm_r
system_u        user       s0         s0-s0:c0.c1023                system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                system_r unconfined_r
user_u          user       s0         s0                            user_r
xguest_u        user       s0         s0                            xguest_r
Looks like its related to some other issue. What you think about this.
Do you have any relevant error messages in /var/log/secure or
journalctl -rb?  Look for anything that refers to selinux or
context.
I'm guessing that pam_selinux is unable to determine a valid
context
for your login for some reason, and this is causing it to fall back to
this one.  Or something like that.
You could try to emulate this process via selinuxdefcon, although I'm
1. See what context sshd is running in.
ps -eZ | grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023
2. Run selinuxdefcon to compute the default context for root when
# Second argument should be whatever was shown by ps -eZ | grep sshd
above.
selinuxdefcon root system_u:system_r:sshd_t:s0-s0.c0123
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-- 
Thanks
Aman
Aman Sharma
2017-12-04 16:34:48 UTC
Permalink
Hi Stephen,

Thanks a lot for the help.

I got the issue. It's due to the problem in /etc/pam.d/sshd file.

After fixing this, now it is working fine. Thanks a lot once again.
Post by Stephen Smalley
Post by Aman Sharma
Hi Stephen,
I got the below logs from the file .Can you please if these logs are
journalctl | grep selinux
Dec 05 02:55:46 localhost.localdomain kernel: EVM: security.selinux
Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain
type=USER_START msg=audit(1512402970.129:107): pid=7145 uid=0 auid=0
ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:session_open
grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyin
it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog
acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209
addr=10.97.7.209 terminal=ssh res=success'
Dec 04 21:26:10 cucm audispd[569]: node=localhost.localdomain
type=USER_START msg=audit(1512402970.131:108): pid=7568 uid=0 auid=0
ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:session_open
grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyin
it,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog
acct="root" exe="/usr/sbin/sshd" hostname=10.97.7.209
addr=10.97.7.209 terminal=ssh res=success'
Please let me know if any comments are there.
Those are normal. Check journalctl and /var/log/secure for any errors
from sshd.
Also try the selinuxdefcon command I mentioned.
Post by Aman Sharma
Post by Simon Sekidde
Post by Aman Sharma
Hi All,
Thanks for the information.
But after resetting the semanage User/login, and moving the
targeted
Post by Aman Sharma
folder to old one and then install the default target. then also
its
Post by Aman Sharma
still showing the
Id context as context=system_u:system_r:unconfined_t:s0-
s0:c0.c1023.
Post by Aman Sharma
What I observed is after changing the permission using semanage
command also, its still showing the system_u:system_r.
semanage login -l
Login Name SELinux User MLS/MCS Range
Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range
SELinux Roles
guest_u user s0 s0
guest_r
root user s0 s0-s0:c0.c1023
staff_r sysadm_r system_r unconfined_r
staff_u user s0 s0-s0:c0.c1023
staff_r sysadm_r system_r unconfined_r
sysadm_u user s0 s0-s0:c0.c1023
sysadm_r
system_u user s0 s0-s0:c0.c1023
system_r unconfined_r
unconfined_u user s0 s0-s0:c0.c1023
system_r unconfined_r
user_u user s0 s0
user_r
xguest_u user s0 s0
xguest_r
Looks like its related to some other issue. What you think about this.
Do you have any relevant error messages in /var/log/secure or
journalctl -rb? Look for anything that refers to selinux or context.
I'm guessing that pam_selinux is unable to determine a valid context
for your login for some reason, and this is causing it to fall back to
this one. Or something like that.
You could try to emulate this process via selinuxdefcon, although I'm
not sure how closely it matches pam_selinux anymore. Sample
1. See what context sshd is running in.
ps -eZ | grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023
2. Run selinuxdefcon to compute the default context for root when
# Second argument should be whatever was shown by ps -eZ | grep sshd above.
selinuxdefcon root system_u:system_r:sshd_t:s0-s0:c0.c1023
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
--
Thanks
Aman
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Stephen Smalley
2017-12-04 16:38:02 UTC
Post by Aman Sharma
Hi Stephen,
Thanks a lot for the help.
I got the issue. It's due to the problem in the /etc/pam.d/sshd file.
After fixing this, it is now working fine. Thanks a lot once again.
Ok, can you explain what exactly was wrong in your /etc/pam.d/sshd
file, so that if someone else encounters this behavior in the future,
they can find a solution in the list archives?
Aman Sharma
2017-12-05 08:32:37 UTC
Hi Stephen,

Below are the changes which I made in the Login and ssh files:

cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
# Used with polkit to reauthorize users in remote sessions
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
# Used with polkit to reauthorize users in remote sessions


cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so restore should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so

Please let me know if any comments are there.
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
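The comments in the two PAM files above state ordering rules for pam_selinux.so in the session stack. The following is an added example, not part of the original post, that checks one pam.d service file against those rules; the function names, finding codes and both sample files are constructed for illustration, and rules pulled in through include lines are not followed.

```python
import re

# One PAM rule: type (optionally "-"-prefixed), control (a word or a
# [bracketed list]), module path, then module arguments.
RULE_RE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$"
)

# Constructed sample: the session stack in the order shown in the post.
GOOD_SSHD = """\
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
"""

# Constructed sample of a misordered stack (not taken from the thread).
BAD_SSHD = """\
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account include password-auth
password include password-auth
session required pam_loginuid.so
session required pam_selinux.so open env_params
session required pam_selinux.so close
session include password-auth
"""


def parse_pam(text):
    """Return (type, control, module, args) tuples for each rule line."""
    text = text.replace("\\\n", " ")          # join backslash-continued lines
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and "#%PAM-1.0"
        m = RULE_RE.match(line)
        if m:
            module = m.group("module").rsplit("/", 1)[-1]   # basename only
            rules.append((m.group("type"), m.group("control"),
                          module, m.group("args").split()))
    return rules


def _session_rules(text):
    return [r for r in parse_pam(text) if r[0] == "session"]


def check_selinux_session_order(text):
    """Return a list of (code, detail) findings; an empty list means OK."""
    session = _session_rules(text)
    selinux = [(i, r[3]) for i, r in enumerate(session)
               if r[2] == "pam_selinux.so"]
    if not selinux:
        return [("NO_PAM_SELINUX", "no pam_selinux.so session rule in this file")]
    # A rule with neither argument is also reported as missing both, because
    # the files in the post use separate "close" and "open" rules.
    close_at = [i for i, args in selinux if "close" in args]
    open_at = [i for i, args in selinux if "open" in args]
    findings = []
    if not close_at:
        findings.append(("CLOSE_MISSING", "no 'pam_selinux.so close' rule"))
    elif close_at[0] != 0:
        findings.append(("CLOSE_NOT_FIRST",
                         "first session rule is " + session[0][2]))
    if not open_at:
        findings.append(("OPEN_MISSING", "no 'pam_selinux.so open' rule"))
    elif close_at and open_at[0] < close_at[0]:
        findings.append(("OPEN_BEFORE_CLOSE",
                         "'open' rule precedes the 'close' rule"))
    return findings


def modules_after_open(text):
    """Session modules listed after 'pam_selinux.so open', for manual review."""
    session = _session_rules(text)
    for i, rule in enumerate(session):
        if rule[2] == "pam_selinux.so" and "open" in rule[3]:
            return [s[2] for s in session[i + 1:]]
    return []


if __name__ == "__main__":
    for name, sample in (("good", GOOD_SSHD), ("bad", BAD_SSHD)):
        print(name, check_selinux_session_order(sample),
              modules_after_open(sample))
```

On a real host, pass the contents of /etc/pam.d/sshd or /etc/pam.d/login to check_selinux_session_order and compare the result with the context reported by id after a fresh login.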
Dominick Grift
2017-12-05 08:40:04 UTC
Post by Aman Sharma
Hi Stephen,
cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
side note: this is a "bug"
https://src.fedoraproject.org/rpms/openssh/c/e044c5cf76618b023a4315f41fe126c80c06b833?branch=master
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Aman Sharma
2017-12-05 09:04:26 UTC
Is this a bug in CentOS 7.3?
Post by Dominick Grift
Post by Aman Sharma
Hi Stephen,
cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
side note: this is a "bug"
https://src.fedoraproject.org/rpms/openssh/c/e044c5cf76618b023a4315f41fe126c80c06b833?branch=master
--
Thanks
Aman
Cell: +91 9990296404 | Email ID : ***@gmail.com
Dominick Grift
2017-12-05 09:13:49 UTC
Post by Aman Sharma
Is this a bug in CentOS 7.3?
I suppose... but it will only affect you if you actually leverage pam_sepermit (i.e., if you edit /etc/security/sepermit.conf).
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Stephen Smalley
2017-12-01 19:26:56 UTC
Post by Aman Sharma
Hi Stephen,
After resetting the SELinux targeted folder also (the steps you mentioned
in the earlier mail), it is still showing the same id context, i.e.
id
uid=0(root) gid=0(root) groups=0(root)
context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
system_u:system_r:unconfined_t:s0-s0:c0.c1023
And semanage login -l is showing blank output.
Do you have any idea about this?
The second part seems to be a bug in the policy package. To fix, try
this:
cp /etc/selinux/targeted/seusers /etc/selinux/targeted/active