From: Dominick Grift <dominick.grift@defensec.nl>
To: Peter Whittaker <peterwhittaker@sphyrnasecurity.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: Defining SELinux users, "Unable to get valid context...". Help!
Date: Fri, 12 Feb 2021 08:22:39 +0100
Message-ID: <ypjlblcppx6o.fsf@defensec.nl>
In-Reply-To: <CAGeouKF3jSsvDosCWDb3q4RSq8g1RiZma6V1N=1ZaSUtf2TadA@mail.gmail.com> (Peter Whittaker's message of "Thu, 11 Feb 2021 15:12:54 -0500")
Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes:
> Good afternoon,
>
> BLUF: Logging in via SSH or directly at the console results
> in "Unable to get valid context...". Help! Much info included.
>
> I'm working on a software diode implementing a linear assured pipeline
> which is secured with SELinux. As part of this, I am defining a number
> of SELinux users, with the goal being that Linux users belonging to a
> specific Linux group will, at login, be assigned to the applicable
> SELinux user, then role, then type, etc.
>
> However. When I log in as my test user, icmc01, via the console or via
> SSH, I get the message "Unable to get valid context for icmc01". A
> check with "id -Z" shows that my test user has the following context:
>
> system_u:system_r:unconfined_t:s0-s0:c0.c1023
>
> I really want them to have the context:
>
> CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0-s0:c0.c1023
>
> (In fact, I don't care about the MLS/MCS portion, I am more than happy
> to accept system defaults; I'm really only going for the MAC.)
>
> What follows is everything I could think to include, from their passwd
> entry and the group file to semanage settings, from the contexts and
> content of various SELinux configuration files to the relevant snips
> of the TE file itself.
A few things that I could find but that are needed for computing
contexts are:
The login programs need to be allowed to manually transition to the user
type. So for example if you want to login with sshd_t:
allow sshd_t xferHigh2Local_t:process transition;
The user type needs to be a bin and shell entry type:
allow xferHigh2Local_t { bin_t shell_exec_t }:file entrypoint;
There is probably more that I am overlooking but these, I think, are an
important part for computation of contexts.
See where those get you.
>
> NOTE: This is all under permissive mode, targeted policy.
>
> Any insight or direction will be much appreciated, I am tearing out
> my hair. Thank you!
>
> % grep icmc01 /etc/passwd
> icmc01:x:2105:2105::/home/icmc01:/bin/bash
>
> % grep 2105 /etc/group
> CDTml_high2local:x:2105:
>
> % semanage login -l |grep CDTml_high2local_u
> %CDTml_high2local CDTml_high2local_u s0-s0:c0.c1023 *
>
> % semanage user -l |grep CDTml_high2local_u
> CDTml_high2local_u user s0 s0-s0:c0.c1023
> CDTml_high2local_r
>
> % ls -lZ /etc/selinux/targeted/contexts/users/CDTml_high2local_u
> -rw-r--r--. root root system_u:object_r:default_context_t:s0
> /etc/selinux/targeted/contexts/users/CDTml_high2local_u
>
> % cat /etc/selinux/targeted/contexts/users/CDTml_high2local_u
> system_r:crond_t:s0
> CDTml_high2local_r:xferHigh2Local_t:s0
> system_r:initrc_su_t:s0
> CDTml_high2local_r:xferHigh2Local_t:s0
> system_r:local_login_t:s0
> CDTml_high2local_r:xferHigh2Local_t:s0
> system_r:remote_login_t:s0
> CDTml_high2local_r:xferHigh2Local_t:s0
> system_r:sshd_t:s0
> CDTml_high2local_r:xferHigh2Local_t:s0
> CDTml_high2local_r:xferHigh2Local_t:s0
> CDTml_high2local_r:xferHigh2Local_t:s0
>
> % ls -lZ /etc/selinux/targeted/contexts/default_*
> -rw-r--r--. root root system_u:object_r:default_context_t:s0
> /etc/selinux/targeted/contexts/default_contexts
> -rw-r--r--. root root system_u:object_r:default_context_t:s0
> /etc/selinux/targeted/contexts/default_type
>
> % cat /etc/selinux/targeted/contexts/default_contexts
> system_r:crond_t:s0 system_r:system_cronjob_t:s0
> system_r:local_login_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
> system_r:remote_login_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
> system_r:sshd_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
> system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
> system_r:xdm_t:s0 user_r:user_t:s0
>
> % uname -a
> Linux localhost.localdomain 3.10.0-1160.6.1.el7.x86_64 #1 SMP Wed Oct 21 13:44:38 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux
>
> % more /etc/redhat-release
> Red Hat Enterprise Linux Server release 7.9 (Maipo)
>
> % yum info installed \*selinux\*|grep -A3 '^Name'
> Name : libselinux
> Arch : x86_64
> Version : 2.5
> Release : 15.el7
> --
> Name : libselinux-python
> Arch : x86_64
> Version : 2.5
> Release : 15.el7
> --
> Name : libselinux-utils
> Arch : x86_64
> Version : 2.5
> Release : 15.el7
> --
> Name : selinux-policy
> Arch : noarch
> Version : 3.13.1
> Release : 268.el7_9.2
> --
> Name : selinux-policy-devel
> Arch : noarch
> Version : 3.13.1
> Release : 268.el7_9.2
> --
> Name : selinux-policy-targeted
> Arch : noarch
> Version : 3.13.1
> Release : 268.el7_9.2
>
> % grep -C3 CDTml_high2local_r CDTml.te
> # and grant them access to our types
> role CDTml_low2local_r;
> role CDTml_local2high_r;
> role CDTml_high2local_r;
> role CDTml_local2low_r;
> role CDTml_auditor_r;
>
> allow system_r {
> CDTml_low2local_r
> CDTml_local2high_r
> CDTml_high2local_r
> CDTml_local2low_r
> CDTml_auditor_r
> };
> allow unconfined_r {
> CDTml_low2local_r
> CDTml_local2high_r
> CDTml_high2local_r
> CDTml_local2low_r
> CDTml_auditor_r
> };
> --
> xferLocal2High_t
> xferLocal2High_exec_t
> };
> role CDTml_high2local_r types {
> xferHigh2Local_t
> xferHigh2Local_exec_t
> };
>
> % tail -f /var/log/secure
> Feb 11 14:57:44 localhost login: pam_selinux(login:session): Open Session
> Feb 11 14:57:44 localhost login: pam_selinux(login:session): Open Session
> Feb 11 14:57:44 localhost login: pam_selinux(login:session): Username= icmc01 SELinux User= CDTml_high2local_u Level= s0-s0:c0.c1023
> Feb 11 14:57:44 localhost login: pam_selinux(login:session): Unable to get valid context for icmc01
> Feb 11 14:57:44 localhost login: pam_unix(login:session): session opened for user icmc01 by LOGIN(uid=0)
> Feb 11 14:57:44 localhost login: LOGIN ON tty2 BY icmc01
>
>
> Peter Whittaker
> Director, Business Development
> www.SphyrnaSecurity.com
> +1 613 864 5337
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
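Added example, not code from this thread or from the SELinux project: a simplified Python model of the context computation Dominick's reply describes, built from the values in Peter's mail. It assumes the policy's allow rules are given as (source type, target type, class, permission) tuples and checks only role membership plus the two rules named above (process transition from the login domain, file entrypoint on bin_t/shell_exec_t); the real libselinux and kernel logic performs further checks.

```python
# Added example, not code from the thread: a simplified model of how a login
# context for an SELinux user is chosen. It checks only role membership plus
# the two rules the reply names (process transition from the login domain and
# file entrypoint on bin_t/shell_exec_t); libselinux and the kernel do more.

# Constructed policy facts, taken from the values shown in the thread.
SEUSER_ROLES = {"CDTml_high2local_u": {"CDTml_high2local_r"}}
ROLE_TYPES = {"CDTml_high2local_r": {"xferHigh2Local_t", "xferHigh2Local_exec_t"}}
LOGIN_RANGE = "s0-s0:c0.c1023"  # range from 'semanage login -l'
# contexts/users/CDTml_high2local_u: login context and candidates on one line.
USERS_FILE = "system_r:local_login_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0\n"

def parse_contexts(text):
    """Map each 'role:type:level' login context to its ordered candidates."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            table.setdefault(fields[0], []).extend(fields[1:])
    return table

def choose_login_context(login_ctx, seuser, allows):
    """First candidate the policy lets login_ctx reach, or None.
    allows: set of (source_type, target_type, class, perm) tuples."""
    login_type = login_ctx.split(":")[1]
    for cand in parse_contexts(USERS_FILE).get(login_ctx, []):
        role, ctype, _level = cand.split(":", 2)
        if role not in SEUSER_ROLES.get(seuser, set()):
            continue  # role not granted to this SELinux user
        if ctype not in ROLE_TYPES.get(role, set()):
            continue  # type not authorised for the role
        if (login_type, ctype, "process", "transition") not in allows:
            continue  # login domain may not transition to the user type
        if not any((ctype, ep, "file", "entrypoint") in allows
                   for ep in ("bin_t", "shell_exec_t")):
            continue  # user type has no entrypoint for a shell
        return f"{seuser}:{role}:{ctype}:{LOGIN_RANGE}"
    return None

# As posted: roles and types declared, but neither rule from the reply.
POLICY_BEFORE = set()
# With the two rules from the reply added for local_login_t.
POLICY_AFTER = {("local_login_t", "xferHigh2Local_t", "process", "transition"),
                ("xferHigh2Local_t", "shell_exec_t", "file", "entrypoint")}

if __name__ == "__main__":
    for label, allows in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        ctx = choose_login_context("system_r:local_login_t:s0", "CDTml_high2local_u", allows)
        print(label, ctx or "Unable to get valid context")
```

Running it prints the "Unable to get valid context" outcome for the policy as posted and the wanted CDTml_high2local_u context once the two rules are present.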