Can't access via ssh when user is sysadm_u.

Support for security such as Firewalls and securing linux
bryn1u
Posts: 40
Joined: 2010/04/09 15:38:07

Post by bryn1u » 2016/09/23 08:32:32

Hello,

I have made a user called bryn1u. I've assigned him to sysadm_u because I want to be able to log in as a superuser (su). After that I connected via ssh, but it doesn't work. Where is the problem? I checked with user_u and it works like a charm.

```
[root@proton ~]# semanage login -a -s sysadm_u bryn1u
[root@proton ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
bryn1u               user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
[root@proton ~]# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

bryn1u          user       s0         s0                             user_r sysadm_r
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
[root@proton ~]# ^C
```

Logs from /var/log/secure

```
Sep 23 10:26:18 proton sshd[16522]: Accepted password for bryn1u from 213.189.55.149 port 13348 ssh2
Sep 23 10:26:18 proton sshd[16522]: pam_selinux(sshd:session): Unable to get valid context for bryn1u
Sep 23 10:26:18 proton sshd[16522]: pam_unix(sshd:session): session opened for user bryn1u by (uid=0)
Sep 23 10:26:18 proton sshd[16522]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Sep 23 10:26:18 proton sshd[16522]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
Sep 23 10:26:18 proton sshd[16527]: Received disconnect from 213.189.55.149: 11: disconnected by user
```

Regards,
Last edited by bryn1u on 2016/09/23 09:25:25, edited 1 time in total.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Can't access via ssh when user is sysadm_u.

Post by TrevorH » 2016/09/23 09:24:59

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

bryn1u
Posts: 40
Joined: 2010/04/09 15:38:07

Re: Can't access via ssh when user is sysadm_u.

Post by bryn1u » 2016/09/27 09:24:31

chcon system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd

or

I had the same problem. I dug into the issue and the problem was that the `pam_selinux.so` module was not loaded in the `/etc/pam.d/sshd` file. Please modify it and add these two lines to resolve this issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
session required pam_selinux.so close
session required pam_selinux.so open env_params
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This resolved my issue. Hope this will help you.

dob
Posts: 1
Joined: 2017/06/30 19:19:54

Re: Can't access via ssh when user is sysadm_u.

Post by dob » 2017/06/30 19:21:47

setsebool -P ssh_sysadm_login 1
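
The checks this thread touches on (the login-to-SELinux-user mapping, the two `pam_selinux.so` session lines in `/etc/pam.d/sshd`, the `ssh_sysadm_login` boolean and the `/var/log/secure` failure message), collected into a triage script. This is an added example, not part of the original thread; the function names and the sample inputs (user `alice`, host name, address) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Triage helpers for "pam_selinux: Unable to get valid context" (added example).

# SELinux user mapped to login $1, from `semanage login -l` output on stdin;
# falls back to the __default__ row when the login has no row of its own.
selinux_user_for() {
  awk -v u="$1" '$1 == u { hit = $2 } $1 == "__default__" { def = $2 }
                 END { print (hit != "" ? hit : def) }'
}

# True only if PAM file $1 has session lines for pam_selinux.so close AND open.
pam_selinux_ok() {
  local re='^[[:space:]]*session[[:space:]]+[^#]*pam_selinux\.so[[:space:]]+'
  grep -Eq "${re}close" "$1" && grep -Eq "${re}open" "$1"
}

# Unique login names for which sshd's pam_selinux failed, from log file $1.
context_failures() {
  sed -n 's/.*pam_selinux(sshd:session): Unable to get valid context for //p' "$1" | sort -u
}

# State of the ssh_sysadm_login boolean: on, off, or unknown (no SELinux tools).
sysadm_login_bool() {
  local out
  out=$(getsebool ssh_sysadm_login 2>/dev/null) || { echo unknown; return 0; }
  echo "${out##* }"
}

# Constructed sample inputs, modelled on the output quoted in the thread.
write_samples() {
  printf '%s\n' \
    '__default__          unconfined_u         s0-s0:c0.c1023       *' \
    'alice                sysadm_u             s0-s0:c0.c1023       *' > "$1/logins"
  printf '%s\n' \
    'session    required     pam_selinux.so close' \
    'session    required     pam_loginuid.so' \
    '#session   required     pam_selinux.so open env_params' > "$1/pam_sshd"
  printf '%s\n' \
    'Jan  1 00:00:00 host sshd[100]: Accepted password for alice from 192.0.2.10 port 50000 ssh2' \
    'Jan  1 00:00:00 host sshd[100]: pam_selinux(sshd:session): Unable to get valid context for alice' > "$1/secure"
}

tmp=$(mktemp -d) && write_samples "$tmp"
echo "alice maps to: $(selinux_user_for alice < "$tmp/logins")"
pam_selinux_ok "$tmp/pam_sshd" || echo "pam_selinux.so open/close pair incomplete"
echo "context failures: $(context_failures "$tmp/secure")"
echo "ssh_sysadm_login: $(sysadm_login_bool)"
```

On a live host, feed `selinux_user_for` from `semanage login -l` and point the other helpers at `/etc/pam.d/sshd` and `/var/log/secure`.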
