Re: PAM Security related issue

2017-12-13 Thread Aman Sharma
Hi All,

Below is the output of the semanage user command for sftpuser:

specialuser_u   user   s0   s0   sysadm_r system_r

and for the command semanage login -l, the output is:

sftpuser   specialuser_u   s0

And also, after adding the debug option, it's showing the below error
messages:

Dec 13 15:46:10 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session): Unable
to get valid context for sftpuser

Dec 13 15:46:10 cucmSUB authpriv 5 sshd: pam_selinux(sshd:session): Open
Session

Dec 13 15:46:11 cucmSUB authpriv 7 sshd: pam_selinux(sshd:session):
Username= sftpuser SELinux User= specialuser_u Level= s0

Dec 13 15:46:11 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session): Unable
to get valid context for sftpuser


Also, the selinuxdefcon command shows an error when run for sftpuser, i.e.

sudo /usr/sbin/selinuxdefcon sftpuser system_u:system_r:sshd_t:s0

/usr/sbin/selinuxdefcon: Invalid argument


Please let me know your comments on this.


Thanks

Aman

On Thu, Dec 14, 2017 at 12:45 AM, Stephen Smalley  wrote:

> On Wed, 2017-12-13 at 21:40 +0530, Aman Sharma wrote:
> > Hi Stephen,
> >
> > Yes, I am using open env_params for it. But with this, my sftp is not
> > working and I am getting the below error message:
> >
> > Dec 13 13:00:00 aman authpriv 3 sshd: pam_selinux(sshd:session):
> > Unable to get valid context for sftpuser
> > Dec 13 13:00:00 aman authpriv 6 sshd: pam_unix(sshd:session): session
> > opened for user sftpuser by (uid=0)
> >
> > Please let me know if you have any idea on this.
>
> Do you have any semanage login mapping for sftpuser or is it just using
> the __default__ entry? (what does semanage login -l show)  How was
> sftpuser created?
>
> You could add the debug option on the pam_selinux.so line to try to get
> more information.
>
> You could run selinuxdefcon to query what context would be used for
> that user, e.g.
> selinuxdefcon sftpuser system_u:system_r:sshd_t:s0-s0.c0123
>
> >
> > On Wed, Dec 13, 2017 at 8:54 PM, Stephen Smalley 
> > wrote:
> > > On Tue, 2017-12-12 at 23:47 -0500, Aman Sharma wrote:
> > > > Hi All,
> > > >
> > > > just wanted to know the meaning of line session    required
> > > >  pam_selinux.so open env_params added in /etc/pam.d/sshd file.
> > > > Actually I am facing one issue related to this. When I changed
> > > this
> > > > env_params to restore then my Sftp is not working.
> > > >
> > > > Can anybody Please guide me on this.
> > >
> > > man pam_selinux describes the options and what they mean.
> > > Why did you change it to restore?  Per the man page, restore is to
> > > temporarily restore the contexts and would be a separate entry in
> > > the
> > > PAM stack before the module that needs the original contexts,
> > > followed
> > > by a pam_selinux.so open env_params after that module to set them
> > > up
> > > again.  But don't use restore unless you actually need it for some
> > > reason.
> > >
> > >
> > >
> > >
> >
> >
> >
> > --
> >
> > Thanks
> > Aman
> > Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com
>



-- 

Thanks
Aman
Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com


Re: PAM Security related issue

2017-12-13 Thread Stephen Smalley
On Wed, 2017-12-13 at 21:40 +0530, Aman Sharma wrote:
> Hi Stephen,
> 
> Yes, I am using open env_params for it. But with this, my sftp is not
> working and I am getting the below error message:
> 
> Dec 13 13:00:00 aman authpriv 3 sshd: pam_selinux(sshd:session):
> Unable to get valid context for sftpuser
> Dec 13 13:00:00 aman authpriv 6 sshd: pam_unix(sshd:session): session
> opened for user sftpuser by (uid=0)
> 
> Please let me know if you have any idea on this.

Do you have any semanage login mapping for sftpuser or is it just using
the __default__ entry? (what does semanage login -l show)  How was
sftpuser created?

You could add the debug option on the pam_selinux.so line to try to get
more information.

You could run selinuxdefcon to query what context would be used for
that user, e.g.
selinuxdefcon sftpuser system_u:system_r:sshd_t:s0-s0.c0123

> 
> On Wed, Dec 13, 2017 at 8:54 PM, Stephen Smalley 
> wrote:
> > On Tue, 2017-12-12 at 23:47 -0500, Aman Sharma wrote:
> > > Hi All,
> > >
> > > just wanted to know the meaning of line session    required   
> > >  pam_selinux.so open env_params added in /etc/pam.d/sshd file.
> > > Actually I am facing one issue related to this. When I changed
> > this
> > > env_params to restore then my Sftp is not working. 
> > >
> > > Can anybody Please guide me on this.
> > 
> > man pam_selinux describes the options and what they mean.
> > Why did you change it to restore?  Per the man page, restore is to
> > temporarily restore the contexts and would be a separate entry in
> > the
> > PAM stack before the module that needs the original contexts,
> > followed
> > by a pam_selinux.so open env_params after that module to set them
> > up
> > again.  But don't use restore unless you actually need it for some
> > reason.
> > 
> > 
> > 
> > 
> 
> 
> 
> -- 
> 
> Thanks
> Aman
> Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com


Re: PAM Security related issue

2017-12-13 Thread Dominick Grift
On Wed, Dec 13, 2017 at 09:40:25PM +0530, Aman Sharma wrote:
> Hi Stephen,
> 
> Yes, I am using open env_params for it. But with this, my sftp is not
> working and I am getting the below error message:
> 
> Dec 13 13:00:00 aman authpriv 3 sshd: pam_selinux(sshd:session): Unable to
> get valid context for sftpuser
> Dec 13 13:00:00 aman authpriv 6 sshd: pam_unix(sshd:session): session
> opened for user sftpuser by (uid=0)

Not sure if this is actually the issue but:

AFAIK the user must have access to "context contains" for env_params

See if the context assoc. with the sftpuser process has access to context 
contains

> 
> Please let me know if you have any idea on this.
> 
> On Wed, Dec 13, 2017 at 8:54 PM, Stephen Smalley  wrote:
> 
> > On Tue, 2017-12-12 at 23:47 -0500, Aman Sharma wrote:
> > > Hi All,
> > >
> > > just wanted to know the meaning of line session    required
> > >  pam_selinux.so open env_params added in /etc/pam.d/sshd file.
> > > Actually I am facing one issue related to this. When I changed this
> > > env_params to restore then my Sftp is not working.
> > >
> > > Can anybody Please guide me on this.
> >
> > man pam_selinux describes the options and what they mean.
> > Why did you change it to restore?  Per the man page, restore is to
> > temporarily restore the contexts and would be a separate entry in the
> > PAM stack before the module that needs the original contexts, followed
> > by a pam_selinux.so open env_params after that module to set them up
> > again.  But don't use restore unless you actually need it for some
> > reason.
> >
> >
> >
> >
> 
> 
> -- 
> 
> Thanks
> Aman
> Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift




Re: PAM Security related issue

2017-12-13 Thread Aman Sharma
Hi Stephen,

Yes, I am using open env_params for it. But with this, my sftp is not
working and I am getting the below error message:

Dec 13 13:00:00 aman authpriv 3 sshd: pam_selinux(sshd:session): Unable to
get valid context for sftpuser
Dec 13 13:00:00 aman authpriv 6 sshd: pam_unix(sshd:session): session
opened for user sftpuser by (uid=0)

Please let me know if you have any idea on this.

On Wed, Dec 13, 2017 at 8:54 PM, Stephen Smalley  wrote:

> On Tue, 2017-12-12 at 23:47 -0500, Aman Sharma wrote:
> > Hi All,
> >
> > just wanted to know the meaning of line session    required
> >  pam_selinux.so open env_params added in /etc/pam.d/sshd file.
> > Actually I am facing one issue related to this. When I changed this
> > env_params to restore then my Sftp is not working.
> >
> > Can anybody Please guide me on this.
>
> man pam_selinux describes the options and what they mean.
> Why did you change it to restore?  Per the man page, restore is to
> temporarily restore the contexts and would be a separate entry in the
> PAM stack before the module that needs the original contexts, followed
> by a pam_selinux.so open env_params after that module to set them up
> again.  But don't use restore unless you actually need it for some
> reason.
>
>
>
>


-- 

Thanks
Aman
Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com


Re: PAM Security related issue

2017-12-13 Thread Stephen Smalley
On Tue, 2017-12-12 at 23:47 -0500, Aman Sharma wrote:
> Hi All,
> 
> just wanted to know the meaning of line session    required   
>  pam_selinux.so open env_params added in /etc/pam.d/sshd file.
> Actually I am facing one issue related to this. When I changed this
> env_params to restore then my Sftp is not working. 
> 
> Can anybody Please guide me on this.

man pam_selinux describes the options and what they mean.
Why did you change it to restore?  Per the man page, restore is to
temporarily restore the contexts and would be a separate entry in the
PAM stack before the module that needs the original contexts, followed
by a pam_selinux.so open env_params after that module to set them up
again.  But don't use restore unless you actually need it for some
reason.




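The ordering rule Stephen describes (restore is only a temporary step before a module that needs the original contexts, and must be followed by another open env_params entry) can be checked mechanically. The following is an added example written for this page, not code from the thread or from pam_selinux; the three PAM service files it inspects are constructed samples and pam_needs_orig_ctx.so is a hypothetical module name, not a real one.

```python
"""Lint the pam_selinux.so entries of a PAM service file.

Added example; not code from the original thread or from pam_selinux itself.
It encodes the ordering rule from pam_selinux(8) cited in the thread: a
`restore` entry is only a temporary step placed before a module that needs
the original contexts and must be followed by another `open env_params`
entry, so a stack whose only pam_selinux session entry is `restore` never
sets a session context.  The service files below are constructed samples.
"""
import re

# Constructed: the poster's stack after replacing `open env_params` with `restore`.
BROKEN_SSHD = """\
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so restore
session    optional     pam_keyinit.so force revoke
"""

# Constructed: the usual layout, `close` first and `open env_params` afterwards.
OK_SSHD = """\
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
"""

# Constructed: the only legitimate use of restore, bracketing a module
# (hypothetical name) that needs the original contexts, then re-opening.
RESTORE_SSHD = """\
session    required     pam_selinux.so close
session    required     pam_selinux.so restore
session    required     pam_needs_orig_ctx.so
session    required     pam_selinux.so open env_params
"""

# type, control (a word such as "required" or a bracketed "[...]" form), module, options
LINE_RE = re.compile(r"^\s*session\s+(?:\S+|\[[^\]]*\])\s+pam_selinux\.so\s*(.*)$")


def pam_selinux_entries(text):
    """Return [(lineno, [option, ...])] for every session-phase pam_selinux.so line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((lineno, m.group(1).split()))
    return entries


def lint_pam_selinux(text):
    """Return a list of problems with the pam_selinux stack; [] means it looks sane."""
    problems = []
    entries = pam_selinux_entries(text)
    opens = [n for n, opts in entries if "open" in opts]
    restores = [n for n, opts in entries if "restore" in opts]

    if not opens:
        problems.append("no 'pam_selinux.so open' entry: no session context is ever set")
    for n in restores:
        # restore is temporary: an open entry must come later in the stack
        if not any(o > n for o in opens):
            problems.append("line %d: 'restore' is not followed by a later 'open' entry" % n)
    return problems


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_SSHD), ("ok", OK_SSHD), ("restore", RESTORE_SSHD)):
        print(name, lint_pam_selinux(text) or "OK")
```

Run against the broken sample it reports both that no open entry exists and that the restore entry is never followed by one; the stock layout and the bracketed restore layout pass. The lint does not check whether the selected context is valid for the user, which is what the pam_selinux debug output and selinuxdefcon are for.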

Re: [BUG]kernel softlockup due to sidtab_search_context run for long time because of too many sidtab context node

2017-12-13 Thread Stephen Smalley
On Wed, 2017-12-13 at 09:25 +, yangjihong wrote:
> Hello, 
> 
> I am doing stress testing on the 3.10 kernel (CentOS 7.4), constantly
> starting numbers of docker containers with selinux enabled,
> and after about 2 days, the kernel softlockup panics:
>    [] sched_show_task+0xb8/0x120
>  [] show_lock_info+0x20f/0x3a0
>  [] watchdog_timer_fn+0x1da/0x2f0
>  [] ? watchdog_enable_all_cpus.part.4+0x40/0x40
>  [] __hrtimer_run_queues+0xd2/0x260
>  [] hrtimer_interrupt+0xb0/0x1e0
>  [] local_apic_timer_interrupt+0x37/0x60
>  [] smp_apic_timer_interrupt+0x50/0x140
>  [] apic_timer_interrupt+0x6d/0x80
>    [] ? sidtab_context_to_sid+0xb3/0x480
>  [] ? sidtab_context_to_sid+0x110/0x480
>  [] ? mls_setup_user_range+0x145/0x250
>  [] security_get_user_sids+0x3f7/0x550
>  [] sel_write_user+0x12b/0x210
>  [] ? sel_write_member+0x200/0x200
>  [] selinux_transaction_write+0x48/0x80
>  [] vfs_write+0xbd/0x1e0
>  [] SyS_write+0x7f/0xe0
>  [] system_call_fastpath+0x16/0x1b
> 
> My opinion:
> when the docker container starts, it mounts an overlay filesystem
> with a different selinux context, mount points such as: 
> overlay on
> /var/lib/docker/overlay2/be3ef517730d92fc4530e0e952eae4f6cb0f07b4bc32
> 6cb07495ca08fc9ddb66/merged type overlay
> (rw,relatime,context="system_u:object_r:svirt_sandbox_file_t:s0:c414,
> c873",lowerdir=/var/lib/docker/overlay2/l/Z4U7WY6ASNV5CFWLADPARHHWY7:
> /var/lib/docker/overlay2/l/V2S3HOKEFEOQLHBVAL5WLA3YLS:/var/lib/docker
> /overlay2/l/46YGYO474KLOULZGDSZDW2JPRI,upperdir=/var/lib/docker/overl
> ay2/be3ef517730d92fc4530e0e952eae4f6cb0f07b4bc326cb07495ca08fc9ddb66/
> diff,workdir=/var/lib/docker/overlay2/be3ef517730d92fc4530e0e952eae4f
> 6cb0f07b4bc326cb07495ca08fc9ddb66/work)
> shm on
> /var/lib/docker/containers/9fd65e177d2132011d7b422755793449c91327ca57
> 7b8f5d9d6a4adf218d4876/shm type tmpfs
> (rw,nosuid,nodev,noexec,relatime,context="system_u:object_r:svirt_san
> dbox_file_t:s0:c414,c873",size=65536k)
> overlay on
> /var/lib/docker/overlay2/38d1544d080145c7d76150530d0255991dfb7258cbca
> 14ff6d165b94353eefab/merged type overlay
> (rw,relatime,context="system_u:object_r:svirt_sandbox_file_t:s0:c431,
> c651",lowerdir=/var/lib/docker/overlay2/l/3MQQXB4UCLFB7ANVRHPAVRCRSS:
> /var/lib/docker/overlay2/l/46YGYO474KLOULZGDSZDW2JPRI,upperdir=/var/l
> ib/docker/overlay2/38d1544d080145c7d76150530d0255991dfb7258cbca14ff6d
> 165b94353eefab/diff,workdir=/var/lib/docker/overlay2/38d1544d080145c7
> d76150530d0255991dfb7258cbca14ff6d165b94353eefab/work)
> shm on
> /var/lib/docker/containers/662e7f798fc08b09eae0f0f944537a4bcedc1dcf05
> a65866458523ffd4a71614/shm type tmpfs
> (rw,nosuid,nodev,noexec,relatime,context="system_u:object_r:svirt_san
> dbox_file_t:s0:c431,c651",size=65536k)
> 
> sidtab_search_context checks whether the context is in the sidtab
> list. If not found, a new node is generated and inserted into the list.
> As the number of containers increases, the number of context nodes
> also increases; in our tests the final number of nodes reached
> 300,000+, and sidtab_context_to_sid needs 100-200 ms per run, which
> leads to the system softlockup.
> 
> Is this a selinux bug? When a filesystem is unmounted, why is the
> context node not deleted? I cannot find the relevant function to
> delete the node in sidtab.c.
> 
> Thanks for reading and looking forward to your reply.

So, does docker just keep allocating a unique category set for every
new container, never reusing them even if the container is destroyed? 
That would be a bug in docker IMHO.  Or are you creating an unbounded
number of containers and never destroying the older ones?

On the selinux userspace side, we'd also like to eliminate the use of
/sys/fs/selinux/user (sel_write_user -> security_get_user_sids)
entirely, which is what triggered this for you.

We cannot currently delete a sidtab node because we have no way of
knowing if there are any lingering references to the SID.  Fixing that
would require reference-counted SIDs, which goes beyond just SELinux
since SIDs/secids are returned by LSM hooks and cached in other kernel
data structures.

sidtab_search_context() could no doubt be optimized for the negative
case; there was an earlier optimization for the positive case by adding
a cache to sidtab_context_to_sid() prior to calling it.  It's a reverse
lookup in the sidtab.


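The two points in the reply above, that sidtab_context_to_sid() is a reverse lookup whose miss case walks the table and that nodes are never freed, so the table stays bounded only if the caller reuses labels, can be made concrete with a small model. The following is an added example written for this page, not kernel code and not from the thread; the category allocator, the container churn, the two-mounts-per-container behaviour and the hashed variant are all constructed for the model and simplify the real sidtab.

```python
"""Model of the sidtab growth discussed above.

Added example; not kernel code and not from the thread.  It models the two
points in the reply: sidtab_context_to_sid() is a reverse lookup whose miss
(never-seen context) case in the 3.10-era table walks every node, and nodes
are never freed, so the table stays bounded only if the caller reuses labels.
The category allocator, container churn and mount behaviour are constructed
for the model; the indexed variant shows what a reverse hash index would buy.
"""
import itertools
import random


class SidTab:
    """Append-only SID table: nodes[sid] = context, reverse lookup by linear scan."""

    def __init__(self):
        self.nodes = []      # index is the SID; entries are never removed
        self.compares = 0    # work spent in reverse lookups

    def context_to_sid(self, ctx):
        for sid, existing in enumerate(self.nodes):   # a miss walks the whole table
            self.compares += 1
            if existing == ctx:
                return sid
        self.nodes.append(ctx)
        return len(self.nodes) - 1


class IndexedSidTab(SidTab):
    """Same append-only table with a reverse hash index: the miss case is O(1)."""

    def __init__(self):
        super().__init__()
        self.index = {}

    def context_to_sid(self, ctx):
        self.compares += 1
        sid = self.index.get(ctx)
        if sid is None:
            self.nodes.append(ctx)
            sid = len(self.nodes) - 1
            self.index[ctx] = sid
        return sid


def sandbox_context(c1, c2):
    """Container file label in the form seen in the mount output above."""
    return "system_u:object_r:svirt_sandbox_file_t:s0:c%d,c%d" % (c1, c2)


class CategoryAllocator:
    """Hands out MCS category pairs; with reuse=False, freed pairs are never reissued."""

    def __init__(self, reuse):
        self.reuse = reuse
        self.free = []
        self.fresh = itertools.combinations(range(1024), 2)   # c0..c1023

    def alloc(self):
        if self.reuse and self.free:
            return self.free.pop()
        return next(self.fresh)

    def release(self, pair):
        self.free.append(pair)


def run_churn(tab, reuse, churns, live=50, seed=1):
    """Start `churns` containers, keeping at most `live` running; return node count."""
    rng = random.Random(seed)
    alloc = CategoryAllocator(reuse)
    running = []
    for _ in range(churns):
        pair = alloc.alloc()
        ctx = sandbox_context(*pair)
        tab.context_to_sid(ctx)   # overlay mount with context=
        tab.context_to_sid(ctx)   # shm tmpfs mount with the same context=
        running.append(pair)
        if len(running) > live:
            alloc.release(running.pop(rng.randrange(len(running))))
    return len(tab.nodes)


if __name__ == "__main__":
    for reuse in (False, True):
        for cls in (SidTab, IndexedSidTab):
            tab = cls()
            n = run_churn(tab, reuse, churns=2000)
            print("%-14s reuse=%-5s nodes=%5d compares=%d" % (cls.__name__, reuse, n, tab.compares))
```

With reuse off, the node count equals the number of containers ever started and the linear table's comparison count grows quadratically (N starts cost N*N comparisons, since each new context first misses over every existing node); with reuse on, the node count stays at the live-container ceiling regardless of churn. The reverse index removes the quadratic cost but, as the reply notes, not the growth, because nothing here can tell when a SID is no longer referenced.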

[BUG]kernel softlockup due to sidtab_search_context run for long time because of too many sidtab context node

2017-12-13 Thread yangjihong
Hello, 

I am doing stress testing on the 3.10 kernel (CentOS 7.4), constantly starting 
numbers of docker containers with selinux enabled, and after about 2 days, the 
kernel softlockup panics:
   [] sched_show_task+0xb8/0x120
 [] show_lock_info+0x20f/0x3a0
 [] watchdog_timer_fn+0x1da/0x2f0
 [] ? watchdog_enable_all_cpus.part.4+0x40/0x40
 [] __hrtimer_run_queues+0xd2/0x260
 [] hrtimer_interrupt+0xb0/0x1e0
 [] local_apic_timer_interrupt+0x37/0x60
 [] smp_apic_timer_interrupt+0x50/0x140
 [] apic_timer_interrupt+0x6d/0x80
   [] ? sidtab_context_to_sid+0xb3/0x480
 [] ? sidtab_context_to_sid+0x110/0x480
 [] ? mls_setup_user_range+0x145/0x250
 [] security_get_user_sids+0x3f7/0x550
 [] sel_write_user+0x12b/0x210
 [] ? sel_write_member+0x200/0x200
 [] selinux_transaction_write+0x48/0x80
 [] vfs_write+0xbd/0x1e0
 [] SyS_write+0x7f/0xe0
 [] system_call_fastpath+0x16/0x1b

My opinion:
when the docker container starts, it mounts an overlay filesystem with a 
different selinux context, mount points such as: 
overlay on 
/var/lib/docker/overlay2/be3ef517730d92fc4530e0e952eae4f6cb0f07b4bc326cb07495ca08fc9ddb66/merged
 type overlay 
(rw,relatime,context="system_u:object_r:svirt_sandbox_file_t:s0:c414,c873",lowerdir=/var/lib/docker/overlay2/l/Z4U7WY6ASNV5CFWLADPARHHWY7:/var/lib/docker/overlay2/l/V2S3HOKEFEOQLHBVAL5WLA3YLS:/var/lib/docker/overlay2/l/46YGYO474KLOULZGDSZDW2JPRI,upperdir=/var/lib/docker/overlay2/be3ef517730d92fc4530e0e952eae4f6cb0f07b4bc326cb07495ca08fc9ddb66/diff,workdir=/var/lib/docker/overlay2/be3ef517730d92fc4530e0e952eae4f6cb0f07b4bc326cb07495ca08fc9ddb66/work)
shm on 
/var/lib/docker/containers/9fd65e177d2132011d7b422755793449c91327ca577b8f5d9d6a4adf218d4876/shm
 type tmpfs 
(rw,nosuid,nodev,noexec,relatime,context="system_u:object_r:svirt_sandbox_file_t:s0:c414,c873",size=65536k)
overlay on 
/var/lib/docker/overlay2/38d1544d080145c7d76150530d0255991dfb7258cbca14ff6d165b94353eefab/merged
 type overlay 
(rw,relatime,context="system_u:object_r:svirt_sandbox_file_t:s0:c431,c651",lowerdir=/var/lib/docker/overlay2/l/3MQQXB4UCLFB7ANVRHPAVRCRSS:/var/lib/docker/overlay2/l/46YGYO474KLOULZGDSZDW2JPRI,upperdir=/var/lib/docker/overlay2/38d1544d080145c7d76150530d0255991dfb7258cbca14ff6d165b94353eefab/diff,workdir=/var/lib/docker/overlay2/38d1544d080145c7d76150530d0255991dfb7258cbca14ff6d165b94353eefab/work)
shm on 
/var/lib/docker/containers/662e7f798fc08b09eae0f0f944537a4bcedc1dcf05a65866458523ffd4a71614/shm
 type tmpfs 
(rw,nosuid,nodev,noexec,relatime,context="system_u:object_r:svirt_sandbox_file_t:s0:c431,c651",size=65536k)

sidtab_search_context checks whether the context is in the sidtab list. If not 
found, a new node is generated and inserted into the list. As the number of 
containers increases, the number of context nodes also increases; in our tests the 
final number of nodes reached 300,000+, and sidtab_context_to_sid needs 100-200 ms 
per run, which leads to the system softlockup.

Is this a selinux bug? When a filesystem is unmounted, why is the context node not 
deleted? I cannot find the relevant function to delete the node in sidtab.c.

Thanks for reading and looking forward to your reply.




Re: [PATCH 2/4] sctp: Add ip option support

2017-12-13 Thread Paul Moore
On Tue, Dec 12, 2017 at 4:56 PM, Marcelo Ricardo Leitner
 wrote:
> On Tue, Dec 12, 2017 at 04:33:03PM -0500, Paul Moore wrote:
>> On Tue, Dec 12, 2017 at 11:08 AM, Marcelo Ricardo Leitner
>>  wrote:
>> > Hi Richard,
>> >
>> > On Mon, Nov 27, 2017 at 07:31:21PM +, Richard Haines wrote:
>> > ...
>> >> --- a/net/sctp/socket.c
>> >> +++ b/net/sctp/socket.c
>> >> @@ -3123,8 +3123,10 @@ static int sctp_setsockopt_maxseg(struct sock *sk, 
>> >> char __user *optval, unsigned
>> >>
>> >>   if (asoc) {
>> >>   if (val == 0) {
>> >> + struct sctp_af *af = sp->pf->af;
>> >>   val = asoc->pathmtu;
>> >> - val -= sp->pf->af->net_header_len;
>> >> + val -= af->ip_options_len(asoc->base.sk);
>> >> + val -= af->net_header_len;
>> >>   val -= sizeof(struct sctphdr) +
>> >>   sizeof(struct sctp_data_chunk);
>> >>   }
>> >
>> > Right below here there is a call to sctp_frag_point(). That function
>> > also needs this tweak.
>> >
>> > Yes, we should simplify all these calculations. I have a patch to use
>> > sctp_frag_point on where it is currently recalculating it on
>> > sctp_datamsg_from_user(), but probably should include other places as
>> > well.
>>
>> FYI: Richard let me know he is occupied with another project at the
>> moment and likely won't be able to do another respin until next week
>> at the earliest.
>
> Okay, thanks. I can do a follow-up patch if it helps.

I'll leave that up to you, I think your comments are pretty
straightforward and should be easy for Richard to incorporate, and
there is a lot to be said for including the fix in the original patch,
but if you would prefer to send a separate patch I think that's fine
too.

-- 
paul moore
www.paul-moore.com



[PATCH] python/semanage: make seobject.py backward compatible

2017-12-13 Thread Petr Lautrbach
Commit 985753f changed the behavior of the seobject class constructors. While
semanage itself was fixed, there are other tools like
system-config-selinux and chcat which depend on the original behavior.
This change makes the constructors backward compatible.

Fixes:
$ system-config-selinux
Traceback (most recent call last):
  File "/usr/share/system-config-selinux/system-config-selinux.py", line 196, 
in 
app = childWindow()
  File "/usr/share/system-config-selinux/system-config-selinux.py", line 100, 
in __init__
self.add_page(booleansPage.booleansPage(xml))
  File "/usr/share/system-config-selinux/booleansPage.py", line 142, in __init__
self.load(self.filter)
  File "/usr/share/system-config-selinux/booleansPage.py", line 212, in load
self.booleans = seobject.booleanRecords()
TypeError: __init__() missing 1 required positional argument: 'args'

Signed-off-by: Petr Lautrbach 
---
 python/semanage/seobject.py | 45 +
 1 file changed, 25 insertions(+), 20 deletions(-)

diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 770745e4..b927b184 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -240,17 +240,22 @@ class semanageRecords:
 store = None
 args = None
 
-def __init__(self, args):
+def __init__(self, args = None):
 global handle
-self.args = args
-try:
-self.noreload = args.noreload
-except:
-self.noreload = False
-self.sh = self.get_handle(args.store)
+if args:
+# legacy code - args was store originally
+if type(args) == str:
+self.store = args
+else:
+self.args = args
+self.noreload = getattr(args, "noreload", False)
+if not self.store:
+self.store = getattr(args, "store", "")
+
+self.sh = self.get_handle(self.store)
 
 rc, localstore = selinux.selinux_getpolicytype()
-if args.store == "" or args.store == localstore:
+if self.store == "" or self.store == localstore:
 self.mylog = logger()
 else:
 self.mylog = nulllogger()
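Review bot: self.noreload is no longer set on every path. Before this hunk it was always assigned (False when args had no such attribute); now `self.noreload = getattr(args, "noreload", False)` sits inside the `else` branch, so the legacy call with a store string and the new no-argument call both produce an instance without a noreload attribute, and any later `self.noreload` access raises AttributeError. Move that getattr out of the branch (it returns False for a str or None as well). In the same hunk, when args is None, self.store keeps the class default of None, so `self.sh = self.get_handle(self.store)` is called with None and the following `self.store == ""` comparison is false, sending a default-store caller to nulllogger(); initialising `self.store = ""` at the top of `__init__` fixes both. Finally, prefer `isinstance(args, str)` over `type(args) == str`, which also accepts str subclasses.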
@@ -331,7 +336,7 @@ class semanageRecords:
 
 class moduleRecords(semanageRecords):
 
-def __init__(self, args):
+def __init__(self, args = None):
 semanageRecords.__init__(self, args)
 
 def get_all(self):
@@ -443,7 +448,7 @@ class moduleRecords(semanageRecords):
 
 class dontauditClass(semanageRecords):
 
-def __init__(self, args):
+def __init__(self, args = None):
 semanageRecords.__init__(self, args)
 
 def toggle(self, dontaudit):
@@ -456,7 +461,7 @@ class dontauditClass(semanageRecords):
 
 class permissiveRecords(semanageRecords):
 
-def __init__(self, args):
+def __init__(self, args = None):
 semanageRecords.__init__(self, args)
 
 def get_all(self):
@@ -525,7 +530,7 @@ class permissiveRecords(semanageRecords):
 
 class loginRecords(semanageRecords):
 
-def __init__(self, args):
+def __init__(self, args = None):
 semanageRecords.__init__(self, args)
 self.oldsename = None
 self.oldserange = None
@@ -782,7 +787,7 @@ class loginRecords(semanageRecords):
 
 class seluserRecords(semanageRecords):
 
-def __init__(self, args):
+def __init__(self, args = None):
 semanageRecords.__init__(self, args)
 
 def get(self, name):
@@ -1045,7 +1050,7 @@ class portRecords(semanageRecords):
 except RuntimeError:
 valid_types = []
 
-def __init__(self, args):
+def __init__(self, args = None):
 semanageRecords.__init__(self, args)
 
 def __genkey(self, port, proto):
@@ -1320,7 +1325,7 @@ class ibpkeyRecords(semanageRecords):
 except:
 valid_types = []
 
-def __init__(self, args):
+def __init__(self, args = None):
 semanageRecords.__init__(self, args)
 
 def __genkey(self, pkey, subnet_prefix):
@@ -1573,7 +1578,7 @@ class ibendportRecords(semanageRecords):
 except:
 valid_types = []
 
-def __init__(self, args):
+def __init__(self, args = None):
 semanageRecords.__init__(self, args)
 
 def __genkey(self, ibendport, ibdev_name):
@@ -1809,7 +1814,7 @@ class nodeRecords(semanageRecords):
 except RuntimeError:
 valid_types = []
 
-def __init__(self, args):
+def __init__(self, args = None):
 semanageRecords.__init__(self, args)
 self.protocol = ["ipv4", "ipv6"]
 
@@ -2045,7 +2050,7 @@ class nodeRecords(semanageRecords):
 
 class interfaceRecords(semanageRecords):
 
-def __init__(self, args):
+def __init__(self, args = None):
 semanageRecords.__init__(self, args)
 
 def __add(self, interface, serange, ctype):
@@ -2242,7 +2247,7 @@ class fcontextRecords(semanageRecords):
 except RuntimeError:
 valid_types = []
 
-def __init__(self, args):
+def __init__(self, 

Re: PAM Security related issue

2017-12-13 Thread Aman Sharma
Also in the logs, I am getting the below error messages:


Dec 13 13:00:00 aman authpriv 3 sshd: pam_selinux(sshd:session): Unable to
get valid context for sftpuser
Dec 13 13:00:00 aman authpriv 6 sshd: pam_unix(sshd:session): session
opened for user sftpuser by (uid=0)

On Wed, Dec 13, 2017 at 10:17 AM, Aman Sharma 
wrote:

> Hi All,
>
> just wanted to know the meaning of line session    required
>  pam_selinux.so open env_params added in /etc/pam.d/sshd file.
> Actually I am facing one issue related to this. When I changed this
> env_params to restore then my Sftp is not working.
>
> Can anybody Please guide me on this.
>
>
> --
>
> Thanks
> Aman
> Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com
>



-- 

Thanks
Aman
Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com