Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-30 Thread Aman Sharma
Hi ,

mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old

This targeted folder is not there.

After searching I got the below result :

find / -type d -name "*targeted" -print

/usr/share/selinux/targeted
/etc/selinux/targeted

Please let me know your comments.


On Fri, Dec 1, 2017 at 1:49 AM, Dominick Grift 
wrote:

> On Thu, Nov 30, 2017 at 11:10:43AM +0530, Aman Sharma wrote:
> > Hi Stephen,
> >
> > After resetting the SELinux targeted folder also (the steps you mentioned in
> > the earlier mail), still it's showing the same id context, i.e.
> >
> > id
> > uid=0(root) gid=0(root) groups=0(root)
> > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > [root@cucm2 ~]# id -Z
> > system_u:system_r:unconfined_t:s0-s0:c0.c1023
> >
> > And semanage login -l is showing blank output.
> >
> > Do you have any idea about this?
> >
> > Thanks
> > Aman
>
> Try the same procedure again but this time also do before reinstalling:
>
> mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old
>
> >
> >
> > On Wed, Nov 29, 2017 at 11:04 PM, Stephen Smalley 
> wrote:
> >
> > > On Wed, 2017-11-29 at 22:01 +0530, Aman Sharma wrote:
> > > > After resetting boolean also, showing the same id context.
> > >
> > > And did you try fully resetting your policy as I suggested:
> > > mv /etc/selinux/targeted /etc/selinux/targeted.old
> > > yum reinstall selinux-policy-targeted
> > > reboot
> > >
> > > >
> > > >
> > > > On Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley 
> > > > wrote:
> > > > > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote:
> > > > > > Hi Stephen,
> > > > > >
> > > > > > After enabling the unconfined module and after reboot also, Still
> > > > > > showing the same id context.
> > > > > >
> > > > > > Is there any way to make the id context to normal state again ?
> > > > >
> > > > > Hmmm...try resetting all booleans too?  semanage boolean -D
> > > > >
> > > > > Or you could be drastic and completely reset your policy:
> > > > > mv /etc/selinux/targeted /etc/selinux/targeted.old
> > > > > yum reinstall selinux-policy-targeted
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > >
> > > > Thanks
> > > > Aman
> > > > Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com
> > >
> >
> >
> >
> > --
> >
> > Thanks
> > Aman
> > Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
> Dominick Grift
>



-- 

Thanks
Aman
Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com


Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-30 Thread Dominick Grift
On Thu, Nov 30, 2017 at 11:10:43AM +0530, Aman Sharma wrote:
> Hi Stephen,
> 
> After resetting the SELinux targeted folder also (the steps you mentioned in the
> earlier mail), still it's showing the same id context, i.e.
> 
> id
> uid=0(root) gid=0(root) groups=0(root)
> context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> [root@cucm2 ~]# id -Z
> system_u:system_r:unconfined_t:s0-s0:c0.c1023
> 
> And semanage login -l is showing blank output.
> 
> Do you have any idea about this?
> 
> Thanks
> Aman

Try the same procedure again but this time also do before reinstalling:

mv /var/lib/selinux/targeted /var/lib/selinux/targeted.old

> 
> 
> On Wed, Nov 29, 2017 at 11:04 PM, Stephen Smalley  wrote:
> 
> > On Wed, 2017-11-29 at 22:01 +0530, Aman Sharma wrote:
> > > After resetting boolean also, showing the same id context.
> >
> > And did you try fully resetting your policy as I suggested:
> > mv /etc/selinux/targeted /etc/selinux/targeted.old
> > yum reinstall selinux-policy-targeted
> > reboot
> >
> > >
> > >
> > > On Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley 
> > > wrote:
> > > > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote:
> > > > > Hi Stephen,
> > > > >
> > > > > After enabling the unconfined module and after reboot also, Still
> > > > > showing the same id context.
> > > > >
> > > > > Is there any way to make the id context to normal state again ?
> > > >
> > > > Hmmm...try resetting all booleans too?  semanage boolean -D
> > > >
> > > > Or you could be drastic and completely reset your policy:
> > > > mv /etc/selinux/targeted /etc/selinux/targeted.old
> > > > yum reinstall selinux-policy-targeted
> > > >
> > >
> > >
> > >
> > > --
> > >
> > > Thanks
> > > Aman
> > > Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com
> >
> 
> 
> 
> -- 
> 
> Thanks
> Aman
> Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift




Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-30 Thread Aman Sharma
Hi Stephen,

Do you have any other way to change the context from id command ?

Thanks
Aman

On Thu, Nov 30, 2017 at 11:10 AM, Aman Sharma 
wrote:

> Hi Stephen,
>
> After resetting the SELinux targeted folder also (the steps you mentioned in
> the earlier mail), still it's showing the same id context, i.e.
>
> id
> uid=0(root) gid=0(root) groups=0(root)
> context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> [root@cucm2 ~]# id -Z
> system_u:system_r:unconfined_t:s0-s0:c0.c1023
>
> And semanage login -l is showing blank output.
>
> Do you have any idea about this?
>
> Thanks
> Aman
>
>
> On Wed, Nov 29, 2017 at 11:04 PM, Stephen Smalley 
> wrote:
>
>> On Wed, 2017-11-29 at 22:01 +0530, Aman Sharma wrote:
>> > After resetting boolean also, showing the same id context.
>>
>> And did you try fully resetting your policy as I suggested:
>> mv /etc/selinux/targeted /etc/selinux/targeted.old
>> yum reinstall selinux-policy-targeted
>> reboot
>>
>> >
>> >
>> > On Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley 
>> > wrote:
>> > > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote:
>> > > > Hi Stephen,
>> > > >
>> > > > After enabling the unconfined module and after reboot also, Still
>> > > > showing the same id context.
>> > > >
>> > > > Is there any way to make the id context to normal state again ?
>> > >
>> > > Hmmm...try resetting all booleans too?  semanage boolean -D
>> > >
>> > > Or you could be drastic and completely reset your policy:
>> > > mv /etc/selinux/targeted /etc/selinux/targeted.old
>> > > yum reinstall selinux-policy-targeted
>> > >
>> >
>> >
>> >
>> > --
>> >
>> > Thanks
>> > Aman
>> > Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com
>>
>
>
>
> --
>
> Thanks
> Aman
> Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com
>



-- 

Thanks
Aman
Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com


Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Aman Sharma
Hi Stephen,

After resetting the SELinux targeted folder also (the steps you mentioned in the
earlier mail), still it's showing the same id context, i.e.

id
uid=0(root) gid=0(root) groups=0(root)
context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
[root@cucm2 ~]# id -Z
system_u:system_r:unconfined_t:s0-s0:c0.c1023

And semanage login -l is showing blank output.

Do you have any idea about this?

Thanks
Aman


On Wed, Nov 29, 2017 at 11:04 PM, Stephen Smalley  wrote:

> On Wed, 2017-11-29 at 22:01 +0530, Aman Sharma wrote:
> > After resetting boolean also, showing the same id context.
>
> And did you try fully resetting your policy as I suggested:
> mv /etc/selinux/targeted /etc/selinux/targeted.old
> yum reinstall selinux-policy-targeted
> reboot
>
> >
> >
> > On Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley 
> > wrote:
> > > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote:
> > > > Hi Stephen,
> > > >
> > > > After enabling the unconfined module and after reboot also, Still
> > > > showing the same id context.
> > > >
> > > > Is there any way to make the id context to normal state again ?
> > >
> > > Hmmm...try resetting all booleans too?  semanage boolean -D
> > >
> > > Or you could be drastic and completely reset your policy:
> > > mv /etc/selinux/targeted /etc/selinux/targeted.old
> > > yum reinstall selinux-policy-targeted
> > >
> >
> >
> >
> > --
> >
> > Thanks
> > Aman
> > Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com
>



-- 

Thanks
Aman
Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com


Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Stephen Smalley
On Wed, 2017-11-29 at 22:01 +0530, Aman Sharma wrote:
> After resetting boolean also, showing the same id context.

And did you try fully resetting your policy as I suggested:
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted
reboot

> 
> 
> On Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley 
> wrote:
> > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote:
> > > Hi Stephen,
> > >
> > > After enabling the unconfined module and after reboot also, Still
> > > showing the same id context.
> > >
> > > Is there any way to make the id context to normal state again ? 
> > 
> > Hmmm...try resetting all booleans too?  semanage boolean -D
> > 
> > Or you could be drastic and completely reset your policy:
> > mv /etc/selinux/targeted /etc/selinux/targeted.old
> > yum reinstall selinux-policy-targeted
> > 
> 
> 
> 
> -- 
> 
> Thanks
> Aman
> Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com


Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Aman Sharma
After resetting boolean also, showing the same id context.


On Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley  wrote:

> On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote:
> > Hi Stephen,
> >
> > After enabling the unconfined module and after reboot also, Still
> > showing the same id context.
> >
> > Is there any way to make the id context to normal state again ?
>
> Hmmm...try resetting all booleans too?  semanage boolean -D
>
> Or you could be drastic and completely reset your policy:
> mv /etc/selinux/targeted /etc/selinux/targeted.old
> yum reinstall selinux-policy-targeted
>



-- 

Thanks
Aman
Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com


Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Stephen Smalley
On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote:
> Hi Stephen,
> 
> After enabling the unconfined module and after reboot also, Still
> showing the same id context.
> 
> Is there any way to make the id context to normal state again ? 

Hmmm...try resetting all booleans too?  semanage boolean -D

Or you could be drastic and completely reset your policy:
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted


Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Aman Sharma
Hi Stephen,

After enabling the unconfined module and after reboot also, Still showing
the same id context.

Is there any way to make the id context to normal state again ?


Thanks
Aman

On Wed, Nov 29, 2017 at 9:32 PM, Stephen Smalley  wrote:

> On Wed, 2017-11-29 at 21:26 +0530, Aman Sharma wrote:
> > Hi Stephen,
> >
> > The output of semanage export is :
> >
> > cat localchanges
> > boolean -D
> > login -D
> > interface -D
> > user -D
> > port -D
> > node -D
> > fcontext -D
> > module -D
> > boolean -m -1 domain_kernel_load_modules
> > boolean -m -1 selinuxuser_ping
> > boolean -m -1 ssh_sysadm_login
> > boolean -m -1 tomcat_can_network_non_http_port
> > port -a -t tomcat_shutdown_port_t -p tcp 8005
> > port -a -t ils_port_t -p tcp 8006
> > port -a -t clm_port_t -p tcp 8500
> > port -a -t clm_port_t -p udp 8500
> > port -a -t snmp_port_t -p udp 61441
> > fcontext -a -f a -t tomcat_t '/home/tomcat(/.*)?'
> > fcontext -a -f a -t db_t '/home/informix(/.*)?'
> > fcontext -a -f a -t ipsec_exec_t '/root/.security/ipsec(/.*)?'
> > fcontext -a -f a -t tomcat_exec_t
> > '/root/.security/tomcat/tomcat_diagnostics.sh'
> > module -d unconfined
>
> Hmmm...someone disabled the unconfined module on your system?
> So if you want to go back to using unconfined, you ought to re-enable
> that, ala semodule -e unconfined.  It looks like someone locked down
> that system and was trying to effectively apply a "strict" policy, but
> it was left in a broken state.
>
> >
> >
> > On Wed, Nov 29, 2017 at 9:10 PM, Stephen Smalley 
> > wrote:
> > > On Wed, 2017-11-29 at 20:47 +0530, Aman Sharma wrote:
> > > > Hi Stephen,
> > > >
> > > > I tried all the three command i.e.
> > > > semanage export > localchanges
> > > >
> > > > semanage login -D
> > > > semanage user -D
> > > >
> > > > Then I reboot the system and after reboot , still its showing the
> > > > root User as Same id context i.e.
> > > >
> > > > id
> > > > uid=0(root) gid=0(root) groups=0(root)
> > > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > > >
> > > >  id -Z
> > > > system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > >
> > > That's interesting.  So what else does semanage export show now as
> > > local changes?
> > >
> > > > Also check the below output :
> > > > semanage user -l
> > > >
> > > >                 Labeling   MLS/       MLS/
> > > > SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
> > > >
> > > > guest_u         user       s0         s0               guest_r
> > > > root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
> > > > staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
> > > > sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
> > > > system_u        user       s0         s0-s0:c0.c1023   system_r unconfined_r
> > > > unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
> > > > user_u          user       s0         s0               user_r
> > > > xguest_u        user       s0         s0               xguest_r
> > > > [root@cucm ~]# semanage login -l
> > > >
> > > > Login Name           SELinux User         MLS/MCS Range        Service
> > > >
> > > > __default__          unconfined_u         s0-s0:c0.c1023       *
> > > > root                 unconfined_u         s0-s0:c0.c1023       *
> > > > system_u             system_u             s0-s0:c0.c1023       *
> > > >
> > > > Please let me know your comments on this.
> > > >
> > > > Thanks
> > > > Aman
> > >
> >
> >
> >
> > --
> >
> > Thanks
> > Aman
> > Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com
>



-- 

Thanks
Aman
Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com


Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Stephen Smalley
On Wed, 2017-11-29 at 21:26 +0530, Aman Sharma wrote:
> Hi Stephen,
> 
> The output of semanage export is :
> 
> cat localchanges 
> boolean -D
> login -D
> interface -D
> user -D
> port -D
> node -D
> fcontext -D
> module -D
> boolean -m -1 domain_kernel_load_modules
> boolean -m -1 selinuxuser_ping
> boolean -m -1 ssh_sysadm_login
> boolean -m -1 tomcat_can_network_non_http_port
> port -a -t tomcat_shutdown_port_t -p tcp 8005
> port -a -t ils_port_t -p tcp 8006
> port -a -t clm_port_t -p tcp 8500
> port -a -t clm_port_t -p udp 8500
> port -a -t snmp_port_t -p udp 61441
> fcontext -a -f a -t tomcat_t '/home/tomcat(/.*)?'
> fcontext -a -f a -t db_t '/home/informix(/.*)?'
> fcontext -a -f a -t ipsec_exec_t '/root/.security/ipsec(/.*)?'
> fcontext -a -f a -t tomcat_exec_t
> '/root/.security/tomcat/tomcat_diagnostics.sh'
> module -d unconfined

Hmmm...someone disabled the unconfined module on your system?
So if you want to go back to using unconfined, you ought to re-enable
that, ala semodule -e unconfined.  It looks like someone locked down
that system and was trying to effectively apply a "strict" policy, but
it was left in a broken state.

> 
> 
> On Wed, Nov 29, 2017 at 9:10 PM, Stephen Smalley 
> wrote:
> > On Wed, 2017-11-29 at 20:47 +0530, Aman Sharma wrote:
> > > Hi Stephen,
> > >
> > > I tried all the three command i.e.
> > > semanage export > localchanges
> > >
> > > semanage login -D
> > > semanage user -D
> > >
> > > Then I reboot the system and after reboot , still its showing the
> > > root User as Same id context i.e. 
> > >
> > > id
> > > uid=0(root) gid=0(root) groups=0(root)
> > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > >
> > >  id -Z
> > > system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > 
> > That's interesting.  So what else does semanage export show now as
> > local changes?
> > 
> > > Also check the below output :
> > > semanage user -l
> > >
> > >                 Labeling   MLS/       MLS/
> > > SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
> > >
> > > guest_u         user       s0         s0               guest_r
> > > root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
> > > staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
> > > sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
> > > system_u        user       s0         s0-s0:c0.c1023   system_r unconfined_r
> > > unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
> > > user_u          user       s0         s0               user_r
> > > xguest_u        user       s0         s0               xguest_r
> > > [root@cucm ~]# semanage login -l
> > >
> > > Login Name           SELinux User         MLS/MCS Range        Service
> > >
> > > __default__          unconfined_u         s0-s0:c0.c1023       *
> > > root                 unconfined_u         s0-s0:c0.c1023       *
> > > system_u             system_u             s0-s0:c0.c1023       *
> > >
> > > Please let me know your comments on this.
> > >
> > > Thanks
> > > Aman
> > 
> 
> 
> 
> -- 
> 
> Thanks
> Aman
> Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com


Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Aman Sharma
Hi Stephen,

The output of semanage export is :

cat localchanges
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -1 domain_kernel_load_modules
boolean -m -1 selinuxuser_ping
boolean -m -1 ssh_sysadm_login
boolean -m -1 tomcat_can_network_non_http_port
port -a -t tomcat_shutdown_port_t -p tcp 8005
port -a -t ils_port_t -p tcp 8006
port -a -t clm_port_t -p tcp 8500
port -a -t clm_port_t -p udp 8500
port -a -t snmp_port_t -p udp 61441
fcontext -a -f a -t tomcat_t '/home/tomcat(/.*)?'
fcontext -a -f a -t db_t '/home/informix(/.*)?'
fcontext -a -f a -t ipsec_exec_t '/root/.security/ipsec(/.*)?'
fcontext -a -f a -t tomcat_exec_t
'/root/.security/tomcat/tomcat_diagnostics.sh'
module -d unconfined


On Wed, Nov 29, 2017 at 9:10 PM, Stephen Smalley  wrote:

> On Wed, 2017-11-29 at 20:47 +0530, Aman Sharma wrote:
> > Hi Stephen,
> >
> > I tried all the three command i.e.
> > semanage export > localchanges
> >
> > semanage login -D
> > semanage user -D
> >
> > Then I reboot the system and after reboot , still its showing the
> > root User as Same id context i.e.
> >
> > id
> > uid=0(root) gid=0(root) groups=0(root)
> > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> >
> >  id -Z
> > system_u:system_r:unconfined_t:s0-s0:c0.c1023
>
> That's interesting.  So what else does semanage export show now as
> local changes?
>
> > Also check the below output :
> > semanage user -l
> >
> >                 Labeling   MLS/       MLS/
> > SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
> >
> > guest_u         user       s0         s0               guest_r
> > root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
> > staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
> > sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
> > system_u        user       s0         s0-s0:c0.c1023   system_r unconfined_r
> > unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
> > user_u          user       s0         s0               user_r
> > xguest_u        user       s0         s0               xguest_r
> > [root@cucm ~]# semanage login -l
> >
> > Login Name           SELinux User         MLS/MCS Range        Service
> >
> > __default__          unconfined_u         s0-s0:c0.c1023       *
> > root                 unconfined_u         s0-s0:c0.c1023       *
> > system_u             system_u             s0-s0:c0.c1023       *
> >
> > Please let me know your comments on this.
> >
> > Thanks
> > Aman
>



-- 

Thanks
Aman
Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com


Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Stephen Smalley
On Wed, 2017-11-29 at 20:47 +0530, Aman Sharma wrote:
> Hi Stephen,
> 
> I tried all the three command i.e.
> semanage export > localchanges
> 
> semanage login -D
> semanage user -D
> 
> Then I reboot the system and after reboot , still its showing the
> root User as Same id context i.e. 
> 
> id
> uid=0(root) gid=0(root) groups=0(root)
> context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> 
>  id -Z
> system_u:system_r:unconfined_t:s0-s0:c0.c1023

That's interesting.  So what else does semanage export show now as
local changes?

> Also check the below output :
> semanage user -l
> 
>                 Labeling   MLS/       MLS/                          
> SELinux User    Prefix     MCS Level  MCS Range                     
> SELinux Roles
> 
> guest_u         user       s0         s0                           
>  guest_r
> root            user       s0         s0-s0:c0.c1023               
>  staff_r sysadm_r system_r unconfined_r
> staff_u         user       s0         s0-s0:c0.c1023               
>  staff_r sysadm_r system_r unconfined_r
> sysadm_u        user       s0         s0-s0:c0.c1023               
>  sysadm_r
> system_u        user       s0         s0-s0:c0.c1023               
>  system_r unconfined_r
> unconfined_u    user       s0         s0-s0:c0.c1023               
>  system_r unconfined_r
> user_u          user       s0         s0                           
>  user_r
> xguest_u        user       s0         s0                           
>  xguest_r
> [root@cucm ~]# semanage login -l
> 
> Login Name           SELinux User         MLS/MCS Range       
> Service
> 
> __default__          unconfined_u         s0-s0:c0.c1023       *
> root                 unconfined_u         s0-s0:c0.c1023       *
> system_u             system_u             s0-s0:c0.c1023       *
> 
> Please let me know your comments on this.
> 
> Thanks
> Aman


Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Aman Sharma
Hi Stephen,

I tried all the three commands, i.e.
semanage export > localchanges

semanage login -D
semanage user -D

Then I rebooted the system and after reboot, still it's showing the root user
with the same id context, i.e.

id
uid=0(root) gid=0(root) groups=0(root)
context=system_u:system_r:unconfined_t:s0-s0:c0.c1023

id -Z
system_u:system_r:unconfined_t:s0-s0:c0.c1023


Also check the below output:
semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles

guest_u         user       s0         s0               guest_r
root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
system_u        user       s0         s0-s0:c0.c1023   system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
user_u          user       s0         s0               user_r
xguest_u        user       s0         s0               xguest_r
[root@cucm ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

Please let me know your comments on this.

Thanks
Aman

On Wed, Nov 29, 2017 at 8:17 PM, Stephen Smalley  wrote:

> On Wed, 2017-11-29 at 20:11 +0530, Aman Sharma wrote:
> > Hi Stephen,
> >
> > Thanks for the reply.
> >
> > Can you please let me know how to delete all local customizations
> > (via semanage or manually) and revert
> > to a default policy.
>
> First, save any local customizations in case you want to restore them
> later:
> semanage export > localchanges
>
> Then, delete them:
> semanage login -D
> semanage user -D
>
> Then logout and log back in.
>
> >
> > Otherwise the output of semanage login -l and semanage user -l  :
> >
> > semanage user -l
> >
> >                 Labeling   MLS/       MLS/
> > SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
> >
> > admin_u         user       s0         s0-s0:c0.c1023   sysadm_r system_r
> > guest_u         user       s0         s0               guest_r
> > root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r
> > specialuser_u   user       s0         s0               sysadm_r system_r
> > staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r
> > sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
> > system_u        user       s0         s0-s0:c0.c1023   system_r
> > unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
> > user_u          user       s0         s0               user_r
> > xguest_u        user       s0         s0               xguest_r
> >
> >
> > semanage login -l
> >
> > Login Name           SELinux User         MLS/MCS Range        Service
> >
> > __default__          sysadm_u             s0-s0:c0.c1023       *
> > ccmservice           specialuser_u        s0                   *
> > cucm                 admin_u              s0-s0:c0.c1023       *
> > drfkeys              specialuser_u        s0                   *
> > drfuser              specialuser_u        s0                   *
> > informix             specialuser_u        s0                   *
> > pwrecovery           specialuser_u        s0                   *
> > root                 sysadm_u             s0-s0:c0.c1023       *
> > sftpuser             specialuser_u        s0                   *
> > system_u             sysadm_u             s0-s0:c0.c1023       *
> >
> > Please let me know if any comments are there.
> >
> > Thanks
> > Aman
> >
> > On Wed, Nov 29, 2017 at 7:21 PM, Stephen Smalley 
> > wrote:
> > > On Wed, 2017-11-29 at 09:33 +0530, Aman Sharma wrote:
> > > > Hi Stephen,
> > > >
> > > > Below is the output of command :
> > > >
> > > >  sestatus -v output
> > > > SELinux status: enabled
> > > > SELinuxfs mount:/sys/fs/selinux
> > > > SELinux root directory: /etc/selinux
> > > > Loaded policy name: targeted
> > > > Current mode:   enforcing
> > > > Mode from config file:  permissive
> > > > Policy MLS status:  enabled
> > > > Policy deny_unknown status: allowed
> > > > Max kernel policy version:  28
> > > >
> > > > Process contexts:
> > > > Current context:                system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > > > Init context:                   system_u:system_r:init_t:s0
> > > > /usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023
> > > >
> > > > File contexts:
> > > > Controlling terminal:           system_u:object_r:sshd_devpts_t:s0
> > > > /etc/passwd                     system_u:object_r:passwd_file_t:s0

Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Stephen Smalley
On Wed, 2017-11-29 at 20:11 +0530, Aman Sharma wrote:
> Hi Stephen,
> 
> Thanks for the reply.
> 
> Can you please let me know how to delete all local customizations
> (via semanage or manually) and revert
> to a default policy. 

First, save any local customizations in case you want to restore them
later:
semanage export > localchanges

Then, delete them:
semanage login -D
semanage user -D

Then logout and log back in.

> 
> Otherwise the output of semanage login -l and semanage user -l  :
> 
> semanage user -l
> 
>                 Labeling   MLS/       MLS/                          
> SELinux User    Prefix     MCS Level  MCS Range                     
> SELinux Roles
> 
> admin_u         user       s0         s0-s0:c0.c1023               
>  sysadm_r system_r
> guest_u         user       s0         s0                           
>  guest_r
> root            user       s0         s0-s0:c0.c1023               
>  staff_r sysadm_r
> specialuser_u   user       s0         s0                           
>  sysadm_r system_r
> staff_u         user       s0         s0-s0:c0.c1023               
>  staff_r sysadm_r system_r
> sysadm_u        user       s0         s0-s0:c0.c1023               
>  sysadm_r
> system_u        user       s0         s0-s0:c0.c1023               
>  system_r
> unconfined_u    user       s0         s0-s0:c0.c1023               
>  system_r unconfined_r
> user_u          user       s0         s0                           
>  user_r
> xguest_u        user       s0         s0                           
>  xguest_r
> 
> 
>  semanage login -l
> 
> Login Name           SELinux User         MLS/MCS Range       
> Service
> 
> __default__          sysadm_u             s0-s0:c0.c1023       *
> ccmservice           specialuser_u        s0                   *
> cucm                 admin_u              s0-s0:c0.c1023       *
> drfkeys              specialuser_u        s0                   *
> drfuser              specialuser_u        s0                   *
> informix             specialuser_u        s0                   *
> pwrecovery           specialuser_u        s0                   *
> root                 sysadm_u             s0-s0:c0.c1023       *
> sftpuser             specialuser_u        s0                   *
> system_u             sysadm_u             s0-s0:c0.c1023       *
> 
> Please let me know if any comments are there.
> 
> Thanks
> Aman
> 
> On Wed, Nov 29, 2017 at 7:21 PM, Stephen Smalley 
> wrote:
> > On Wed, 2017-11-29 at 09:33 +0530, Aman Sharma wrote:
> > > Hi Stephen,
> > >
> > > Below is the output of command :
> > >
> > >  sestatus -v output
> > > SELinux status:                 enabled
> > > SELinuxfs mount:                /sys/fs/selinux
> > > SELinux root directory:         /etc/selinux
> > > Loaded policy name:             targeted
> > > Current mode:                   enforcing
> > > Mode from config file:          permissive
> > > Policy MLS status:              enabled
> > > Policy deny_unknown status:     allowed
> > > Max kernel policy version:      28
> > >
> > > Process contexts:
> > > Current context:                system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > > Init context:                   system_u:system_r:init_t:s0
> > > /usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023
> > >
> > > File contexts:
> > > Controlling terminal:           system_u:object_r:sshd_devpts_t:s0
> > > /etc/passwd                     system_u:object_r:passwd_file_t:s0
> > > /etc/shadow                     system_u:object_r:shadow_t:s0
> > > /bin/bash                       system_u:object_r:shell_exec_t:s0
> > > /bin/login                      system_u:object_r:login_exec_t:s0
> > > /bin/sh                         system_u:object_r:bin_t:s0 ->
> > > system_u:object_r:shell_exec_t:s0
> > > /sbin/agetty                    system_u:object_r:getty_exec_t:s0
> > > /sbin/init                      system_u:object_r:bin_t:s0 ->
> > > system_u:object_r:init_exec_t:s0
> > > /usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
> > > /lib/libc.so.6                  system_u:object_r:lib_t:s0 ->
> > > system_u:object_r:lib_t:s0
> > > /lib/ld-linux.so.2              system_u:object_r:lib_t:s0 ->
> > > system_u:object_r:ld_so_t:s0
> > >
> > > Also I am using ssh session for login.
> > >
> > > Please let me know how to change id command context to
> > unconfined_u
> > > or Sysadm_u.
> > 
> > So from your earlier message, it is clear that you (or someone
> > else)
> > has heavily customized your semanage login and user mappings from
> > the
> > stock targeted policy.  The question is why, and whether you
> > want/need
> > to retain any of those customizations.  If not, then you could just
> > delete all local customizations (via semanage or manually) and
> > revert
> > to a stock policy.
> > 
> > If you do need to retain some of those customizations, then please
> > show
> > your current semanage login -l and semanage 
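
The reset procedure above starts by saving local customizations with semanage export before deleting them. As an added example that is not part of this thread or of the SELinux tooling, the following POSIX shell script audits such a saved export file, together with a captured semanage login -l listing, for the two customizations this thread turns on: login names mapped to something other than unconfined_u, and the unconfined module being disabled (the "module -d unconfined" line Stephen points to in his follow-up, undone with semodule -e unconfined). It runs entirely on constructed sample text modelled on the output Aman posted; the file names, function names and sample contents are assumptions, and no semanage command is invoked.

```shell
#!/bin/sh
# Added example, not from the thread: audit a saved "semanage export" file and a
# captured "semanage login -l" listing for the customizations discussed above.
# Everything below works on constructed sample text; no semanage call is made.
set -u

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
EXPORT_FILE="$TMP/localchanges"   # assumed name, stands in for "semanage export > localchanges"
LOGIN_FILE="$TMP/logins"          # assumed name, stands in for "semanage login -l" output

# Constructed sample modelled on the localchanges file posted in the thread (abbreviated).
cat > "$EXPORT_FILE" <<'EOF'
boolean -D
login -D
user -D
module -D
boolean -m -1 ssh_sysadm_login
port -a -t tomcat_shutdown_port_t -p tcp 8005
fcontext -a -f a -t tomcat_t '/home/tomcat(/.*)?'
module -d unconfined
EOF

# Constructed sample modelled on the "semanage login -l" output posted earlier in the thread.
cat > "$LOGIN_FILE" <<'EOF'
Login Name           SELinux User         MLS/MCS Range        Service

__default__          sysadm_u             s0-s0:c0.c1023       *
root                 sysadm_u             s0-s0:c0.c1023       *
system_u             sysadm_u             s0-s0:c0.c1023       *
EOF

# Returns 0 when the export disables the unconfined module ("module -d unconfined"),
# the customization that has to be undone (semodule -e unconfined) to get unconfined back.
unconfined_module_disabled() {
    grep -qx 'module -d unconfined' "$1"
}

# Prints the number of local additions/modifications in the export, ignoring the
# leading "<store> -D" lines that semanage emits so an import resets each store first.
count_local_changes() {
    grep -cv -- ' -D$' "$1" || true
}

# Prints the SELinux user a login name maps to, e.g. login_selinux_user "$LOGIN_FILE" root
login_selinux_user() {
    awk -v name="$2" '$1 == name { print $2 }' "$1"
}

# Prints, space separated, the login names mapped to anything other than unconfined_u.
# On a stock targeted policy only system_u (mapped to system_u) is expected here.
logins_not_unconfined() {
    awk 'NR > 1 && NF >= 3 && $2 != "unconfined_u" { printf "%s ", $1 }' "$1" | sed 's/ $//'
}

# Stand-alone report over the constructed samples.
if unconfined_module_disabled "$EXPORT_FILE"; then
    echo "unconfined module is disabled locally; semodule -e unconfined re-enables it"
fi
echo "local customizations in export: $(count_local_changes "$EXPORT_FILE")"
echo "root login maps to: $(login_selinux_user "$LOGIN_FILE" root)"
echo "logins not mapped to unconfined_u: $(logins_not_unconfined "$LOGIN_FILE")"
```

Point the two file variables at a real export and a saved login listing to run the same checks on a live system; a non-empty result from logins_not_unconfined other than system_u, or a hit from unconfined_module_disabled, is the state this thread describes and the reason semanage login -D / semanage user -D alone did not change the root shell's context.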

Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Aman Sharma
Hi Stephen,

Thanks for the reply.

Can you please let me know how to delete all local customizations (via
semanage or manually) and revert
to a default policy.

Otherwise the output of semanage login -l and semanage user -l:

semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles

admin_u         user       s0         s0-s0:c0.c1023   sysadm_r system_r
guest_u         user       s0         s0               guest_r
root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r
specialuser_u   user       s0         s0               sysadm_r system_r
staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
system_u        user       s0         s0-s0:c0.c1023   system_r
unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
user_u          user       s0         s0               user_r
xguest_u        user       s0         s0               xguest_r


semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          sysadm_u             s0-s0:c0.c1023       *
ccmservice           specialuser_u        s0                   *
cucm                 admin_u              s0-s0:c0.c1023       *
drfkeys              specialuser_u        s0                   *
drfuser              specialuser_u        s0                   *
informix             specialuser_u        s0                   *
pwrecovery           specialuser_u        s0                   *
root                 sysadm_u             s0-s0:c0.c1023       *
sftpuser             specialuser_u        s0                   *
system_u             sysadm_u             s0-s0:c0.c1023       *

Please let me know if any comments are there.

Thanks
Aman

On Wed, Nov 29, 2017 at 7:21 PM, Stephen Smalley  wrote:

> On Wed, 2017-11-29 at 09:33 +0530, Aman Sharma wrote:
> > Hi Stephen,
> >
> > Below is the output of command :
> >
> >  sestatus -v output
> > SELinux status: enabled
> > SELinuxfs mount:/sys/fs/selinux
> > SELinux root directory: /etc/selinux
> > Loaded policy name: targeted
> > Current mode:   enforcing
> > Mode from config file:  permissive
> > Policy MLS status:  enabled
> > Policy deny_unknown status: allowed
> > Max kernel policy version:  28
> >
> > Process contexts:
> > Current context:system_u:system_r:unconfined_t:s0-
> > s0:c0.c1023
> > Init context:   system_u:system_r:init_t:s0
> > /usr/sbin/sshd  system_u:system_r:sshd_t:s0-
> > s0:c0.c1023
> >
> > File contexts:
> > Controlling terminal:   system_u:object_r:sshd_devpts_t:s0
> > /etc/passwd system_u:object_r:passwd_file_t:s0
> > /etc/shadow system_u:object_r:shadow_t:s0
> > /bin/bash   system_u:object_r:shell_exec_t:s0
> > /bin/login  system_u:object_r:login_exec_t:s0
> > /bin/sh system_u:object_r:bin_t:s0 ->
> > system_u:object_r:shell_exec_t:s0
> > /sbin/agettysystem_u:object_r:getty_exec_t:s0
> > /sbin/init  system_u:object_r:bin_t:s0 ->
> > system_u:object_r:init_exec_t:s0
> > /usr/sbin/sshd  system_u:object_r:sshd_exec_t:s0
> > /lib/libc.so.6  system_u:object_r:lib_t:s0 ->
> > system_u:object_r:lib_t:s0
> > /lib/ld-linux.so.2  system_u:object_r:lib_t:s0 ->
> > system_u:object_r:ld_so_t:s0
> >
> > Also I am using ssh session for login.
> >
> > Please let me know how to change id command context to unconfined_u
> > or Sysadm_u.
>
> So from your earlier message, it is clear that you (or someone else)
> has heavily customized your semanage login and user mappings from the
> stock targeted policy.  The question is why, and whether you want/need
> to retain any of those customizations.  If not, then you could just
> delete all local customizations (via semanage or manually) and revert
> to a stock policy.
>
> If you do need to retain some of those customizations, then please show
> your current semanage login -l and semanage user -l output since you
> said you ran some further semanage commands after the last output you
> showed.
>
>


-- 

Thanks
Aman
Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com


Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Stephen Smalley
On Wed, 2017-11-29 at 09:33 +0530, Aman Sharma wrote:
> Hi Stephen,
> 
> Below is the output of command :
> 
>  sestatus -v output
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   enforcing
> Mode from config file:          permissive
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Max kernel policy version:      28
> 
> Process contexts:
> Current context:                system_u:system_r:unconfined_t:s0-
> s0:c0.c1023
> Init context:                   system_u:system_r:init_t:s0
> /usr/sbin/sshd                  system_u:system_r:sshd_t:s0-
> s0:c0.c1023
> 
> File contexts:
> Controlling terminal:           system_u:object_r:sshd_devpts_t:s0
> /etc/passwd                     system_u:object_r:passwd_file_t:s0
> /etc/shadow                     system_u:object_r:shadow_t:s0
> /bin/bash                       system_u:object_r:shell_exec_t:s0
> /bin/login                      system_u:object_r:login_exec_t:s0
> /bin/sh                         system_u:object_r:bin_t:s0 ->
> system_u:object_r:shell_exec_t:s0
> /sbin/agetty                    system_u:object_r:getty_exec_t:s0
> /sbin/init                      system_u:object_r:bin_t:s0 ->
> system_u:object_r:init_exec_t:s0
> /usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
> /lib/libc.so.6                  system_u:object_r:lib_t:s0 ->
> system_u:object_r:lib_t:s0
> /lib/ld-linux.so.2              system_u:object_r:lib_t:s0 ->
> system_u:object_r:ld_so_t:s0
> 
> Also I am using ssh session for login.
> 
> Please let me know how to change id command context to unconfined_u
> or Sysadm_u.

So from your earlier message, it is clear that you (or someone else)
has heavily customized your semanage login and user mappings from the
stock targeted policy.  The question is why, and whether you want/need
to retain any of those customizations.  If not, then you could just
delete all local customizations (via semanage or manually) and revert
to a stock policy.

If you do need to retain some of those customizations, then please show
your current semanage login -l and semanage user -l output since you
said you ran some further semanage commands after the last output you
showed.



Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Dominick Grift
On Wed, Nov 29, 2017 at 02:21:46PM +0530, Aman Sharma wrote:
> Hi ,
> 
> Check the output for the same.
> 
> * getsebool -a | grep ssh*
> fenced_can_ssh --> off
> selinuxuser_use_ssh_chroot --> on
> ssh_chroot_rw_homedirs --> off
> ssh_keysign --> off
> ssh_sysadm_login --> on

Thanks. That means I was wrong.

> 
> 
> On Wed, Nov 29, 2017 at 1:52 PM, Dominick Grift 
> wrote:
> 
> > On Wed, Nov 29, 2017 at 09:33:31AM +0530, Aman Sharma wrote:
> > > Hi Stephen,
> > >
> > > Below is the output of command :
> > >
> > > * sestatus -v output*
> > > *SELinux status: enabled*
> > > *SELinuxfs mount:/sys/fs/selinux*
> > > *SELinux root directory: /etc/selinux*
> > > *Loaded policy name: targeted*
> > > *Current mode:   enforcing*
> > > *Mode from config file:  permissive*
> > > *Policy MLS status:  enabled*
> > > *Policy deny_unknown status: allowed*
> > > *Max kernel policy version:  28*
> > >
> > > *Process contexts:*
> > > *Current context:
> > > system_u:system_r:unconfined_t:s0-s0:c0.c1023*
> > > *Init context:   system_u:system_r:init_t:s0*
> > > */usr/sbin/sshd  system_u:system_r:sshd_t:s0-
> > s0:c0.c1023*
> > >
> > > *File contexts:*
> > > *Controlling terminal:   system_u:object_r:sshd_devpts_t:s0*
> > > */etc/passwd system_u:object_r:passwd_file_t:s0*
> > > */etc/shadow system_u:object_r:shadow_t:s0*
> > > */bin/bash   system_u:object_r:shell_exec_t:s0*
> > > */bin/login  system_u:object_r:login_exec_t:s0*
> > > */bin/sh system_u:object_r:bin_t:s0 ->
> > > system_u:object_r:shell_exec_t:s0*
> > > */sbin/agettysystem_u:object_r:getty_exec_t:s0*
> > > */sbin/init  system_u:object_r:bin_t:s0 ->
> > > system_u:object_r:init_exec_t:s0*
> > > */usr/sbin/sshd  system_u:object_r:sshd_exec_t:s0*
> > > */lib/libc.so.6  system_u:object_r:lib_t:s0 ->
> > > system_u:object_r:lib_t:s0*
> > > */lib/ld-linux.so.2  system_u:object_r:lib_t:s0 ->
> > > system_u:object_r:ld_so_t:s0*
> > >
> > > *Also I am using ssh session for login.*
> > >
> > > *Please let me know how to change id command context to unconfined_u or
> > > Sysadm_u.*
> > >
> > > Thanks in advance
> > > Aman
> >
> > not sure and shot in dark, but:
> >
> > root is assoc. with sysadm_u. sysadm_u is only authorized to use sysadm_r.
> > if you have the boolean ssh_priv_login set to off then
> > sysadm_u:sysadm_r:sysadm_t:s0 is inaccessible
> > pam_selinux attempts to use any other contexts that are accessible, and it
> > appears that system_u:system_r:unconfined_t was it.
> >
> > Do you have the ssh_priv_login boolean set to off? `getsebool -a | grep
> > ssh`
> >
> > >
> > > On Mon, Nov 27, 2017 at 9:29 PM, Stephen Smalley 
> > wrote:
> > >
> > > > On Fri, 2017-11-24 at 10:47 +0530, Aman Sharma wrote:
> > > > >
> > > > >
> > > > > Hi All,
> > > > >
> > > > > Currently Working on Cent OS 7.3 and login as a root User and my Id
> > > > > command output is :
> > > > >
> > > > > id
> > > > > uid=0(root) gid=0(root) groups=0(root)
> > > > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > > > >
> > > > > I want to change System_u:system_r:unconfined_t to sysadm_u:sysadm_r
> > > > > or unconfined_u:unconfined_r.
> > > > >
> > > > > Also showing the output of following command :
> > > > >
> > > > > semanage user -l
> > > > >
> > > > > Labeling   MLS/   MLS/
> > > > > SELinux UserPrefix MCS Level  MCS Range
> > > > > SELinux Roles
> > > > >
> > > > > admin_u user   s0 s0-s0:c0.c1023
> > > > >  sysadm_r system_r
> > > > > guest_u user   s0 s0
> > > > >  guest_r
> > > > > rootuser   s0 s0-s0:c0.c1023
> > > > >  staff_r sysadm_r
> > > > > specialuser_u   user   s0 s0
> > > > >  sysadm_r system_r
> > > > > staff_u user   s0 s0-s0:c0.c1023
> > > > >  staff_r sysadm_r system_r
> > > > > sysadm_uuser   s0 s0-s0:c0.c1023
> > > > >  sysadm_r
> > > > > system_uuser   s0 s0-s0:c0.c1023
> > > > >  system_r
> > > > > unconfined_uuser   s0 s0-s0:c0.c1023
> > > > >  system_r unconfined_r
> > > > > user_u  user   s0 s0
> > > > >  user_r
> > > > > xguest_uuser   s0 s0
> > > > >  xguest_r
> > > > >
> > > > >
> > > > >  semanage login -l
> > > > >
> > > > > Login Name   SELinux User MLS/MCS Range
> > > > > Service
> > > > >
> > > > > __default__  sysadm_u s0-s0:c0.c1023   *
> > > > > ccmservice   specialuser_us0   *
> > > > > cucm admin_u  s0-s0:c0.c1023   *
> > > > > drfkeys  

Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Aman Sharma
Hi ,

Check the output for the same.

getsebool -a | grep ssh
fenced_can_ssh --> off
selinuxuser_use_ssh_chroot --> on
ssh_chroot_rw_homedirs --> off
ssh_keysign --> off
ssh_sysadm_login --> on


On Wed, Nov 29, 2017 at 1:52 PM, Dominick Grift 
wrote:

> On Wed, Nov 29, 2017 at 09:33:31AM +0530, Aman Sharma wrote:
> > Hi Stephen,
> >
> > Below is the output of command :
> >
> > * sestatus -v output*
> > *SELinux status: enabled*
> > *SELinuxfs mount:/sys/fs/selinux*
> > *SELinux root directory: /etc/selinux*
> > *Loaded policy name: targeted*
> > *Current mode:   enforcing*
> > *Mode from config file:  permissive*
> > *Policy MLS status:  enabled*
> > *Policy deny_unknown status: allowed*
> > *Max kernel policy version:  28*
> >
> > *Process contexts:*
> > *Current context:
> > system_u:system_r:unconfined_t:s0-s0:c0.c1023*
> > *Init context:   system_u:system_r:init_t:s0*
> > */usr/sbin/sshd  system_u:system_r:sshd_t:s0-
> s0:c0.c1023*
> >
> > *File contexts:*
> > *Controlling terminal:   system_u:object_r:sshd_devpts_t:s0*
> > */etc/passwd system_u:object_r:passwd_file_t:s0*
> > */etc/shadow system_u:object_r:shadow_t:s0*
> > */bin/bash   system_u:object_r:shell_exec_t:s0*
> > */bin/login  system_u:object_r:login_exec_t:s0*
> > */bin/sh system_u:object_r:bin_t:s0 ->
> > system_u:object_r:shell_exec_t:s0*
> > */sbin/agettysystem_u:object_r:getty_exec_t:s0*
> > */sbin/init  system_u:object_r:bin_t:s0 ->
> > system_u:object_r:init_exec_t:s0*
> > */usr/sbin/sshd  system_u:object_r:sshd_exec_t:s0*
> > */lib/libc.so.6  system_u:object_r:lib_t:s0 ->
> > system_u:object_r:lib_t:s0*
> > */lib/ld-linux.so.2  system_u:object_r:lib_t:s0 ->
> > system_u:object_r:ld_so_t:s0*
> >
> > *Also I am using ssh session for login.*
> >
> > *Please let me know how to change id command context to unconfined_u or
> > Sysadm_u.*
> >
> > Thanks in advance
> > Aman
>
> not sure and shot in dark, but:
>
> root is assoc. with sysadm_u. sysadm_u is only authorized to use sysadm_r.
> if you have the boolean ssh_priv_login set to off then
> sysadm_u:sysadm_r:sysadm_t:s0 is inaccessible
> pam_selinux attempts to use any other contexts that are accessible, and it
> appears that system_u:system_r:unconfined_t was it.
>
> Do you have the ssh_priv_login boolean set to off? `getsebool -a | grep
> ssh`
>
> >
> > On Mon, Nov 27, 2017 at 9:29 PM, Stephen Smalley 
> wrote:
> >
> > > On Fri, 2017-11-24 at 10:47 +0530, Aman Sharma wrote:
> > > >
> > > >
> > > > Hi All,
> > > >
> > > > Currently Working on Cent OS 7.3 and login as a root User and my Id
> > > > command output is :
> > > >
> > > > id
> > > > uid=0(root) gid=0(root) groups=0(root)
> > > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > > >
> > > > I want to change System_u:system_r:unconfined_t to sysadm_u:sysadm_r
> > > > or unconfined_u:unconfined_r.
> > > >
> > > > Also showing the output of following command :
> > > >
> > > > semanage user -l
> > > >
> > > > Labeling   MLS/   MLS/
> > > > SELinux UserPrefix MCS Level  MCS Range
> > > > SELinux Roles
> > > >
> > > > admin_u user   s0 s0-s0:c0.c1023
> > > >  sysadm_r system_r
> > > > guest_u user   s0 s0
> > > >  guest_r
> > > > rootuser   s0 s0-s0:c0.c1023
> > > >  staff_r sysadm_r
> > > > specialuser_u   user   s0 s0
> > > >  sysadm_r system_r
> > > > staff_u user   s0 s0-s0:c0.c1023
> > > >  staff_r sysadm_r system_r
> > > > sysadm_uuser   s0 s0-s0:c0.c1023
> > > >  sysadm_r
> > > > system_uuser   s0 s0-s0:c0.c1023
> > > >  system_r
> > > > unconfined_uuser   s0 s0-s0:c0.c1023
> > > >  system_r unconfined_r
> > > > user_u  user   s0 s0
> > > >  user_r
> > > > xguest_uuser   s0 s0
> > > >  xguest_r
> > > >
> > > >
> > > >  semanage login -l
> > > >
> > > > Login Name   SELinux User MLS/MCS Range
> > > > Service
> > > >
> > > > __default__  sysadm_u s0-s0:c0.c1023   *
> > > > ccmservice   specialuser_us0   *
> > > > cucm admin_u  s0-s0:c0.c1023   *
> > > > drfkeys  specialuser_us0   *
> > > > drfuser  specialuser_us0   *
> > > > informix specialuser_us0   *
> > > > pwrecovery   specialuser_us0   *
> > > > root sysadm_u s0-s0:c0.c1023   *
> > > > sftpuser 

Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Dominick Grift
On Wed, Nov 29, 2017 at 09:33:31AM +0530, Aman Sharma wrote:
> Hi Stephen,
> 
> Below is the output of command :
> 
> * sestatus -v output*
> *SELinux status: enabled*
> *SELinuxfs mount:/sys/fs/selinux*
> *SELinux root directory: /etc/selinux*
> *Loaded policy name: targeted*
> *Current mode:   enforcing*
> *Mode from config file:  permissive*
> *Policy MLS status:  enabled*
> *Policy deny_unknown status: allowed*
> *Max kernel policy version:  28*
> 
> *Process contexts:*
> *Current context:
> system_u:system_r:unconfined_t:s0-s0:c0.c1023*
> *Init context:   system_u:system_r:init_t:s0*
> */usr/sbin/sshd  system_u:system_r:sshd_t:s0-s0:c0.c1023*
> 
> *File contexts:*
> *Controlling terminal:   system_u:object_r:sshd_devpts_t:s0*
> */etc/passwd system_u:object_r:passwd_file_t:s0*
> */etc/shadow system_u:object_r:shadow_t:s0*
> */bin/bash   system_u:object_r:shell_exec_t:s0*
> */bin/login  system_u:object_r:login_exec_t:s0*
> */bin/sh system_u:object_r:bin_t:s0 ->
> system_u:object_r:shell_exec_t:s0*
> */sbin/agettysystem_u:object_r:getty_exec_t:s0*
> */sbin/init  system_u:object_r:bin_t:s0 ->
> system_u:object_r:init_exec_t:s0*
> */usr/sbin/sshd  system_u:object_r:sshd_exec_t:s0*
> */lib/libc.so.6  system_u:object_r:lib_t:s0 ->
> system_u:object_r:lib_t:s0*
> */lib/ld-linux.so.2  system_u:object_r:lib_t:s0 ->
> system_u:object_r:ld_so_t:s0*
> 
> *Also I am using ssh session for login.*
> 
> *Please let me know how to change id command context to unconfined_u or
> Sysadm_u.*
> 
> Thanks in advance
> Aman

Not sure, and a shot in the dark, but:

root is assoc. with sysadm_u. sysadm_u is only authorized to use sysadm_r.
If you have the boolean ssh_priv_login set to off then
sysadm_u:sysadm_r:sysadm_t:s0 is inaccessible.
pam_selinux attempts to use any other contexts that are accessible, and it
appears that system_u:system_r:unconfined_t was it.

Do you have the ssh_priv_login boolean set to off? `getsebool -a | grep ssh`

> 
> On Mon, Nov 27, 2017 at 9:29 PM, Stephen Smalley  wrote:
> 
> > On Fri, 2017-11-24 at 10:47 +0530, Aman Sharma wrote:
> > >
> > >
> > > Hi All,
> > >
> > > Currently Working on Cent OS 7.3 and login as a root User and my Id
> > > command output is :
> > >
> > > id
> > > uid=0(root) gid=0(root) groups=0(root)
> > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > >
> > > I want to change System_u:system_r:unconfined_t to sysadm_u:sysadm_r
> > > or unconfined_u:unconfined_r.
> > >
> > > Also showing the output of following command :
> > >
> > > semanage user -l
> > >
> > > Labeling   MLS/   MLS/
> > > SELinux UserPrefix MCS Level  MCS Range
> > > SELinux Roles
> > >
> > > admin_u user   s0 s0-s0:c0.c1023
> > >  sysadm_r system_r
> > > guest_u user   s0 s0
> > >  guest_r
> > > rootuser   s0 s0-s0:c0.c1023
> > >  staff_r sysadm_r
> > > specialuser_u   user   s0 s0
> > >  sysadm_r system_r
> > > staff_u user   s0 s0-s0:c0.c1023
> > >  staff_r sysadm_r system_r
> > > sysadm_uuser   s0 s0-s0:c0.c1023
> > >  sysadm_r
> > > system_uuser   s0 s0-s0:c0.c1023
> > >  system_r
> > > unconfined_uuser   s0 s0-s0:c0.c1023
> > >  system_r unconfined_r
> > > user_u  user   s0 s0
> > >  user_r
> > > xguest_uuser   s0 s0
> > >  xguest_r
> > >
> > >
> > >  semanage login -l
> > >
> > > Login Name   SELinux User MLS/MCS Range
> > > Service
> > >
> > > __default__  sysadm_u s0-s0:c0.c1023   *
> > > ccmservice   specialuser_us0   *
> > > cucm admin_u  s0-s0:c0.c1023   *
> > > drfkeys  specialuser_us0   *
> > > drfuser  specialuser_us0   *
> > > informix specialuser_us0   *
> > > pwrecovery   specialuser_us0   *
> > > root sysadm_u s0-s0:c0.c1023   *
> > > sftpuser specialuser_us0   *
> > > system_u sysadm_u s0-s0:c0.c1023   *
> > >
> > >
> > > Can anybody Please help me.
> >
> > What is your sestatus -v output?  How are you logging in (console, gdm,
> > ssh, ...)?
> >
> > You don't appear to be running the default policy, or if you are,
> > someone has heavily customized your user and login mappings.
> >
> >
> >
> 
> 
> -- 
> 
> Thanks
> Aman
> Cell: +91 9990296404 |  Email ID : amansh.shar...@gmail.com

-- 
Key 
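The mapping chain Dominick describes above (login name, then SELinux user, then the roles that user is authorised for, with ssh access to sysadm_r gated by a boolean), as an added example that is not part of this thread: a POSIX sh audit script over constructed copies of the semanage and getsebool output posted here. It assumes the boolean name ssh_sysadm_login shown in Aman's getsebool output, and the stock CentOS 7 targeted login mappings it compares against are an assumption from memory, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread or any project): resolve which SELinux
# user and roles a Linux login maps to, whether an ssh login can reach
# sysadm_r under ssh_sysadm_login, and which mappings deviate from stock.

# Constructed sample of `semanage login -l`, copied from the thread's output.
LOGIN_MAP='__default__          sysadm_u             s0-s0:c0.c1023       *
ccmservice           specialuser_u        s0                   *
cucm                 admin_u              s0-s0:c0.c1023       *
drfkeys              specialuser_u        s0                   *
drfuser              specialuser_u        s0                   *
informix             specialuser_u        s0                   *
pwrecovery           specialuser_u        s0                   *
root                 sysadm_u             s0-s0:c0.c1023       *
sftpuser             specialuser_u        s0                   *
system_u             sysadm_u             s0-s0:c0.c1023       *'

# Constructed `semanage user -l` sample (wrapped role column joined on one
# line): user, prefix, MCS level, MCS range, then one or more roles.
USER_MAP='admin_u         user  s0  s0-s0:c0.c1023  sysadm_r system_r
guest_u         user  s0  s0              guest_r
root            user  s0  s0-s0:c0.c1023  staff_r sysadm_r
specialuser_u   user  s0  s0              sysadm_r system_r
staff_u         user  s0  s0-s0:c0.c1023  staff_r sysadm_r system_r
sysadm_u        user  s0  s0-s0:c0.c1023  sysadm_r
system_u        user  s0  s0-s0:c0.c1023  system_r
unconfined_u    user  s0  s0-s0:c0.c1023  system_r unconfined_r
user_u          user  s0  s0              user_r
xguest_u        user  s0  s0              xguest_r'

# Constructed getsebool line for the case Dominick hypothesises (boolean off).
BOOLS='ssh_sysadm_login --> off'
# Stock CentOS 7 targeted login mappings (assumption from memory), used as the
# baseline when spotting local customisations.
STOCK_LOGIN_MAP='__default__ unconfined_u
root unconfined_u
system_u system_u'

# selinux_user_for LOGIN: SELinux user for LOGIN, falling back to __default__.
selinux_user_for() {
  u=$(printf '%s\n' "$LOGIN_MAP" | awk -v l="$1" '$1 == l { print $2; exit }')
  [ -n "$u" ] || u=$(printf '%s\n' "$LOGIN_MAP" |
                     awk '$1 == "__default__" { print $2; exit }')
  printf '%s\n' "$u"
}

# roles_for SEUSER: space-separated roles the SELinux user is authorised for.
roles_for() {
  printf '%s\n' "$USER_MAP" | awk -v u="$1" '$1 == u {
    r = ""; for (i = 5; i <= NF; i++) r = r (i > 5 ? " " : "") $i
    print r; exit }'
}

# bool_value NAME: value of a boolean from the getsebool sample.
bool_value() {
  printf '%s\n' "$BOOLS" | awk -v b="$1" '$1 == b { print $3; exit }'
}

# ssh_sysadm_status LOGIN [BOOL]: "allowed" if the mapped user has sysadm_r and
# the boolean is on; "blocked" if it has sysadm_r but the boolean is off (then
# pam_selinux must fall back to another accessible context); else "no-sysadm_r".
ssh_sysadm_status() {
  roles=$(roles_for "$(selinux_user_for "$1")")
  bool=${2:-$(bool_value ssh_sysadm_login)}
  case " $roles " in
    *" sysadm_r "*) [ "$bool" = on ] && echo allowed || echo blocked ;;
    *) echo no-sysadm_r ;;
  esac
}

# login_deviations: every login whose mapping differs from the stock baseline
# (logins absent from the baseline count too), printed as "login seuser".
login_deviations() {
  printf '%s\n' "$LOGIN_MAP" | while read -r login seuser rest; do
    expected=$(printf '%s\n' "$STOCK_LOGIN_MAP" |
               awk -v l="$login" '$1 == l { print $2 }')
    [ "$seuser" = "$expected" ] || printf '%s %s\n' "$login" "$seuser"
  done
}

for l in root cucm ccmservice nobody; do
  printf '%-12s -> %-14s ssh sysadm_r: %s\n' "$l" "$(selinux_user_for "$l")" "$(ssh_sysadm_status "$l")"
done
printf 'logins deviating from stock mapping: %s\n' "$(login_deviations | grep -c .)"
```

Every login in the sample, including the unmapped `nobody` that falls to `__default__`, lands on a SELinux user that carries sysadm_r, which is why flipping the boolean in the second argument changes every verdict at once.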

Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-28 Thread Aman Sharma
Hi Stephen,

Below is the output of the command:

sestatus -v output
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Process contexts:
Current context:                system_u:system_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling terminal:           system_u:object_r:sshd_devpts_t:s0
/etc/passwd                     system_u:object_r:passwd_file_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
/lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
/lib/ld-linux.so.2              system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0

Also, I am using an ssh session for login.

Please let me know how to change the id command context to unconfined_u or
sysadm_u.

Thanks in advance
Aman

On Mon, Nov 27, 2017 at 9:29 PM, Stephen Smalley  wrote:

> On Fri, 2017-11-24 at 10:47 +0530, Aman Sharma wrote:
> >
> >
> > Hi All,
> >
> > Currently Working on Cent OS 7.3 and login as a root User and my Id
> > command output is :
> >
> > id
> > uid=0(root) gid=0(root) groups=0(root)
> > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> >
> > I want to change System_u:system_r:unconfined_t to sysadm_u:sysadm_r
> > or unconfined_u:unconfined_r.
> >
> > Also showing the output of following command :
> >
> > semanage user -l
> >
> > Labeling   MLS/   MLS/
> > SELinux UserPrefix MCS Level  MCS Range
> > SELinux Roles
> >
> > admin_u user   s0 s0-s0:c0.c1023
> >  sysadm_r system_r
> > guest_u user   s0 s0
> >  guest_r
> > rootuser   s0 s0-s0:c0.c1023
> >  staff_r sysadm_r
> > specialuser_u   user   s0 s0
> >  sysadm_r system_r
> > staff_u user   s0 s0-s0:c0.c1023
> >  staff_r sysadm_r system_r
> > sysadm_uuser   s0 s0-s0:c0.c1023
> >  sysadm_r
> > system_uuser   s0 s0-s0:c0.c1023
> >  system_r
> > unconfined_uuser   s0 s0-s0:c0.c1023
> >  system_r unconfined_r
> > user_u  user   s0 s0
> >  user_r
> > xguest_uuser   s0 s0
> >  xguest_r
> >
> >
> >  semanage login -l
> >
> > Login Name   SELinux User MLS/MCS Range
> > Service
> >
> > __default__  sysadm_u s0-s0:c0.c1023   *
> > ccmservice   specialuser_us0   *
> > cucm admin_u  s0-s0:c0.c1023   *
> > drfkeys  specialuser_us0   *
> > drfuser  specialuser_us0   *
> > informix specialuser_us0   *
> > pwrecovery   specialuser_us0   *
> > root sysadm_u s0-s0:c0.c1023   *
> > sftpuser specialuser_us0   *
> > system_u sysadm_u s0-s0:c0.c1023   *
> >
> >
> > Can anybody Please help me.
>
> What is your sestatus -v output?  How are you logging in (console, gdm,
> ssh, ...)?
>
> You don't appear to be running the default policy, or if you are,
> someone has heavily customized your user and login mappings.
>
>
>




Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-27 Thread Stephen Smalley
On Fri, 2017-11-24 at 10:47 +0530, Aman Sharma wrote:
> 
> 
> Hi All,
> 
> Currently Working on Cent OS 7.3 and login as a root User and my Id
> command output is :
> 
> id
> uid=0(root) gid=0(root) groups=0(root)
> context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> 
> I want to change System_u:system_r:unconfined_t to sysadm_u:sysadm_r
> or unconfined_u:unconfined_r. 
> 
> Also showing the output of following command :
> 
> semanage user -l
> 
>                 Labeling   MLS/       MLS/                          
> SELinux User    Prefix     MCS Level  MCS Range                     
> SELinux Roles
> 
> admin_u         user       s0         s0-s0:c0.c1023               
>  sysadm_r system_r
> guest_u         user       s0         s0                           
>  guest_r
> root            user       s0         s0-s0:c0.c1023               
>  staff_r sysadm_r
> specialuser_u   user       s0         s0                           
>  sysadm_r system_r
> staff_u         user       s0         s0-s0:c0.c1023               
>  staff_r sysadm_r system_r
> sysadm_u        user       s0         s0-s0:c0.c1023               
>  sysadm_r
> system_u        user       s0         s0-s0:c0.c1023               
>  system_r
> unconfined_u    user       s0         s0-s0:c0.c1023               
>  system_r unconfined_r
> user_u          user       s0         s0                           
>  user_r
> xguest_u        user       s0         s0                           
>  xguest_r
> 
> 
>  semanage login -l
> 
> Login Name           SELinux User         MLS/MCS Range       
> Service
> 
> __default__          sysadm_u             s0-s0:c0.c1023       *
> ccmservice           specialuser_u        s0                   *
> cucm                 admin_u              s0-s0:c0.c1023       *
> drfkeys              specialuser_u        s0                   *
> drfuser              specialuser_u        s0                   *
> informix             specialuser_u        s0                   *
> pwrecovery           specialuser_u        s0                   *
> root                 sysadm_u             s0-s0:c0.c1023       *
> sftpuser             specialuser_u        s0                   *
> system_u             sysadm_u             s0-s0:c0.c1023       *
> 
> 
> Can anybody Please help me.

What is your sestatus -v output?  How are you logging in (console, gdm,
ssh, ...)?

You don't appear to be running the default policy, or if you are,
someone has heavily customized your user and login mappings.




Fwd: Qwery regarding Selinux Change Id context

2017-11-23 Thread Aman Sharma
Hi All,

Currently working on CentOS 7.3, logged in as the root user, and my id command
output is:

id
uid=0(root) gid=0(root) groups=0(root)
context=system_u:system_r:unconfined_t:s0-s0:c0.c1023

I want to change system_u:system_r:unconfined_t to sysadm_u:sysadm_r or
unconfined_u:unconfined_r.

Also showing the output of the following commands:

semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

admin_u         user       s0         s0-s0:c0.c1023                 sysadm_r system_r
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r
specialuser_u   user       s0         s0                             sysadm_r system_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r


semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          sysadm_u             s0-s0:c0.c1023       *
ccmservice           specialuser_u        s0                   *
cucm                 admin_u              s0-s0:c0.c1023       *
drfkeys              specialuser_u        s0                   *
drfuser              specialuser_u        s0                   *
informix             specialuser_u        s0                   *
pwrecovery           specialuser_u        s0                   *
root                 sysadm_u             s0-s0:c0.c1023       *
sftpuser             specialuser_u        s0                   *
system_u             sysadm_u             s0-s0:c0.c1023       *


Can anybody please help me.
