Bug 1814549

Summary: ssh fails for sysadm_u user: Unable to get valid context for admin

Product: Red Hat Enterprise Linux 8
Reporter: Martin Pitt <mpitt>
Component: pam
Assignee: Iker Pedrosa <ipedrosa>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 8.2
CC: dapospis, lvrabec, mvollmer, pbrezina, plautrba, sbroz, tmraz, zpytela
Target Milestone: rc
Keywords: SELinux
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-03-18 10:29:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Martin Pitt 2020-03-18 08:09:02 UTC
Description of problem: With the SELinux user role sysadm_u, ssh fails.

These roles are documented here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-targeted_policy-confined_and_unconfined_users

They don't talk about ssh restrictions; lesser-privileged roles like staff_u and user_u work, and intuitively it's not clear why sysadmins should be forbidden to log in through ssh.

Version-Release number of selected component (if applicable):

pam-1.3.1-8.el8.x86_64
selinux-policy-3.14.3-40.el8.noarch
openssh-8.0p1-4.el8_1.x86_64

How reproducible: Always
Steps to Reproduce:
1. Create an "admin" user which is in group wheel, so that they can run sudo
2. Assign sysadmin role:
   # semanage login -a -s sysadm_u admin
3. Try to "ssh admin@" into that machine.

Actual results: Fails with:

$ ssh admin@c
Unable to get valid context for admin
Last login: Wed Mar 18 03:55:06 2020 from 172.27.0.2
Connection to 127.0.0.2 closed.

It actually does create a session, but quickly tears it down again. Journal:

Mar 18 04:02:03 m1.cockpit.lan sshd[1378]: Accepted password for admin from 172.27.0.2 port 48864 ssh2
Mar 18 04:02:03 m1.cockpit.lan sshd[1378]: pam_selinux(sshd:session): Unable to get valid context for admin
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Created slice User Slice of UID 1001.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Started /run/user/1001 mount wrapper.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Starting User Manager for UID 1001...
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Started Session 8 of user admin.
Mar 18 04:02:03 m1.cockpit.lan systemd-logind[824]: New session 8 of user admin.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: pam_unix(systemd-user:session): session opened for user admin by (uid=0)
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Starting D-Bus User Message Bus Socket.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Started Mark boot as successful after the user session has run 2 minutes.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Reached target Timers.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Reached target Paths.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Listening on D-Bus User Message Bus Socket.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Reached target Sockets.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Reached target Basic System.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Reached target Default.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Startup finished in 41ms.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Started User Manager for UID 1001.
Mar 18 04:02:03 m1.cockpit.lan sshd[1378]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Mar 18 04:02:03 m1.cockpit.lan sshd[1378]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Mar 18 04:02:03 m1.cockpit.lan sshd[1378]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
Mar 18 04:02:03 m1.cockpit.lan sshd[1393]: Received disconnect from 172.27.0.2 port 48864:11: disconnected by user
Mar 18 04:02:03 m1.cockpit.lan sshd[1393]: Disconnected from user admin 172.27.0.2 port 48864
Mar 18 04:02:03 m1.cockpit.lan systemd-logind[824]: Session 8 logged out. Waiting for processes to exit.
Mar 18 04:02:03 m1.cockpit.lan systemd-logind[824]: Removed session 8.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: user-runtime-dir: Unit not needed anymore. Stopping.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Stopping User Manager for UID 1001...
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Stopped target Default.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Stopped target Basic System.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Stopped target Paths.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Stopped target Sockets.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Closed D-Bus User Message Bus Socket.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Stopped target Timers.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Stopped Mark boot as successful after the user session has run 2 minutes.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Reached target Shutdown.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Starting Exit the Session...
Mar 18 04:02:03 m1.cockpit.lan systemd[1387]: pam_unix(systemd-user:session): session closed for user admin
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: user: Killing process 1396 (systemctl) with signal SIGKILL.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: user-runtime-dir: Unit not needed anymore. Stopping.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Stopped User Manager for UID 1001.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: user-runtime-dir: Unit not needed anymore. Stopping.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Stopping /run/user/1001 mount wrapper...
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Removed slice User Slice of UID 1001.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Stopped /run/user/1001 mount wrapper.
Expected results: ssh works.
Additional info:
 - Doing the same reproducer with staff_u or user_u works.
 - This fails the same way on Fedora 31 and 32.

Comment 1 Tomas Mraz 2020-03-18 08:33:42 UTC
This most probably needs to be investigated and solved on selinux-policy side.

Comment 2 Petr Lautrbach 2020-03-18 09:12:36 UTC
By default, sysadm_u is not allowed to login directly via ssh. You need to switch `ssh_sysadm_login` boolean to `on`:

[root@localhost ~]# adduser -Z sysadm_u sysadm

[root@localhost ~]# ssh sysadm@localhost
sysadm@localhost's password: 
Unable to get valid context for sysadm
Connection to localhost closed.

[root@localhost ~]# setsebool -P ssh_sysadm_login on

[root@localhost ~]# ssh sysadm@localhost
sysadm@localhost's password: 
Last login: Wed Mar 18 05:10:35 2020 from localhost

[sysadm@localhost ~]$ id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
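
The reproducer in the description (map a login to sysadm_u with `semanage login -a -s sysadm_u`) and the diagnosis in comment 2 (the login only gets a valid context once `ssh_sysadm_login` is on) can be turned into a pre-flight check that runs before anyone is locked out of a box. The script below is an added example, not part of the bug report or of any Red Hat tool. It assumes the `semanage login -l` and `getsebool` output formats of RHEL 8; the function names, the `--live` switch and the sample mapping table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): predict whether an ssh login will
# get a valid SELinux context, using the rule from comment 2 of bug 1814549:
# a login mapped to sysadm_u needs the ssh_sysadm_login boolean to be on;
# unconfined_u, staff_u and user_u logins are not affected by that boolean.
# The functions take the command output as text so they can be exercised
# on constructed samples without an SELinux host.

# Print the SELinux user mapped to a Linux login in `semanage login -l`
# output, falling back to the __default__ mapping when there is no entry.
selinux_user_for() {
    login="$1"; mappings="$2"
    u=$(printf '%s\n' "$mappings" | awk -v l="$login" '$1 == l { print $2 }')
    if [ -z "$u" ]; then
        u=$(printf '%s\n' "$mappings" | awk '$1 == "__default__" { print $2 }')
    fi
    printf '%s\n' "$u"
}

# Return 0 when `getsebool ssh_sysadm_login` output reports the boolean as on.
bool_is_on() {
    printf '%s\n' "$1" | grep -q -- '--> on$'
}

# Print "ok" (exit 0) when ssh should hand the login a valid context, or a
# "blocked: ..." line (exit 1) naming the remediation from comment 2.
ssh_login_expected() {
    login="$1"; mappings="$2"; boolstate="$3"
    seuser=$(selinux_user_for "$login" "$mappings")
    case "$seuser" in
        sysadm_u)
            if bool_is_on "$boolstate"; then
                echo ok
                return 0
            fi
            echo "blocked: $login maps to sysadm_u and ssh_sysadm_login is off;" \
                 "run 'setsebool -P ssh_sysadm_login on' or map the login to staff_u"
            return 1 ;;
        *)
            echo ok
            return 0 ;;
    esac
}

# Constructed sample output (not captured from the reporter's machine),
# shaped like `semanage login -l` on RHEL 8 after the reproducer's
# `semanage login -a -s sysadm_u admin`.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
admin                sysadm_u             s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
'
# Constructed `getsebool ssh_sysadm_login` output for both boolean states.
BOOL_OFF='ssh_sysadm_login --> off'
BOOL_ON='ssh_sysadm_login --> on'

# On a real RHEL 8 host, run as root: `sh ssh_sysadm_check.sh --live admin`
# (--live is an illustrative switch of this script, not a semanage option).
if [ "$1" = --live ]; then
    ssh_login_expected "$2" "$(semanage login -l)" "$(getsebool ssh_sysadm_login)"
fi
```

Run against the constructed table, `ssh_login_expected admin "$SAMPLE_LOGINS" "$BOOL_OFF"` reports the login as blocked, which matches the "Unable to get valid context" failure above, while the same call with `$BOOL_ON`, or for a login that falls through to the unconfined_u default, reports ok. The check reads `getsebool` rather than the policy sources because `setsebool -P` is the only state that matters at login time.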

Comment 3 Petr Lautrbach 2020-03-18 09:16:37 UTC
See "How to set up a system with SELinux confined users" - https://access.redhat.com/articles/3263671

Comment 4 Zdenek Pytela 2020-03-18 09:32:23 UTC
The documentation explicitly mentions X window and a terminal:

Linux users in the sysadm_t, staff_t, user_t, and xguest_t domains can log in using the X Window System and a terminal. 

and the rest of the section documents su/sudo usage only, but I think it's worth mentioning how it is with regard to ssh.

With that being said, this is not a bug. I will reach out to documentation team for enhancement covering ssh usage.

Comment 5 Martin Pitt 2020-03-18 09:57:12 UTC
Ack, thanks Zdenek. Pointing this out in the documentation is much appreciated then. It's a little weird as it's a hole in the privilege hierarchy for ssh: unconfined_u (works) > sysadm_u (fails) > staff_u (works) > user_u (works). So feel free to close this as wontfix, unless you want to keep it open for the documentation bit?

Comment 6 Zdenek Pytela 2020-03-18 10:07:51 UTC
Martin,

We have a jira task for RHEL 8 confined users documentation:

https://projects.engineering.redhat.com/browse/RHELPLAN-39025

so no need to keep this bz open. I've already mentioned this enhancement there and put a link to this bz not to forget about it. Depending on the result state, we can also discuss if an effort should be made to note it in RHEL 7 docs, too.

Comment 7 Martin Pitt 2020-03-18 10:29:44 UTC
Ack, thanks!