Bug 1814549
Summary: | ssh fails for sysadm_u user: Unable to get valid context for admin | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Martin Pitt <mpitt> |
Component: | pam | Assignee: | Iker Pedrosa <ipedrosa> |
Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 8.2 | CC: | dapospis, lvrabec, mvollmer, pbrezina, plautrba, sbroz, tmraz, zpytela |
Target Milestone: | rc | Keywords: | SELinux |
Target Release: | 8.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-03-18 10:29:44 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description

Martin Pitt 2020-03-18 08:09:02 UTC

This most probably needs to be investigated and solved on selinux-policy side.

By default, sysadm_u is not allowed to log in directly via ssh. You need to switch the `ssh_sysadm_login` boolean to `on`:

```
[root@localhost ~]# adduser -Z sysadm_u sysadm
[root@localhost ~]# ssh sysadm@localhost
sysadm@localhost's password:
Unable to get valid context for sysadm
Connection to localhost closed.
[root@localhost ~]# setsebool -P ssh_sysadm_login on
[root@localhost ~]# ssh sysadm@localhost
sysadm@localhost's password:
Last login: Wed Mar 18 05:10:35 2020 from localhost
[sysadm@localhost ~]$ id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
```

See "How to set up a system with SELinux confined users" - https://access.redhat.com/articles/3263671

The documentation explicitly mentions X window and a terminal:

> Linux users in the sysadm_t, staff_t, user_t, and xguest_t domains can log in using the X Window System and a terminal.

and the rest of the sections document su/sudo usage only, but I think it's worth mentioning how it is with regard to ssh.

With that being said, this is not a bug. I will reach out to the documentation team for an enhancement covering ssh usage.

Ack, thanks Zdenek. Pointing this out in the documentation is much appreciated then. It's a little weird as it's a hole in the privilege hierarchy for ssh: unconfined_u (works) > sysadm_u (fails) > staff_u (works) > user_u (works). So feel free to close this as wontfix, unless you want to keep it open for the documentation bit?

Martin, we have a jira task for RHEL 8 confined users documentation: https://projects.engineering.redhat.com/browse/RHELPLAN-39025 so no need to keep this bz open. I've already mentioned this enhancement there and put a link to this bz not to forget about it. Depending on the result state, we can also discuss if an effort should be made to note it in RHEL 7 docs, too.

Ack, thanks!
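The behaviour discussed in this bug (sysadm_u logins are refused by sshd unless `ssh_sysadm_login` is on, while unconfined_u, staff_u and user_u logins work by default) is easy to miss on a host where confined users were mapped long ago. The shell snippet below is an added example, not part of the bug report or of any Red Hat tooling: it takes the text of `semanage login -l` and `getsebool ssh_sysadm_login` and reports which SELinux login mappings will hit "Unable to get valid context" over ssh. The column layout assumed for `semanage login -l` (Login Name, SELinux User, MLS/MCS Range, Service) and the `name --> state` form of `getsebool` output are assumptions; the embedded sample mapping is constructed for the demonstration and does not come from the bug.

```shell
#!/bin/sh
# Added example (not from the bug report): audit SELinux login mappings for
# users that sshd will refuse because ssh_sysadm_login is off.

# Constructed sample in the assumed `semanage login -l` layout.
SAMPLE_MAPPING=$(cat <<'EOF'
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
sysadm               sysadm_u             s0-s0:c0.c1023       *
staffer              staff_u              s0-s0:c0.c1023       *
guest                user_u               s0                   *
EOF
)
# Constructed sample outputs of `getsebool ssh_sysadm_login`.
SAMPLE_BOOL_OFF='ssh_sysadm_login --> off'
SAMPLE_BOOL_ON='ssh_sysadm_login --> on'

# sysadm_ssh_audit MAPPING_TEXT GETSEBOOL_TEXT
# Prints one line per mapped login: "<login> <selinux user> <verdict>".
# Only sysadm_u mappings depend on the boolean; the other confined users
# named in the bug (staff_u, user_u) and unconfined_u log in regardless.
sysadm_ssh_audit() {
    mapping=$1
    boolstate=$2
    state=$(printf '%s\n' "$boolstate" | awk '$1 == "ssh_sysadm_login" { print $3 }')
    [ -n "$state" ] || state=unknown
    printf '%s\n' "$mapping" | awk -v state="$state" '
        # Skip the header line and blank lines; keep real mapping rows.
        NF >= 2 && $1 != "Login" {
            if ($2 == "sysadm_u" && state != "on")
                verdict = "BLOCKED (ssh_sysadm_login is " state ")"
            else
                verdict = "ok"
            print $1, $2, verdict
        }'
}

# sysadm_ssh_audit_live: run the audit against the local policy, if the
# SELinux management tools are present (needs root for semanage).
sysadm_ssh_audit_live() {
    if ! command -v semanage >/dev/null 2>&1 || ! command -v getsebool >/dev/null 2>&1; then
        echo "semanage/getsebool not found; cannot audit live policy" >&2
        return 1
    fi
    sysadm_ssh_audit "$(semanage login -l 2>/dev/null)" "$(getsebool ssh_sysadm_login 2>/dev/null)"
}

# Demonstration on the constructed sample with the boolean off: only the
# sysadm_u mapping is reported as BLOCKED.
sysadm_ssh_audit "$SAMPLE_MAPPING" "$SAMPLE_BOOL_OFF"
```

Running `sysadm_ssh_audit_live` on a RHEL 8 host with `ssh_sysadm_login` off lists every sysadm_u-mapped login as BLOCKED; after `setsebool -P ssh_sysadm_login on`, as in the session above, the same mappings report `ok`. Mappings for staff_u and user_u are never flagged, which mirrors the hierarchy gap Martin describes.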