Bug 1814549 - ssh fails for sysadm_u user: Unable to get valid context for admin
Summary: ssh fails for sysadm_u user: Unable to get valid context for admin
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pam
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Iker Pedrosa
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-03-18 08:09 UTC by Martin Pitt
Modified: 2021-03-12 11:55 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-18 10:29:44 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links: Red Hat Knowledge Base (Solution) 4359441 (last updated 2021-03-12 11:55:22 UTC)

Description Martin Pitt 2020-03-18 08:09:02 UTC
Description of problem: With SELinux user role sysadm_u, ssh fails. 

These roles are documented here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-targeted_policy-confined_and_unconfined_users

They don't talk about ssh restrictions; less privileged roles like staff_u and user_u work, and intuitively it's not clear why sysadmins should be forbidden to log in through ssh.

Version-Release number of selected component (if applicable):

pam-1.3.1-8.el8.x86_64
selinux-policy-3.14.3-40.el8.noarch
openssh-8.0p1-4.el8_1.x86_64

How reproducible: Always


Steps to Reproduce:
1. Create an "admin" user which is in group wheel, so that they can run sudo
2. Assign sysadmin role:
   # semanage login -a -s sysadm_u admin
3. Try to "ssh admin@" into that machine.

Actual results: Fails with:

$ ssh admin@c
Unable to get valid context for admin
Last login: Wed Mar 18 03:55:06 2020 from 172.27.0.2
Connection to 127.0.0.2 closed.

It actually does create a session, but quickly tears it down again. Journal:

Mar 18 04:02:03 m1.cockpit.lan sshd[1378]: Accepted password for admin from 172.27.0.2 port 48864 ssh2
Mar 18 04:02:03 m1.cockpit.lan sshd[1378]: pam_selinux(sshd:session): Unable to get valid context for admin
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Created slice User Slice of UID 1001.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Started /run/user/1001 mount wrapper.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Starting User Manager for UID 1001...
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Started Session 8 of user admin.
Mar 18 04:02:03 m1.cockpit.lan systemd-logind[824]: New session 8 of user admin.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: pam_unix(systemd-user:session): session opened for user admin by (uid=0)
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Starting D-Bus User Message Bus Socket.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Started Mark boot as successful after the user session has run 2 minutes.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Reached target Timers.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Reached target Paths.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Listening on D-Bus User Message Bus Socket.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Reached target Sockets.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Reached target Basic System.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Reached target Default.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Startup finished in 41ms.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Started User Manager for UID 1001.
Mar 18 04:02:03 m1.cockpit.lan sshd[1378]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Mar 18 04:02:03 m1.cockpit.lan sshd[1378]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Mar 18 04:02:03 m1.cockpit.lan sshd[1378]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
Mar 18 04:02:03 m1.cockpit.lan sshd[1393]: Received disconnect from 172.27.0.2 port 48864:11: disconnected by user
Mar 18 04:02:03 m1.cockpit.lan sshd[1393]: Disconnected from user admin 172.27.0.2 port 48864
Mar 18 04:02:03 m1.cockpit.lan systemd-logind[824]: Session 8 logged out. Waiting for processes to exit.
Mar 18 04:02:03 m1.cockpit.lan systemd-logind[824]: Removed session 8.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: user-runtime-dir: Unit not needed anymore. Stopping.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Stopping User Manager for UID 1001...
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Stopped target Default.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Stopped target Basic System.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Stopped target Paths.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Stopped target Sockets.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Closed D-Bus User Message Bus Socket.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Stopped target Timers.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Stopped Mark boot as successful after the user session has run 2 minutes.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Reached target Shutdown.
Mar 18 04:02:03 m1.cockpit.lan systemd[1383]: Starting Exit the Session...
Mar 18 04:02:03 m1.cockpit.lan systemd[1387]: pam_unix(systemd-user:session): session closed for user admin
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: user: Killing process 1396 (systemctl) with signal SIGKILL.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: user-runtime-dir: Unit not needed anymore. Stopping.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Stopped User Manager for UID 1001.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: user-runtime-dir: Unit not needed anymore. Stopping.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Stopping /run/user/1001 mount wrapper...
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Removed slice User Slice of UID 1001.
Mar 18 04:02:03 m1.cockpit.lan systemd[1]: Stopped /run/user/1001 mount wrapper.



Expected results: ssh works.


Additional info:
 - Doing the same reproducer with staff_u or user_u works.
 - This fails the same way on Fedora 31 and 32.

Comment 1 Tomas Mraz 2020-03-18 08:33:42 UTC
This most probably needs to be investigated and solved on selinux-policy side.

Comment 2 Petr Lautrbach 2020-03-18 09:12:36 UTC
By default, sysadm_u is not allowed to login directly via ssh. You need to switch `ssh_sysadm_login` boolean to `on`:

[root@localhost ~]# adduser -Z sysadm_u sysadm

[root@localhost ~]# ssh sysadm@localhost
sysadm@localhost's password: 
Unable to get valid context for sysadm
Connection to localhost closed.

[root@localhost ~]# setsebool -P ssh_sysadm_login on

[root@localhost ~]# ssh sysadm@localhost
sysadm@localhost's password: 
Last login: Wed Mar 18 05:10:35 2020 from localhost

[sysadm@localhost ~]$ id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
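A small check for the mismatch comment 2 describes (a login mapped to sysadm_u while the `ssh_sysadm_login` boolean is off), written as an added example rather than taken from the bug report or the selinux-policy project. The function names (`sysadm_logins`, `bool_state`, `ssh_blocked_logins`) and the two sample outputs are my own; the samples mimic the real `semanage login -l` and `getsebool ssh_sysadm_login` formats but were constructed for this example.

```shell
#!/bin/sh
# Added example, not from the bug report: detect a login mapped to sysadm_u
# while ssh_sysadm_login is off, from the outputs of `semanage login -l`
# and `getsebool ssh_sysadm_login`.

# Constructed sample of `semanage login -l` output (not from a real host).
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
admin                sysadm_u             s0-s0:c0.c1023       *
alice                staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *'

# Constructed sample of `getsebool ssh_sysadm_login` output.
SAMPLE_BOOL='ssh_sysadm_login --> off'

# sysadm_logins TABLE: print the login names mapped to sysadm_u (one per line).
# A __default__ entry mapped to sysadm_u would cover every unmapped user.
sysadm_logins() {
    printf '%s\n' "$1" | awk '$2 == "sysadm_u" { print $1 }'
}

# bool_state LINE: print "on" or "off" from a getsebool output line.
bool_state() {
    printf '%s\n' "$1" | awk -F' --> ' 'NR == 1 { print $2 }'
}

# ssh_blocked_logins TABLE LINE: print the sysadm_u logins whose direct ssh
# login will fail with "Unable to get valid context"; return 1 if any, else 0.
ssh_blocked_logins() {
    [ "$(bool_state "$2")" = "off" ] || return 0
    blocked=$(sysadm_logins "$1")
    [ -n "$blocked" ] || return 0
    printf '%s\n' "$blocked"
    return 1
}

# Stand-alone run against the constructed samples. On a live host use:
#   ssh_blocked_logins "$(semanage login -l)" "$(getsebool ssh_sysadm_login)"
if blocked=$(ssh_blocked_logins "$SAMPLE_LOGINS" "$SAMPLE_BOOL"); then
    echo "OK: no sysadm_u login is blocked from direct ssh"
else
    echo "ssh_sysadm_login is off; direct ssh will fail for:"
    printf '  %s\n' $blocked
    echo "remedy: setsebool -P ssh_sysadm_login on"
fi
```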

Comment 3 Petr Lautrbach 2020-03-18 09:16:37 UTC
See "How to set up a system with SELinux confined users" - https://access.redhat.com/articles/3263671

Comment 4 Zdenek Pytela 2020-03-18 09:32:23 UTC
The documentation explicitly mentions X window and a terminal:

Linux users in the sysadm_t, staff_t, user_t, and xguest_t domains can log in using the X Window System and a terminal. 

and the rest of the sections document su/sudo usage only, but I think it's worth mentioning how it is with regard to ssh.

With that being said, this is not a bug. I will reach out to the documentation team for an enhancement covering ssh usage.

Comment 5 Martin Pitt 2020-03-18 09:57:12 UTC
Ack, thanks Zdenek. Pointing this out in the documentation is much appreciated then. It's a little weird as it's a hole in the privilege hierarchy for ssh: unconfined_u (works) > sysadm_u (fails) > staff_u (works) > user_u (works). So feel free to close this as wontfix, unless you want to keep it open for the documentation bit?

Comment 6 Zdenek Pytela 2020-03-18 10:07:51 UTC
Martin,

We have a jira task for RHEL 8 confined users documentation:

https://projects.engineering.redhat.com/browse/RHELPLAN-39025

so no need to keep this bz open. I've already mentioned this enhancement there and put a link to this bz so as not to forget about it. Depending on the result state, we can also discuss if an effort should be made to note it in RHEL 7 docs, too.

Comment 7 Martin Pitt 2020-03-18 10:29:44 UTC
Ack, thanks!
