Summary:
I want to be able to log in to a machine that has SELINUX=enforcing as a user with a custom shell both over ssh and from the login screen at the machine directly. Currently the problem is that I can only log in from one method or the other, never both.
Details:
I have a user called user using an alternative shell at /othershells/user-shell, and I've recently enabled SELINUX.
When logging in as user directly on the machine it works fine, as long as I set the context of the file to login_exec_t.
However, if I try to log in from another machine over ssh I get permission denied. When inspecting the audit.log I see the following:
SELinux is preventing /usr/sbin/sshd from getattr access on the file /othershells/user-shell.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that sshd should be allowed getattr access on the user-shell file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context system_u:object_r:login_exec_t:s0
Target Objects /othershells/user-shell [ file ]
Source sshd
Source Path /usr/sbin/sshd
Port <Unknown>
Host <Unknown>
Source RPM Packages openssh-server-5.3p1-122.el6.x86_64
Target RPM Packages file /othershells/user-shell is not owned by any package
Policy RPM selinux-policy-3.7.19-307.el6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name S3CDN-94C691108F1B-133-FifthMA
Platform Linux S3CDN-94C691108F1B-133-FifthMA 2.6.32-696.el6.x86_64 #1 SMP Tue Mar 21 19:29:05 UTC 2017 x86_64 x86_64
Alert Count 2
First Seen Tue Mar 20 17:09:59 2018
Last Seen Tue Mar 20 17:19:47 2018
Local ID c824c859-26b9-4d82-b818-0aef394df449
Raw Audit Messages
type=AVC msg=audit(1521566387.844:731): avc: denied { getattr } for pid=25466 comm="sshd" path="/othershells/user-shell" dev=dm-1 ino=130776 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:login_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1521566387.844:731): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f7fc2f2747f a1=7ffcb9baf120 a2=7ffcb9baf120 a3=1999999999999999 items=0 ppid=8963 pid=25466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
So it wants me to set the context to sshd_t, but if I do that, then logging in directly doesn't work. There's no way to have multiple contexts, so I checked to see if there were generic contexts that would allow multiple uses of a file and found these two:
public_content_t
public_content_rw_t
Neither of them worked, because they're read-only and read/write respectively. I'd need some kind of public read/write/execute.
I took a look at the booleans available in https://www.systutorials.com/docs/linux/man/8-sshd_selinux/ and none of them worked either.
Is there anything I can do to be able to achieve this? Thanks.
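Reading the two raw audit records above is the whole diagnosis: the type in the Source Context (sshd_t) is the domain of the process that was refused, the type in the Target Context (login_exec_t) is the label on the shell file, and the SYSCALL record shows the refusal happened when sshd stat()ed the shell (syscall=stat, exit=EACCES). A file carries exactly one label, so the label you choose has to be one that both the console login path's domain and sshd_t are permitted to reach. The script below is an added example, not part of the original post: it parses lines in the audit.log format shown above into those parts and counts denials per (source type, target type, object class, permission). The first two sample lines are the records quoted in the question; the third is a constructed second getattr denial standing in for the reported Alert Count of 2.

```python
"""Parse SELinux AVC denials out of audit.log lines and summarize them.

Added example; not part of the original post. Standard library only.
"""
import re
import sys
from collections import Counter

# Constructed input. The first two lines are the raw audit messages quoted in
# the question; the third is a constructed second getattr denial (the report
# lists an Alert Count of 2) with a later timestamp and serial number.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1521566387.844:731): avc: denied { getattr } for pid=25466 comm="sshd" path="/othershells/user-shell" dev=dm-1 ino=130776 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:login_exec_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1521566387.844:731): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f7fc2f2747f a1=7ffcb9baf120 a2=7ffcb9baf120 a3=1999999999999999 items=0 ppid=8963 pid=25466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)',
    'type=AVC msg=audit(1521566975.102:748): avc: denied { getattr } for pid=25601 comm="sshd" path="/othershells/user-shell" dev=dm-1 ino=130776 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:login_exec_t:s0 tclass=file',
]

# type=AVC msg=audit(<seconds>:<serial>): avc: denied { perm perm } for key=value ...
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc: +(?P<result>denied|granted) +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted (comm, path) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:range]; the type field is what policy rules are written against."""
    parts = ctx.split(':', 3)
    return {
        'user': parts[0],
        'role': parts[1],
        'type': parts[2],
        'range': parts[3] if len(parts) > 3 else '',
    }


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other record type (SYSCALL, PATH, ...)."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'tclass': fields.get('tclass'),
        'source': parse_context(fields['scontext']),   # domain of the acting process
        'target': parse_context(fields['tcontext']),   # label on the object it touched
    }


def describe(avc):
    """One-line reading of a record: which domain was denied what, on an object of which type."""
    return '{src} (comm={comm}) {result} {perms} on {cls} {path} labeled {tgt}'.format(
        src=avc['source']['type'], comm=avc['comm'], result=avc['result'],
        perms='/'.join(avc['perms']), cls=avc['tclass'], path=avc['path'],
        tgt=avc['target']['type'])


def summarize(lines):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc['result'] != 'denied':
            continue
        for perm in avc['perms']:
            counts[(avc['source']['type'], avc['target']['type'], avc['tclass'], perm)] += 1
    return counts


if __name__ == '__main__':
    # Read audit lines from stdin when piped in, otherwise use the embedded sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_AUDIT_LINES
    for line in lines:
        avc = parse_avc(line)
        if avc is not None:
            print(describe(avc))
    for (src, tgt, cls, perm), n in sorted(summarize(lines).items()):
        print('%4d  %s -> %s  %s:%s' % (n, src, tgt, cls, perm))
```

Feed it real data with grep avc: /var/log/audit/audit.log | python avc_summary.py (the file name is an assumption). Two practical points when acting on the result: chcon changes the label only until the next restorecon or filesystem relabel, so a label you want to keep should be recorded with semanage fcontext -a -t <type> '/othershells(/.*)?' and applied with restorecon -Rv /othershells; and before relabeling, sesearch --allow -s sshd_t -t <type> -c file (from setools) shows whether the candidate type is reachable from the sshd_t domain at all, so you can rule a type out without another round of failed logins.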
I managed to solve it. The context I wanted was shell_exec_t