Actually I am using CentOS version 7.3, i.e.

cat /etc/centos-release
CentOS Linux release 7.3.1611 (Core)

On Wed, Nov 29, 2017 at 9:04 PM, Aman Sharma <amansh.shar...@gmail.com> wrote:

> No, I am not using a 3rd party SSH client. This is normal ssh.
>
> On Wed, Nov 29, 2017 at 8:59 PM, Simon Sekidde <sseki...@redhat.com> wrote:
>
> > Aman,
> >
> > ----- Original Message -----
> > > From: "Aman Sharma" <amansh.shar...@gmail.com>
> > > To: "Stephen Smalley" <s...@tycho.nsa.gov>
> > > Cc: "SELinux" <selinux@tycho.nsa.gov>
> > > Sent: Wednesday, November 29, 2017 10:17:19 AM
> > > Subject: Re: Fwd: Qwery regarding Selinux Change Id context
> > >
> > > Hi Stephen,
> > >
> > > I tried all three commands, i.e.
> > > semanage export > localchanges
> > >
> > > semanage login -D
> > > semanage user -D
> > >
> > > Then I rebooted the system, and after reboot it is still showing the root
> > > user with the same id context, i.e.
> > >
> > > id
> > > uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > >
> > > id -Z
> > > system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > >
> >
> > Are you using a 3rd party ssh client?
> >
> > >
> > > Also check the below output:
> > > semanage user -l
> > >
> > >                 Labeling   MLS/       MLS/
> > > SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
> > >
> > > guest_u         user       s0         s0               guest_r
> > > root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
> > > staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
> > > sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
> > > system_u        user       s0         s0-s0:c0.c1023   system_r unconfined_r
> > > unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
> > > user_u          user       s0         s0               user_r
> > > xguest_u        user       s0         s0               xguest_r
> > >
> > > [root@cucm ~]# semanage login -l
> > >
> > > Login Name      SELinux User    MLS/MCS Range    Service
> > >
> > > __default__     unconfined_u    s0-s0:c0.c1023   *
> > > root            unconfined_u    s0-s0:c0.c1023   *
> > > system_u        system_u        s0-s0:c0.c1023   *
> > >
> > > Please let me know your comments on this.
> > >
> > > Thanks
> > > Aman
> > >
> > > On Wed, Nov 29, 2017 at 8:17 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> > >
> > > > On Wed, 2017-11-29 at 20:11 +0530, Aman Sharma wrote:
> > > > > Hi Stephen,
> > > > >
> > > > > Thanks for the reply.
> > > > >
> > > > > Can you please let me know how to delete all local customizations
> > > > > (via semanage or manually) and revert to a default policy.
> > > >
> > > > First, save any local customizations in case you want to restore them
> > > > later:
> > > > semanage export > localchanges
> > > >
> > > > Then, delete them:
> > > > semanage login -D
> > > > semanage user -D
> > > >
> > > > Then logout and log back in.
> > > >
> > > > >
> > > > > Otherwise the output of semanage login -l and semanage user -l:
> > > > >
> > > > > semanage user -l
> > > > >
> > > > >                 Labeling   MLS/       MLS/
> > > > > SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
> > > > >
> > > > > admin_u         user       s0         s0-s0:c0.c1023   sysadm_r system_r
> > > > > guest_u         user       s0         s0               guest_r
> > > > > root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r
> > > > > specialuser_u   user       s0         s0               sysadm_r system_r
> > > > > staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r
> > > > > sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
> > > > > system_u        user       s0         s0-s0:c0.c1023   system_r
> > > > > unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
> > > > > user_u          user       s0         s0               user_r
> > > > > xguest_u        user       s0         s0               xguest_r
> > > > >
> > > > >
> > > > > semanage login -l
> > > > >
> > > > > Login Name      SELinux User    MLS/MCS Range    Service
> > > > >
> > > > > __default__     sysadm_u        s0-s0:c0.c1023   *
> > > > > ccmservice      specialuser_u   s0               *
> > > > > cucm            admin_u         s0-s0:c0.c1023   *
> > > > > drfkeys         specialuser_u   s0               *
> > > > > drfuser         specialuser_u   s0               *
> > > > > informix        specialuser_u   s0               *
> > > > > pwrecovery      specialuser_u   s0               *
> > > > > root            sysadm_u        s0-s0:c0.c1023   *
> > > > > sftpuser        specialuser_u   s0               *
> > > > > system_u        sysadm_u        s0-s0:c0.c1023   *
> > > > >
> > > > > Please let me know if any comments are there.
> > > > >
> > > > > Thanks
> > > > > Aman
> > > > >
> > > > > On Wed, Nov 29, 2017 at 7:21 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> > > > > > On Wed, 2017-11-29 at 09:33 +0530, Aman Sharma wrote:
> > > > > > > Hi Stephen,
> > > > > > >
> > > > > > > Below is the output of the command:
> > > > > > >
> > > > > > > sestatus -v output
> > > > > > > SELinux status:                 enabled
> > > > > > > SELinuxfs mount:                /sys/fs/selinux
> > > > > > > SELinux root directory:         /etc/selinux
> > > > > > > Loaded policy name:             targeted
> > > > > > > Current mode:                   enforcing
> > > > > > > Mode from config file:          permissive
> > > > > > > Policy MLS status:              enabled
> > > > > > > Policy deny_unknown status:     allowed
> > > > > > > Max kernel policy version:      28
> > > > > > >
> > > > > > > Process contexts:
> > > > > > > Current context:                system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > > > > > > Init context:                   system_u:system_r:init_t:s0
> > > > > > > /usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023
> > > > > > >
> > > > > > > File contexts:
> > > > > > > Controlling terminal:           system_u:object_r:sshd_devpts_t:s0
> > > > > > > /etc/passwd                     system_u:object_r:passwd_file_t:s0
> > > > > > > /etc/shadow                     system_u:object_r:shadow_t:s0
> > > > > > > /bin/bash                       system_u:object_r:shell_exec_t:s0
> > > > > > > /bin/login                      system_u:object_r:login_exec_t:s0
> > > > > > > /bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
> > > > > > > /sbin/agetty                    system_u:object_r:getty_exec_t:s0
> > > > > > > /sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
> > > > > > > /usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
> > > > > > > /lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
> > > > > > > /lib/ld-linux.so.2              system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0
> > > > > > >
> > > > > > > Also I am using an ssh session for login.
> > > > > > >
> > > > > > > Please let me know how to change id command context to unconfined_u
> > > > > > > or Sysadm_u.
> > > > > >
> > > > > > So from your earlier message, it is clear that you (or someone else)
> > > > > > has heavily customized your semanage login and user mappings from the
> > > > > > stock targeted policy. The question is why, and whether you want/need
> > > > > > to retain any of those customizations. If not, then you could just
> > > > > > delete all local customizations (via semanage or manually) and revert
> > > > > > to a stock policy.
> > > > > >
> > > > > > If you do need to retain some of those customizations, then please
> > > > > > show your current semanage login -l and semanage user -l output since
> > > > > > you said you ran some further semanage commands after the last output
> > > > > > you showed.
> > > > > >
> > > > >
> > > > > --
> > > > >
> > > > > Thanks
> > > > > Aman
> > > > > Cell: +91 9990296404 | Email ID : amansh.shar...@gmail.com
> > > >
> > >
> > > --
> > >
> > > Thanks
> > > Aman
> > > Cell: +91 9990296404 | Email ID : amansh.shar...@gmail.com
> > >
> >
> > --
> > Simon Sekidde
> > gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
> >
>
> --
>
> Thanks
> Aman
> Cell: +91 9990296404 | Email ID : amansh.shar...@gmail.com
>

--
Thanks
Aman
Cell: +91 9990296404 | Email ID : amansh.shar...@gmail.com
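
Added example, not part of the thread or of any poster's message: a shell check that compares `semanage login -l` output against the stock mappings shown in the thread after the reset (`__default__` and `root` mapped to `unconfined_u`, `system_u` mapped to `system_u`). The sample input is constructed from the customized listing quoted in the thread; the function names are hypothetical, and treating the post-reset listing as the baseline is an assumption.

```shell
#!/bin/sh
# Added example: report login mappings that differ from the stock mappings
# shown in the thread after `semanage login -D` (assumed baseline).

# Constructed sample: the customized `semanage login -l` listing from the thread.
sample_login_list() {
cat <<'EOF'
Login Name           SELinux User         MLS/MCS Range        Service

__default__          sysadm_u             s0-s0:c0.c1023       *
ccmservice           specialuser_u        s0                   *
cucm                 admin_u              s0-s0:c0.c1023       *
drfkeys              specialuser_u        s0                   *
drfuser              specialuser_u        s0                   *
informix             specialuser_u        s0                   *
pwrecovery           specialuser_u        s0                   *
root                 sysadm_u             s0-s0:c0.c1023       *
sftpuser             specialuser_u        s0                   *
system_u             sysadm_u             s0-s0:c0.c1023       *
EOF
}

# Stock SELinux user for a login name; empty when the login has no stock entry.
stock_seuser() {
  case "$1" in
    __default__|root) echo unconfined_u ;;
    system_u)         echo system_u ;;
    *)                echo "" ;;
  esac
}

# Reads `semanage login -l` text on stdin and prints one line per deviation.
audit_login_mappings() {
  while read -r login seuser range _service; do
    [ -z "$login" ] && continue            # blank separator line
    [ "$login" = "Login" ] && continue     # header row
    expected=$(stock_seuser "$login")
    if [ -z "$expected" ]; then
      echo "EXTRA   $login -> $seuser ($range)"
    elif [ "$seuser" != "$expected" ]; then
      echo "CHANGED $login -> $seuser (stock: $expected)"
    fi
  done
}

# On a live host: semanage login -l | audit_login_mappings
sample_login_list | audit_login_mappings
```

An empty result means the listing matches the assumed stock baseline; any `EXTRA` or `CHANGED` line is a local customization that `semanage export` would capture before a reset.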