Hi All,

Below is the output of the semanage user command for sftpuser:

specialuser_u   user       s0         s0         sysadm_r system_r

and for the command semanage login -l, the output is:

sftpuser             specialuser_u        s0                   *

And also, after adding the debugging option, it's showing the below error
message:

Dec 13 15:46:10 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session): Unable
to get valid context for sftpuser

Dec 13 15:46:10 cucmSUB authpriv 5 sshd: pam_selinux(sshd:session): Open
Session

Dec 13 15:46:11 cucmSUB authpriv 7 sshd: pam_selinux(sshd:session):
Username= sftpuser SELinux User= specialuser_u Level= s0

Dec 13 15:46:11 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session): Unable
to get valid context for sftpuser


Also, the selinuxdefcon command is showing an error when run for sftpuser, i.e.:

sudo /usr/sbin/selinuxdefcon sftpuser system_u:system_r:sshd_t:s0

/usr/sbin/selinuxdefcon: Invalid argument


Please let me know your comments on this.


Thanks

Aman

On Thu, Dec 14, 2017 at 12:45 AM, Stephen Smalley <[email protected]> wrote:

> On Wed, 2017-12-13 at 21:40 +0530, Aman Sharma wrote:
> > Hi Stephen,
> >
> > Yes, I am using open env_params for it. But for this, my sftp is not
> > working and getting the below error message :
> >
> > Dec 13 13:00:00 aman authpriv 3 sshd: pam_selinux(sshd:session):
> > Unable to get valid context for sftpuser
> > Dec 13 13:00:00 aman authpriv 6 sshd: pam_unix(sshd:session): session
> > opened for user sftpuser by (uid=0)
> >
> > Please let me know if you have any idea on this.
>
> Do you have any semanage login mapping for sftpuser or is it just using
> the __default__ entry? (what does semanage login -l show)  How was
> sftpuser created?
>
> You could add the debug option on the pam_selinux.so line to try to get
> more information.
>
> You could run selinuxdefcon to query what context would be used for
> that user, e.g.
> selinuxdefcon sftpuser system_u:system_r:sshd_t:s0-s0.c0123
>
> >
> > On Wed, Dec 13, 2017 at 8:54 PM, Stephen Smalley <[email protected]>
> > wrote:
> > > On Tue, 2017-12-12 at 23:47 -0500, Aman Sharma wrote:
> > > > Hi All,
> > > >
> > > > Just wanted to know the meaning of the line session    required
> > > >  pam_selinux.so open env_params added in the /etc/pam.d/sshd file.
> > > > Actually I am facing one issue related to this. When I changed this
> > > > env_params to restore then my SFTP is not working.
> > > >
> > > > Can anybody please guide me on this.
> > >
> > > man pam_selinux describes the options and what they mean.
> > > Why did you change it to restore?  Per the man page, restore is to
> > > temporarily restore the contexts and would be a separate entry in the
> > > PAM stack before the module that needs the original contexts, followed
> > > by a pam_selinux.so open env_params after that module to set them up
> > > again.  But don't use restore unless you actually need it for some
> > > reason.
> > >
> > >
> > >
> > >
> >
> >
> >
> > --
> >
> > Thanks
> > Aman
> > Cell: +91 9990296404 |  Email ID : [email protected]
>



-- 

Thanks
Aman
Cell: +91 9990296404 |  Email ID : [email protected]
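
An added example, not part of the original thread: a small Python parser for the pam_selinux syslog lines posted above. It counts "Unable to get valid context" failures per host and user, records the SELinux user and level from the debug line, and notes whether pam_unix opened the session anyway. The function name `summarize` and the regular expressions are this example's own; the sample lines are the ones from the thread with the mail wrapping undone.

```python
import re
from collections import defaultdict

# Log lines as posted in the thread, with the mail client's line wrapping undone.
SAMPLE_LOG = """\
Dec 13 13:00:00 aman authpriv 3 sshd: pam_selinux(sshd:session): Unable to get valid context for sftpuser
Dec 13 13:00:00 aman authpriv 6 sshd: pam_unix(sshd:session): session opened for user sftpuser by (uid=0)
Dec 13 15:46:10 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session): Unable to get valid context for sftpuser
Dec 13 15:46:10 cucmSUB authpriv 5 sshd: pam_selinux(sshd:session): Open Session
Dec 13 15:46:11 cucmSUB authpriv 7 sshd: pam_selinux(sshd:session): Username= sftpuser SELinux User= specialuser_u Level= s0
Dec 13 15:46:11 cucmSUB authpriv 3 sshd: pam_selinux(sshd:session): Unable to get valid context for sftpuser
"""

# timestamp host facility severity program: pam_module(service:type): message
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+\S+\s+\d+\s+\S+:\s+"
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<type>\w+)\):\s+(?P<msg>.*)$"
)
FAIL = re.compile(r"Unable to get valid context for (\S+)")
MAPPING = re.compile(r"Username=\s*(\S+)\s+SELinux User=\s*(\S+)\s+Level=\s*(\S+)")
OPENED = re.compile(r"session opened for user (\S+)")


def summarize(log_text):
    """Return {(host, user): summary} for users pam_selinux could not label."""
    seen = defaultdict(lambda: {"failures": 0, "seuser": None, "level": None,
                                "session_opened": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a PAM line in the layout shown in the thread
        host, module, msg = m["host"], m["module"], m["msg"]
        if module == "pam_selinux" and (f := FAIL.search(msg)):
            seen[(host, f[1])]["failures"] += 1
        elif module == "pam_selinux" and (u := MAPPING.search(msg)):
            # Debug line: which SELinux user and level the login mapped to.
            entry = seen[(host, u[1])]
            entry["seuser"], entry["level"] = u[2], u[3]
        elif module == "pam_unix" and (o := OPENED.search(msg)):
            seen[(host, o[1])]["session_opened"] = True
    # Report only users with at least one context failure.
    return {key: val for key, val in seen.items() if val["failures"]}


if __name__ == "__main__":
    for (host, user), info in summarize(SAMPLE_LOG).items():
        print(host, user, info)
```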
