SELinux: running a custom shell binary from /etc/passwd


----- Problem --------

I have CentOS 7.6 running on my system. I want to invoke a custom shell instead of the standard shell in the /etc/passwd file.

I have SELinux enabled, and for some reason the sshd_t domain does not get transitioned to a new custom domain that my custom shell holds.

Something like this:

In /etc/passwd:

    root:x:0:0:root:/root:/bin/myshell

SELinux domain transition:

myshell.fc

    /bin/myshell                             gen_context(system_u:object_r:myshell_exec_t,s0)

myshell.te

    role unconfined_r types myshell_t;
    role_transition unconfined_r myshell_t system_r;
    domtrans_pattern(sshd_t, myshell_exec_t, myshell_t)

The default user is unconfined_u:unconfined_r:unconfined_t.

I also have a role transition from unconfined_r to system_r.

---- Issue ------

For some reason sshd_t does not get transitioned into the myshell_t domain.
User is root.

Here is the role change log message:

    type=USER_ROLE_CHANGE msg=audit(1559079004.637:339116): pid=24478 uid=0 auid=0 ses=823 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=system_u:unconfined_r:unconfined_t:s0 selected-context=system_u:unconfined_r:unconfined_t:s0 exe="/usr/sbin/sshd" hostname=X.X.X.X addr=X.X.X.X terminal=ssh res=success'

    type=AVC msg=audit(1559067681.085:327703): avc: granted { execute } for pid=17593 comm="sshd" name="myshell" scontext=system_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:myshell_exec_t:s0 tclass=file

It does execute the binary, but the transition is not happening. Probably because the role is different, but I do have a role transition; I am not sure why it is not working, though.










Tags: linux, centos, selinux

edited 37 mins ago by Rui F Ribeiro
asked 2 hours ago by np08
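
The mismatch between the posted policy and the AVC record can be checked mechanically. This is an added example, not part of the original post or of any SELinux tooling; the function names are hypothetical. It assumes the standard lookup keys: the type_transition generated by domtrans_pattern is selected by the executing process's type plus the executed file's type, and role_transition is selected by the current role plus the executed file's type.

```python
import re

# Policy statements and AVC record copied verbatim from the question above.
POLICY = """
role unconfined_r types myshell_t;
role_transition unconfined_r myshell_t system_r;
domtrans_pattern(sshd_t, myshell_exec_t, myshell_t)
"""
AVC = ('type=AVC msg=audit(1559067681.085:327703): avc: granted { execute } '
       'for pid=17593 comm="sshd" name="myshell" '
       'scontext=system_u:unconfined_r:unconfined_t:s0 '
       'tcontext=system_u:object_r:myshell_exec_t:s0 tclass=file')

# user:role:type prefix of a security context field
CTX = r"context=([^:\s]+):([^:\s]+):([^:\s]+)"

def parse_avc(line):
    """Return role/type of the executing process and type of the executed file."""
    src = re.search("s" + CTX, line)
    tgt = re.search("t" + CTX, line)
    if not (src and tgt):
        raise ValueError("record has no scontext/tcontext pair")
    return {"role": src.group(2), "type": src.group(3), "file_type": tgt.group(3)}

def unmatched_rules(policy, avc):
    """Explain, per rule, why it cannot fire for the exec described by `avc`."""
    findings = []
    # domtrans_pattern(source, entrypoint, target): its type_transition is
    # looked up by (type of the executing process, type of the executed file).
    for src, exe, new in re.findall(
            r"domtrans_pattern\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)", policy):
        if (src, exe) != (avc["type"], avc["file_type"]):
            findings.append(f"domtrans to {new}: rule keys on ({src}, {exe}), "
                            f"exec was ({avc['type']}, {avc['file_type']})")
    # role_transition is looked up by (current role, type of the executed file).
    for role, typ, new in re.findall(
            r"role_transition\s+(\w+)\s+(\w+)\s+(\w+)\s*;", policy):
        if (role, typ) != (avc["role"], avc["file_type"]):
            findings.append(f"role_transition to {new}: rule keys on ({role}, {typ}), "
                            f"exec was ({avc['role']}, {avc['file_type']})")
    return findings

if __name__ == "__main__":
    for finding in unmatched_rules(POLICY, parse_avc(AVC)):
        print(finding)
```

Both rules are reported: the AVC shows the exec coming from unconfined_t rather than sshd_t, and the executed file is labelled myshell_exec_t rather than myshell_t.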
