# selinux user contexts problem

## melts

hi there

Setting up a new dev box as a public-facing gateway, I decided to use SELinux.

I got the system into SELinux permissive mode after a lot of bumping around; I got a little lost in the guides, between the wiki and the manual, and things that just didn't line up.

Now it seems like a broken system, and I've got to the point where I figure it's best to ask what I can do.

The single biggest problem: all users are in the wrong context when they log in, over ssh or locally.

```
melts@caspar ~ $ id -Z
system_u:system_r:sshd_t
melts@caspar ~ $ su
Password:
caspar melts # id -Z
system_u:system_r:sshd_t
```

Locally the type changes to local_login_t, but I'm still in the system role and user, which stops me from doing anything.

Some details below:

```
uname -r
2.6.38-hardened-r6
```

```
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        strict

Process contexts:
Current context:                system_u:system_r:sshd_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:sshd_t

File contexts:
Controlling term:               system_u:object_r:sshd_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/rc                        system_u:object_r:initrc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t
```

```
emerge --info
Portage 2.1.9.42 (selinux/2007.0/amd64/hardened, gcc-4.4.5, libc-0-r0, 2.6.38-hardened-r6 x86_64)
=================================================================
System uname: Linux-2.6.38-hardened-r6-x86_64-Intel-R-_Pentium-R-_D_CPU_2.80GHz-with-gentoo-2.0.2
Timestamp of tree: Tue, 28 Jun 2011 14:45:01 +0000
app-shells/bash:     4.1_p9
dev-lang/python:     2.7.1-r1, 3.1.3-r1
dev-util/pkgconfig:  0.25-r2
sys-apps/baselayout: 2.0.2
sys-apps/openrc:     0.8.2-r1
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.65-r1
sys-devel/automake:  1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.5
sys-devel/gcc-config: 1.4.1-r1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.82
sys-kernel/linux-headers: 2.6.36.1
sys-libs/glibc:      2.12.2
virtual/os-headers:  0
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=core2 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://ftp.swin.edu.au/gentoo ftp://ftp.swin.edu.au/gentoo"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.au.gentoo.org/gentoo-portage"
USE="acl amd64 berkdb cli cracklib crypt cxx dri fortran hardened iconv ipv6 ldap loop-aes modules mudflap ncurses nls openmp pam pam_ssh pcre perl pic pppd python readline selinux session skey ssl tcpd xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="braindump flow karbon kexi kpresenter krita tables words" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, MAKEOPTS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
```

If you have any ideas I'm all ears :)

----------

## melts

OK, so I might have fixed it.

Being stuck with a box I can only access remotely most of the time, I had to try and run emerge from an ssh session somehow, and was reading up on newrole, which let me stumble into runcon.

```
# runcon -u sysadm_u -r sysadm_r -t sysadm_t bash
```

After that I seem to always end up with sysadm_[u,r,t] on logon on my user account, and it's maintained during a su.

Of course, I rebuilt openssh before testing the logins, so I might have fixed it that way...

Anyway, it's interesting to know you can escape system_[u,r] with runcon; I thought I wouldn't be able to move out of a _u like that.

If it breaks once I reboot this system I'll post all about it.

----------
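Added example, not part of either post above: the two things the thread turns on are (1) why a shell ends up in `system_u:system_r:sshd_t` and stays there across `su`, and (2) why `runcon` was able to move it to `sysadm_u:sysadm_r:sysadm_t`. A SELinux-aware login program (sshd built with SELinux support, or pam_selinux) picks the user's context by looking up the login process's own `role:type` in `/etc/selinux/<policy>/contexts/default_contexts` and keeping the first candidate whose role the SELinux user (from `/etc/selinux/<policy>/seusers`) may hold; the shell then inherits that context, and `su` only changes it if a transition rule applies to it. If the login program never asks for a transition, which is what an sshd built without SELinux support does, the shell simply inherits `sshd_t`, matching the symptom in the first post; the openssh rebuild in the second post is the likely fix. The script below is a simplified re-implementation of that lookup (the logic of libselinux's `get_ordered_context_list()`, not a call into it) over constructed sample data; the `default_contexts` text and the user-to-roles table are assumed values resembling a strict policy, and the real files on the box are authoritative.

```python
"""
Simulate the default_contexts lookup a SELinux-aware login program performs,
plus two checks on context strings. Sample data is constructed, not copied
from any real system.
"""

# Constructed sample of /etc/selinux/strict/contexts/default_contexts.
# Format: "<login process role:type>  <candidate role:type> ..." in priority order.
DEFAULT_CONTEXTS = """\
# source                candidates, first usable one wins
system_r:local_login_t  sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
system_r:sshd_t         sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
staff_r:newrole_t       sysadm_r:sysadm_t staff_r:staff_t
"""

# Constructed sample of the SELinux user -> authorised roles mapping
# (what `semanage user -l` or the policy's users file shows). Assumed values.
USER_ROLES = {
    "sysadm_u": ("sysadm_r", "staff_r"),
    "staff_u":  ("staff_r", "sysadm_r"),
    "user_u":   ("user_r",),
    "system_u": ("system_r",),
}

# Domains of the login programs seen in the post; a user shell should never stay in them.
LOGIN_DOMAINS = {"sshd_t", "local_login_t"}


def parse_context(ctx):
    """Split 'user:role:type[:level]' into its fields; reject malformed input."""
    parts = ctx.strip().split(":")
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a SELinux context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": ":".join(parts[3:]) or None}


def parse_default_contexts(text):
    """Parse default_contexts into {source 'role:type': [candidate 'role:type', ...]}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # comments and blank lines are ignored
        if not line:
            continue
        source, *candidates = line.split()
        table[source] = candidates
    return table


def ordered_context_list(seuser, from_context, table=None, roles=None):
    """Candidate login contexts for seuser, in default_contexts order, restricted
    to roles the SELinux user is authorised for. An empty list means the login
    program has nothing to transition to, so the shell would keep from_context."""
    table = parse_default_contexts(DEFAULT_CONTEXTS) if table is None else table
    roles = USER_ROLES if roles is None else roles
    src = parse_context(from_context)
    key = f"{src['role']}:{src['type']}"
    allowed = roles.get(seuser, ())
    return [f"{seuser}:{cand}" for cand in table.get(key, [])
            if cand.split(":", 1)[0] in allowed]


def stuck_in_login_domain(ctx):
    """True when a user's shell still runs in the login daemon's own domain,
    i.e. no transition was requested at login (the symptom in the first post)."""
    c = parse_context(ctx)
    return (c["user"] == "system_u" and c["role"] == "system_r"
            and c["type"] in LOGIN_DOMAINS)


def role_authorised(target_ctx, roles=None):
    """Is the role in a target context one its SELinux user may hold? This is the
    user/role part of the validity check a context must pass before runcon or a
    login transition can succeed; type and entrypoint rules are not modelled here."""
    roles = USER_ROLES if roles is None else roles
    c = parse_context(target_ctx)
    return c["role"] in roles.get(c["user"], ())


if __name__ == "__main__":
    shell = "system_u:system_r:sshd_t"        # what `id -Z` showed in the post
    print("stuck in login domain:", stuck_in_login_domain(shell))
    for u in ("sysadm_u", "user_u", "system_u"):
        print(f"{u} logging in via {shell} ->", ordered_context_list(u, shell))
    print("sysadm_u:sysadm_r:sysadm_t role ok:", role_authorised("sysadm_u:sysadm_r:sysadm_t"))
    print("sysadm_u:user_r:user_t role ok:   ", role_authorised("sysadm_u:user_r:user_t"))
```

On the `runcon` observation in the second post: `runcon` only asks the kernel for a transition on exec, so whether it succeeds depends on the caller's current domain. Here the caller was a shell still in `sshd_t`, the domain the policy must allow to change user and role because sshd does exactly that at login, and the box was permissive, so any denial would have been logged rather than enforced anyway. That is the real cost of the original symptom: every user shell stuck in `sshd_t` carries that daemon's privileges. Once logins land in a user domain (the first candidate the script prints for the user's SELinux identity), a `runcon` from `user_t` into `sysadm_t` should be denied in enforcing mode, and `newrole` with the user's own authorised roles is the supported path; do not switch the box to enforcing until `id -Z` after a fresh ssh login no longer reports `sshd_t`.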

