—– Problem ——–
I have CentOS 7.6 running on my system. I want to invoke a custom shell instead of the standard shell in the /etc/passwd file.
I have SELinux enabled, and for some reason sshd_t domain does not get transitioned to a new custom domain that my custom shell holds.
Something like this:
In /etc/passwd:
root:x:0:0:root:/root:/bin/myshell
SELinux domain transition:
myshell.fc
/bin/myshell gen_context(system_u:object_r:myshell_exec_t,s0)
myshell.te
role unconfined_r types myshell_t;
role_transition unconfined_r myshell_t system_r;
domtrans_pattern(unconfined_t, myshell_exec_t, myshell_t)
The default user is unconfined_u:unconfined_r:unconfined_t.
I also have a role transition from unconfined_r to system_r.
—- Issue ——
For some reason sshd_t does not get transitioned into myshell_t domain.
User is root.
Here is the role change log message:
type=USER_ROLE_CHANGE msg=audit(1559079004.637:339116): pid=24478 uid=0 auid=0 ses=823 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=system_u:unconfined_r:unconfined_t:s0 selected-context=system_u:unconfined_r:unconfined_t:s0 exe="/usr/sbin/sshd" hostname=X.X.X.X addr=X.X.X.X terminal=ssh res=success'
type=AVC msg=audit(1559067681.085:327703): avc: granted { execute } for pid=17593 comm="sshd" name="myshell" scontext=system_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:myshell_exec_t:s0 tclass=file
It does execute the binary, but the transition is not happening. Probably because the role is different, but I do have a role transition — not sure why it is not working, though.
Best Answer
There are two aspects here; I will address the first aspect:
ssh joe@localhost 'id -Z'
Creating new confined users is a bit more involved, but the gist is that login programs like sshd, login, etc. use pam_selinux to determine the context to run a login shell in, and they transition manually, not automatically. The files in /etc/selinux/TYPE/contexts/users/ are used for that, amongst other files in /etc/selinux/TYPE/contexts.
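The manual selection the answer describes, as an added illustration (my own code, not libselinux or pam_selinux): it models how a login program's context is looked up in contexts/users/<seuser> and then default_contexts to pick the shell context. The file layout, the role-authorisation check and all sample data are assumptions or constructed.

```python
"""Simplified model of how pam_selinux chooses a login shell context (assumed
behaviour, not libselinux code): each line of contexts/users/<seuser> and
contexts/default_contexts reads '<login role:type:level> <candidate> ...';
the per-user file is consulted first; a candidate is kept only if its role
is one the SELinux user may hold. All sample data below is constructed."""
from typing import Dict, List, Optional

# Constructed stand-in for /etc/selinux/targeted/contexts/default_contexts
DEFAULT_CONTEXTS = """\
system_r:local_login_t:s0  unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
system_r:sshd_t:s0         unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
"""
# Constructed stand-in for contexts/users/<seuser> (only used for that seuser)
USER_OVERRIDES = {"staff_u": "system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0\n"}
# Constructed role authorisations per SELinux user (what `semanage user -l` shows)
USER_ROLES = {"unconfined_u": {"unconfined_r", "system_r"}, "staff_u": {"staff_r", "sysadm_r"}}


def parse_contexts(text: str) -> Dict[str, List[str]]:
    """Map the login process's 'role:type' to its ordered candidate list."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        key = ":".join(fields[0].split(":")[:2])  # level of the key is ignored
        table.setdefault(key, []).extend(fields[1:])
    return table


def ordered_context_list(seuser: str, login_context: str) -> List[str]:
    """Usable 'seuser:role:type:level' shells for seuser, in file order, no dupes."""
    _user, role, type_, _level = login_context.split(":", 3)  # level may carry a range
    key = f"{role}:{type_}"
    candidates: List[str] = []
    for text in (USER_OVERRIDES.get(seuser, ""), DEFAULT_CONTEXTS):
        for partial in parse_contexts(text).get(key, []):
            full = f"{seuser}:{partial}"
            if partial.split(":")[0] in USER_ROLES.get(seuser, set()) and full not in candidates:
                candidates.append(full)
    return candidates


def default_context(seuser: str, login_context: str) -> Optional[str]:
    """First usable candidate: the value pam_selinux logs as default-context=."""
    lst = ordered_context_list(seuser, login_context)
    return lst[0] if lst else None
```

Nothing in this lookup consults the policy's domtrans rule from the login program's domain, which is why the shell ends up in whatever context these files name for the user rather than in a domain reached by automatic transition.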