I have the following problem:
I installed SElinux, mapped my user as unconfined_r with sudo privileges and allowed SSH connections, but after I set up the enforcing mode can't log in anymore with ssh and private key.
When I try connect with ssh I get:
client_loop: send disconnect: Broken pipe
This is the configuration I did:
echo "myuser_user ALL=(ALL) TYPE=sysadm_t ROLE=system_r /bin/sh " > /etc/sudoers.d/myuser_user
getsebool -a | grep ssh
allow_ssh_keysign --> on
fenced_can_ssh --> off
sftpd_write_ssh_home --> off
ssh_sysadm_login --> on
ssh_use_gpg_agent --> off
Added the full SE Linux config I did, maybe can help for debug...
semanage user -a -r s0-s0:c0.c1023 -R "unconfined_r system_r" ubuntu_user_u
cp /etc/selinux/default/contexts/users/unconfined_u /etc/selinux/default/contexts/users/ubuntu_user_u
semanage login -a -s ubuntu_user_u -rs0:c0.c1023 ubuntu
echo "ubuntu ALL=(ALL) TYPE=system_sudo_t ROLE=system_r /bin/sh " > /etc/sudoers.d/ubuntu
chcon -R -v system_u:object_r:system_sudo_t:s0 /home/ubuntu/.ssh/
here the /var/log/audit.log that is generated when try log with ssh:
type=USER_AVC msg=audit(1606521919.331:151): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/run/systemd/transient/session-8.scope" cmdline="/lib/systemd/systemd-logind" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=0  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_START msg=audit(1606521919.823:152): pid=1163 uid=0 auid=1000 ses=8 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:session_open acct="ubuntu" exe="/usr/sbin/sshd" hostname=15.170.168.139 addr=15.170.168.139 terminal=ssh res=failed'
type=CRED_ACQ msg=audit(1606521919.823:153): pid=1231 uid=0 auid=1000 ses=8 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:setcred acct="ubuntu" exe="/usr/sbin/sshd" hostname=15.170.168.139 addr=15.170.168.139 terminal=ssh res=success'
type=CRED_DISP msg=audit(1606521919.831:154): pid=1163 uid=0 auid=1000 ses=8 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:setcred acct="ubuntu" exe="/usr/sbin/sshd" hostname=15.170.168.139 addr=15.170.168.139 terminal=ssh res=success'
audit2allow -w -a | grep "ssh"
type=USER_AVC msg=audit(1606522579.718:169): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/ssh.service" cmdline="" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=service permissive=1  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1606522579.718:170): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/ssh.service" cmdline="" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=service permissive=1  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1606522673.346:192): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/ssh.service" cmdline="" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=service permissive=0  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1606522687.874:196): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/ssh.service" cmdline="" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=service permissive=1  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1606522687.878:198): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/ssh.service" cmdline="" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=service permissive=1  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1606522853.067:220): avc:  denied  { relabelto } for  pid=1529 comm="chcon" name=".ssh" dev="nvme0n1p1" ino=256082 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:system_sudo_t:s0 tclass=dir permissive=1
type=USER_AVC msg=audit(1606527581.704:277): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/ssh.service" cmdline="" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=service permissive=1  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1606527582.256:278): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/ssh.service" cmdline="" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=service permissive=1  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1606527704.324:293): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/ssh.service" cmdline="" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=service permissive=0  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1606527713.724:297): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/ssh.service" cmdline="" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=service permissive=1  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1606527713.724:298): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/ssh.service" cmdline="" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=service permissive=1  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1606567016.248:483): avc:  denied  { relabelfrom } for  pid=10828 comm="restorecon" name=".ssh" dev="nvme0n1p1" ino=256082 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:system_sudo_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1606567026.156:487): avc:  denied  { relabelfrom } for  pid=10830 comm="restorecon" name=".ssh" dev="nvme0n1p1" ino=256082 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:system_sudo_t:s0 tclass=dir permissive=1
audit2allow -w -a | grep "auth"
type=AVC msg=audit(1606522853.063:219): avc:  denied  { associate } for  pid=1529 comm="chcon" name="authorized_keys" dev="nvme0n1p1" ino=256083 scontext=system_u:object_r:system_sudo_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1606522853.063:219): avc:  denied  { relabelto } for  pid=1529 comm="chcon" name="authorized_keys" dev="nvme0n1p1" ino=256083 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:system_sudo_t:s0 tclass=file permissive=1
type=AVC msg=audit(1606567016.248:484): avc:  denied  { relabelfrom } for  pid=10828 comm="restorecon" name="authorized_keys" dev="nvme0n1p1" ino=256083 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:system_sudo_t:s0 tclass=file permissive=0
type=AVC msg=audit(1606567026.156:488): avc:  denied  { relabelfrom } for  pid=10830 comm="restorecon" name="authorized_keys" dev="nvme0n1p1" ino=256083 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:system_sudo_t:s0 tclass=file permissive=1
Anyone can help?
/var/log/audit/audit.log?audit2allow(in the 2nd answer) might possibly provide some clues.systemdruns askernel_t. Also, why is.sshlabeledsystem_sudo_t, when it doesn't have anything to do withsudo?