On Tue, 13 Apr 2004 11:03, Tom Mitchell <mitch48@xxxxxxxxxxxxx> wrote:
> I just killed a remote terminal window and noted this message triple in the
> log/messages:
>
> sshd(pam_unix)[30912]: session opened for user root by (uid=0)
>
> sshd[30912]: Warning! Could not relabel with
> system_u:object_r:sshd_devpts_t, not relabeling.

What version of pam do you have installed? It should not even be trying to relabel a pty back to its original type.

The idea is that if someone exploits a copy of sshd we want to make it as difficult as possible to trick it into granting access to another user's session. Allowing sshd to label terminals back from userpty_type makes things easier for an attacker.

> If this is what I think it is sshd will slowly run out of available ptys.

I've noticed that 2.6 kernels don't seem to reuse pty numbers until they reach some large number. I don't think that there's any problem of running out of available ptys, it seems to handle things the same way in permissive and enforcing modes.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page