On Mon, 2004-08-30 at 13:24, t l wrote:
> After augmenting ssh.te with
> can_exec(sshd_t, sshd_exec_t)
> as suggested by Stephen S., inbound
> ssh to strict/enforcing system still fails.
>
> Here are avc's (running permissive):
>
> Aug 30 09:49:44 fedora kernel: audit(1093884584.213:0): avc: denied { ioctl } for pid=4998 exe=/bin/su path=/dev/pts/4 dev=devpts ino=6 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:sshd_devpts_t tclass=chr_file
> Aug 30 09:49:46 fedora kernel: audit(1093884586.516:0): avc: denied { getattr } for pid=4998 exe=/bin/su name=4 dev=devpts ino=6 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:sshd_devpts_t tclass=chr_file
> Aug 30 09:49:46 fedora kernel: audit(1093884586.542:0): avc: denied { read write } for pid=5013 exe=/bin/hostname name=4 dev=devpts ino=6 scontext=root:sysadm_r:hostname_t tcontext=root:object_r:sshd_devpts_t tclass=chr_file
>
> audit2allow says:
> allow hostname_t sshd_devpts_t:chr_file { read write };
> allow user_su_t sshd_devpts_t:chr_file { getattr ioctl };
That isn't a policy issue; it is a bug in the SELinux patch for openssh
3.9p1, already bugzilla'd.
--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
