Hi Dan,

Thanks for your response. We attempted to set ssh_sysadm_login to 1 in the booleans file for our strict policy. We also did a setsebool -P to turn on ssh_sysadm_login. We also modified the security context of the root user to root:sysadm_r:sysadm_t.

We see a couple of issues now:

1. The value for ssh_sysadm_login is not persistent across reboots.
2. Even when ssh_sysadm_login is turned on we cannot log in as the root user.

The sealert message seems to indicate the following. What else do we need to do to get it working?

[root@vos-cm98 ~]# sealert -l e7c8894d-a508-430a-a594-da2a693e585f

Summary:

SELinux is preventing sshd (sshd_t) "execute" to /lib/libdl-2.5.so (lib_t).

Detailed Description:

SELinux denied access requested by sshd. It is not expected that this access is
required by sshd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /lib/libdl-2.5.so,

restorecon -v '/lib/libdl-2.5.so'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:sshd_t:s0
Target Context                system_u:object_r:lib_t:s0
Target Objects                /lib/libdl-2.5.so [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          vos-cm98.cisco.com
Source RPM Packages           openssh-server-4.3p2-36.el5
Target RPM Packages           glibc-2.5-42
Policy RPM                    selinux-policy-2.4.6-255.el5
Selinux Enabled               True
Policy Type                   strict
MLS Enabled                   False
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     vos-cm98.cisco.com
Platform                      Linux vos-cm98.cisco.com 2.6.18-160.el5PAE #1 SMP Mon Jul 27 17:45:11 EDT 2009 i686 i686
Alert Count                   3
First Seen                    Tue Sep 15 16:02:26 2009
Last Seen                     Tue Sep 15 17:51:19 2009
Local ID                      e7c8894d-a508-430a-a594-da2a693e585f
Line Numbers

Raw Audit Messages

host=vos-cm98.cisco.com type=AVC msg=audit(1253062279.960:406): avc: denied { execute } for pid=4261 comm="sshd" path="/lib/libdl-2.5.so" dev=dm-0 ino=51413920 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:lib_t tclass=file

host=vos-cm98.cisco.com type=SYSCALL msg=audit(1253062279.960:406): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=3078 a2=5 a3=802 items=0 ppid=3119 pid=4261 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t key=(null)

Thanks
Anamitra

-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
Sent: Friday, September 11, 2009 1:49 PM
To: Anamitra Dutta Majumdar (anmajumd)
Subject: Re: Unconfining root user in strict policy mode

On 09/11/2009 04:34 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>
> We need a way to unconfine the root user with the strict policy being
> loaded in RHEL5.4. Currently with the strict policy the security
> context for root user is root:staff_r:staff_t.
> Is there a way to do so.
>
>
> Thanks
> Anamitra & Radha
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

There is no unconfined_t for strict policy, but you can set the root account to login as sysadm_t, which is very close.

You have to turn on ssh_sysadm_login if you want to login via ssh as sysadm_t.

And I think removing staff_r from the root account will set it up to login as sysadm_r, something like

# semanage user -m -R"sysadm_r system_r" root
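Added example, not code from this thread or from the SELinux tools: a small Python triage parser for the two raw audit records quoted in the sealert output above. It correlates the AVC and SYSCALL records by audit serial, decodes the errno and the i386 syscall number (the errno and syscall tables are assumptions that cover only the values in this message; arch 40000003 is taken to be AUDIT_ARCH_I386), and emits both the restorecon check sealert asks for first and the audit2allow-style rule that would be needed if relabeling does not help.

```python
import re

# Constructed from the two raw audit records quoted in the sealert output above.
RAW_AUDIT = """host=vos-cm98.cisco.com type=AVC msg=audit(1253062279.960:406): avc: denied { execute } for pid=4261 comm="sshd" path="/lib/libdl-2.5.so" dev=dm-0 ino=51413920 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:lib_t tclass=file
host=vos-cm98.cisco.com type=SYSCALL msg=audit(1253062279.960:406): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=3078 a2=5 a3=802 items=0 ppid=3119 pid=4261 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t key=(null)"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')       # key=value, key="v", key=(v)
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')      # timestamp and serial
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')  # denied permissions

# Assumption: only the values present in this message; arch 40000003 is AUDIT_ARCH_I386.
I386_SYSCALLS = {192: "mmap2"}
ERRNO = {-13: "EACCES"}

def parse_record(line):
    """Split one audit record into a dict; AVC records also get a 'perms' list."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ts, serial = MSG_RE.search(line).groups()
    rec.update(ts=ts, serial=int(serial))
    m = AVC_RE.search(line)
    if m:
        rec["perms"] = m.group(1).split()
    return rec

def correlate(raw):
    """Group records by audit serial so an AVC can be read with its SYSCALL."""
    events = {}
    for line in raw.splitlines():
        rec = parse_record(line)
        events.setdefault(rec["serial"], {})[rec["type"]] = rec
    return events

def summarize(event):
    """Triage one correlated event: what was denied, by which syscall, what to try first."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    src_type = avc["scontext"].split(":")[2]
    tgt_type = avc["tcontext"].split(":")[2]
    syscall = sc.get("syscall")
    if sc.get("arch") == "40000003" and syscall is not None:
        syscall = I386_SYSCALLS.get(int(syscall), syscall)
    return {
        # audit2allow-style rule for the denial; only needed if relabeling does not fix it
        "rule": f"allow {src_type} {tgt_type}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};",
        "exe": sc.get("exe"),
        "syscall": syscall,
        "errno": ERRNO.get(int(sc["exit"]), sc["exit"]) if "exit" in sc else None,
        # sealert's first suggestion: verify the file label before writing any policy
        "restorecon": f"restorecon -v '{avc['path']}'" if "path" in avc else None,
    }

if __name__ == "__main__":
    for serial, event in correlate(RAW_AUDIT).items():
        print(serial, summarize(event))
```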