On 09/15/2009 08:58 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>
> Hi Dan,
>
> Thanks for your response.
>
> We attempted to set ssh_sysadm_login to 1 in the booleans file for our
> strict policy. We also did a setsebool -P to turn on ssh_sysadm_login.
> We also modified the security context of the root user to
> root:sysadm_r:sysadm_t. We see a couple of issues now:
>
> 1. The value for ssh_sysadm_login is not persistent across reboots.

setsebool -P should persist.

From the looks of it, you never relabeled when you switched to the strict policy.

touch /.autorelabel
reboot

Make sure you boot in permissive mode (kernel option "enforcing=0").

> 2. Even when ssh_sysadm_login is turned on we cannot log in as the root
> user.
>
> The sealert messages seem to indicate the following. What else do we
> need to do to get it working?
>
> [root@vos-cm98 ~]# sealert -l e7c8894d-a508-430a-a594-da2a693e585f
>
> Summary:
>
> SELinux is preventing sshd (sshd_t) "execute" to /lib/libdl-2.5.so
> (lib_t).
>
> Detailed Description:
>
> SELinux denied access requested by sshd. It is not expected that this
> access is required by sshd and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for /lib/libdl-2.5.so,
>
> restorecon -v '/lib/libdl-2.5.so'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context       system_u:system_r:sshd_t:s0
> Target Context       system_u:object_r:lib_t:s0
> Target Objects       /lib/libdl-2.5.so [ file ]
> Source               sshd
> Source Path          /usr/sbin/sshd
> Port                 <Unknown>
> Host                 vos-cm98.cisco.com
> Source RPM Packages  openssh-server-4.3p2-36.el5
> Target RPM Packages  glibc-2.5-42
> Policy RPM           selinux-policy-2.4.6-255.el5
> Selinux Enabled      True
> Policy Type          strict
> MLS Enabled          False
> Enforcing Mode       Enforcing
> Plugin Name          catchall_file
> Host Name            vos-cm98.cisco.com
> Platform             Linux vos-cm98.cisco.com 2.6.18-160.el5PAE #1 SMP
>                      Mon Jul 27 17:45:11 EDT 2009 i686 i686
> Alert Count          3
> First Seen           Tue Sep 15 16:02:26 2009
> Last Seen            Tue Sep 15 17:51:19 2009
> Local ID             e7c8894d-a508-430a-a594-da2a693e585f
> Line Numbers
>
> Raw Audit Messages
>
> host=vos-cm98.cisco.com type=AVC msg=audit(1253062279.960:406): avc:
> denied { execute } for pid=4261 comm="sshd" path="/lib/libdl-2.5.so"
> dev=dm-0 ino=51413920 scontext=system_u:system_r:sshd_t
> tcontext=system_u:object_r:lib_t tclass=file
>
> host=vos-cm98.cisco.com type=SYSCALL msg=audit(1253062279.960:406):
> arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=3078 a2=5 a3=802
> items=0 ppid=3119 pid=4261 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd"
> exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t key=(null)
>
>
> Thanks
> Anamitra
>
>
> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
> Sent: Friday, September 11, 2009 1:49 PM
> To: Anamitra Dutta Majumdar (anmajumd)
> Subject: Re: Unconfining root user in strict policy mode
>
> On 09/11/2009 04:34 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>
>> We need a way to unconfine the root user with the strict policy being
>> loaded in RHEL5.4. Currently with the strict policy the security
>> context for the root user is root:staff_r:staff_t.
>> Is there a way to do so?
>>
>>
>> Thanks
>> Anamitra & Radha
>>
>>
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
> There is no unconfined_t for Strict policy but you can set the root
> account to log in as sysadm_t, which is very close.
>
> You have to turn on ssh_sysadm_login if you want to log in via ssh as
> sysadm_t.
>
> And I think removing staff_r from the root account will set it up to log in as
> sysadm_r
>
> something like
>
> # semanage user -m -R"sysadm_r system_r" root

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
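The advice in the thread is to treat a denial like the one sealert printed as a labeling problem first (relabel, then re-check) before writing any policy module. The following POSIX shell helper is an added example written for this page, not code from the thread or from the SELinux tools: it pulls the fields out of a raw AVC record with nothing but parameter expansion, summarises the denial as "source type, permission, target type, class, path", and reports whether the target's type differs from the type the policy expects for that path. The sample record is constructed, modeled on the one quoted above; the expected type is passed in by the caller (on a real system it is the type field of `matchpathcon <path>`), since this example must also run where no SELinux tools are installed.

```shell
#!/bin/sh
# Added example, not code from the thread: parse a raw AVC denial line (as
# printed under "Raw Audit Messages" by sealert) with plain POSIX shell, and
# compare the denied object's type with the type expected for that path.

# Constructed sample, modeled on the AVC record quoted in the thread.
SAMPLE_AVC='host=vos-cm98.cisco.com type=AVC msg=audit(1253062279.960:406): avc: denied { execute } for pid=4261 comm="sshd" path="/lib/libdl-2.5.so" dev=dm-0 ino=51413920 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:lib_t tclass=file'

# avc_field LINE KEY: print the value of KEY=value (surrounding quotes removed).
# Returns 1 when KEY is absent. Runs in a subshell with globbing disabled so
# the unquoted word split of LINE cannot expand wildcards.
avc_field() (
    set -f
    for tok in $1; do
        case $tok in
            "$2"=*)
                val=${tok#*=}
                val=${val#\"}
                val=${val%\"}
                printf '%s\n' "$val"
                exit 0
                ;;
        esac
    done
    exit 1
)

# avc_perms LINE: print the permission list between "denied {" and "}".
avc_perms() {
    lb='{' rb='}'
    p=${1#*denied $lb }
    p=${p%% $rb*}
    printf '%s\n' "$p"
}

# ctx_type CONTEXT: print the type field of user:role:type[:range].
ctx_type() {
    t=${1#*:}
    t=${t#*:}
    printf '%s\n' "${t%%:*}"
}

# avc_summary LINE: "<source type> <perms> <target type> <class> <path>"
avc_summary() {
    printf '%s %s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" path)"
}

# label_mismatch EXPECTED_TYPE LINE: succeed (exit 0) when the denied object's
# type differs from EXPECTED_TYPE. That is the case where restorecon or a full
# /.autorelabel is the fix; when the types match, the denial comes from a
# missing policy rule instead. EXPECTED_TYPE is supplied by the caller; on a
# live system take it from the type field of: matchpathcon "<path>"
label_mismatch() {
    [ "$(ctx_type "$(avc_field "$2" tcontext)")" != "$1" ]
}

# Stand-alone run: summarise the sample and report the label check.
avc_summary "$SAMPLE_AVC"
if label_mismatch lib_t "$SAMPLE_AVC"; then
    echo "target label differs from the expected type: relabel first (restorecon / touch /.autorelabel)"
else
    echo "target label is the expected type: this denial is a policy rule, not a stale label"
fi
```

Run it as `sh avc_check.sh`; to use it on a live machine, feed the `type=AVC` line from `ausearch -m avc` or `/var/log/audit/audit.log` to `avc_summary` and `label_mismatch`. Doing the label check before `audit2allow` matters because a module generated from a denial on a mislabeled file bakes the wrong label into policy and hides the relabel that was actually needed.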