On Wed, Dec 02, 2009 at 09:33:02PM -0800, David Highley wrote:
> I'm trying to get sshdfilter, a Perl wrapper around sshd, to work in
> Fedora 12. The script needs to be able to call iptables to drop in new
> rejection rules for detected hacking connections. I used "semanage fcontext
> -a -t sshd_exec_t" which gave it the same context as sshd. I have not
> been able to change the unconfined_u to system_u:

The _u part in a context is not important. It just shows which SELinux user created the subject or object.

> ls -Z /usr/sbin/sshdfilter
> unconfined_u:object_r:sshd_exec_t:s0
>
> I was getting avc errors so I created an allow policy:
>
> module mysshdfilter 1.0;
>
> require {
>     type iptables_exec_t;
>     type iptables_t;
>     type sshd_t;
>     class file execute;
>     class fifo_file read;
> }
>
> #============= iptables_t ==============
> allow iptables_t self:fifo_file read;
>
> #============= sshd_t ==============
> allow sshd_t iptables_exec_t:file execute;
>
>
> Now I'm getting:
>
> time->Wed Dec 2 21:07:04 2009
> type=USER_ROLE_CHANGE msg=audit(1259816824.474:201): user pid=3664 uid=0
> auid=0 ses=12 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=?: exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=failed'

Looks to me like sshdfilter is not SELinux aware, or there is an error in the sshdfilter/pam configuration. pam_selinux failed.

>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
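As an added example (not from this thread or from sshdfilter), a small Python parser for audit records like the USER_ROLE_CHANGE line quoted above: it flattens the outer fields and the pam fields inside msg='...' and picks out the records where pam_selinux reported res=failed, so the source type, default context and selected context can be read straight out of the log. The first sample record is the one from the thread; the second is constructed to show a successful context selection.

```python
import re
from typing import Dict, List

# Sample audit records: line 1 is the record quoted in the thread,
# line 2 is a constructed successful USER_ROLE_CHANGE for contrast.
SAMPLE_AUDIT = """\
type=USER_ROLE_CHANGE msg=audit(1259816824.474:201): user pid=3664 uid=0 auid=0 ses=12 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=?: exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=failed'
type=USER_ROLE_CHANGE msg=audit(1259816900.101:202): user pid=3700 uid=0 auid=500 ses=13 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023: exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
"""

# key=value where the value is single-quoted, double-quoted, or a bare token
KV_RE = re.compile(r"([\w-]+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_record(line: str) -> Dict[str, str]:
    """Flatten one audit line (outer fields plus the pam fields in msg='...')."""
    fields: Dict[str, str] = {}
    tail = re.search(r"msg='(.*)'\s*$", line)
    inner = tail.group(1) if tail else ""
    outer = line[: tail.start()] if tail else line
    stamp = re.search(r"msg=audit\((\d+\.\d+):(\d+)\):", outer)
    if stamp:
        fields["timestamp"], fields["serial"] = stamp.group(1), stamp.group(2)
        outer = outer[: stamp.start()] + outer[stamp.end():]
    for part in (outer, inner):
        for key, val in KV_RE.findall(part):
            # strip quotes and the ':' that follows a context inside the pam msg
            fields[key] = val.strip('"').rstrip(":")
    return fields


def subject_type(ctx: str) -> str:
    """Return the type component (user:role:TYPE:range) of an SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ""


def failed_role_changes(audit_text: str) -> List[Dict[str, str]]:
    """Return USER_ROLE_CHANGE records in which pam_selinux failed to select a context."""
    hits: List[Dict[str, str]] = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("type") != "USER_ROLE_CHANGE" or rec.get("res") != "failed":
            continue
        hits.append({
            "serial": rec.get("serial", ""),
            "pid": rec.get("pid", ""),
            "exe": rec.get("exe", ""),
            "source_type": subject_type(rec.get("subj", "")),
            "default_type": subject_type(rec.get("default-context", "")),
            "selected_context": rec.get("selected-context", ""),
        })
    return hits
```

Run `failed_role_changes(SAMPLE_AUDIT)` to get the single failed record, showing sshd_t as the source type and "?" as the selected context.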