On Mon, Jan 04, 2010 at 04:42:48 -0500, Stephen Smalley wrote:
> > I have a problem trying to run sshd via xinetd on a CentOS 5.4 system
> > (I want to slap a tcpwrappers-style wrapper before sshd, so I need it
> > that way).
>
> In what label/context are xinetd and sshd running (ps -eZ)?
> What are the file security contexts on their executables (ls -Z)?

In the meantime I managed to get stuff running by adding a module like
the one below. xinetd is running as
system_u:system_r:inetd_t:SystemLow-SystemHigh and the sshd binary is
labelled system_u:object_r:sshd_exec_t, so I did not need any relabelling;
I just needed the domain transition to switch sshd to unconfined_t. It
stayed as inetd_t or went to inetd_child_t before; I can't remember right
now and I'm not too willing to hack at it again due to kernel bugs (on a
system broken in the right way the kernel panics in
do_sys_open -> (..) -> chrdev_open -> ptmx_open -> init_dev; probably a
missing IS_ERR somewhere).

I'd have expected the run_ssh_inetd tunable to do this but apparently it
does nothing at all in the targeted policy (as of CentOS 5.4).

So, for future reference, here's the module I needed:

--------------------- cut --------------------
module inetdssh 1.0.0;

require {
	type inetd_t;
	type unconfined_t;
	type sshd_exec_t;
	class process { transition };
}

#============= inetd_t ==============
# Let inetd_t change domain to unconfined_t, and make that the default
# transition when inetd_t executes a file labelled sshd_exec_t (sshd).
allow inetd_t unconfined_t:process transition;
type_transition inetd_t sshd_exec_t : process unconfined_t;

#============= unconfined_t ==============
allow unconfined_t self:process transition;
--------------------- cut --------------------

Best regards,
 Grzegorz Nosek

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
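As an added example (not part of the original post), the following script turns the module above into something you can build, load and check: it writes the .te as posted, compiles it with the standard checkmodule / semodule_package / semodule toolchain, and then reads `ps -eZ` output to report which domain xinetd and the spawned sshd actually ended up in, which is the check Stephen asked for in the quoted reply. The work directory is an assumption, and the two `ps -eZ` samples are constructed here to show the "before" (sshd stuck in inetd_t) and "after" (unconfined_t) states the post describes; note, as the post itself says, that this transition leaves sshd unconfined rather than in sshd_t.

```shell
#!/bin/sh
# Added example: build/load the inetdssh module and verify the resulting
# domains. Tool invocations are the standard SELinux policy toolchain; the
# work directory below is an assumption.
set -e

WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/inetdssh}"

# Write the policy source exactly as posted and print its path.
write_te() {
    mkdir -p "$WORKDIR"
    cat > "$WORKDIR/inetdssh.te" <<'EOF'
module inetdssh 1.0.0;

require {
	type inetd_t;
	type unconfined_t;
	type sshd_exec_t;
	class process { transition };
}

allow inetd_t unconfined_t:process transition;
type_transition inetd_t sshd_exec_t : process unconfined_t;
allow unconfined_t self:process transition;
EOF
    printf '%s\n' "$WORKDIR/inetdssh.te"
}

# .te -> .mod -> .pp -> installed. Needs root plus the checkpolicy and
# policycoreutils packages; returns 2 when the toolchain is absent so the
# checking half of the script remains usable on any box.
build_and_load() {
    te="$1"
    mod="${te%.te}.mod"
    pp="${te%.te}.pp"
    command -v checkmodule >/dev/null 2>&1 || return 2
    checkmodule -M -m -o "$mod" "$te" &&
    semodule_package -o "$pp" -m "$mod" &&
    semodule -i "$pp"
}

# Read `ps -eZ` output on stdin and print the SELinux *type* of the first
# process whose command name is $1. The context is the first column
# (user:role:type[:range]); the type is its third colon-separated field.
domain_of() {
    awk -v cmd="$1" '$NF == cmd { split($1, c, ":"); print c[3]; exit }'
}

# Constructed samples (not real captures) of `ps -eZ` on the broken and
# fixed system, as the post describes them.
PS_BEFORE='LABEL                                           PID TTY          TIME CMD
system_u:system_r:inetd_t:SystemLow-SystemHigh  1234 ?        00:00:00 xinetd
system_u:system_r:inetd_t:SystemLow-SystemHigh  1240 ?        00:00:00 sshd'

PS_AFTER='LABEL                                           PID TTY          TIME CMD
system_u:system_r:inetd_t:SystemLow-SystemHigh  1234 ?        00:00:00 xinetd
system_u:system_r:unconfined_t:SystemLow-SystemHigh 1240 ?    00:00:00 sshd'

main() {
    te=$(write_te)
    if build_and_load "$te"; then
        echo "module loaded; xinetd runs as $(ps -eZ | domain_of xinetd)," \
             "sshd runs as $(ps -eZ | domain_of sshd)"
    else
        echo "policy toolchain not available or not root; wrote $te only"
    fi
}

main "$@"
```

Run it as root on the target host; on a box without checkmodule it only writes the .te, and `printf '%s\n' "$PS_BEFORE" | domain_of sshd` lets you exercise the check against the sample output.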