On 28/09/10 15:08, Daniel J Walsh wrote:
>>>>>> What's wrong on my system?
>>>>>> Why is it not possible to log in even if selinux is in permissive mode?
>>>>>> Any suggestions?
>>>>>
>>>>> I'd start by trying to figure out why sshd isn't running in sshd_t (it
>>>>> seems to be running in sysadm_t).
>>>>>
>>>>> Paul.
>>>>>
>>>>
>>>> Yes, sshd is running in sysadm_t:
>>>>
>>>> # ps axZ | grep sshd
>>>> system_u:system_r:sysadm_t 3632 ? Ss 0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi
>>>>
>>>> # ls -Z /usr/sbin/sshd
>>>> system_u:object_r:sshd_exec_t /usr/sbin/sshd
>>>>
>>>> Don't know why it's not sshd_t. I didn't modify anything. It's a
>>>> standard installation of sles11 with the default reference policy from
>>>> tresys.
>>>>
>>>> Maybe this code snippet from policy/modules/services/ssh.te is
>>>> responsible for that:
>>>>
>>>> ## <desc>
>>>> ## <p>
>>>> ## Allow ssh logins as sysadm_r:sysadm_t
>>>> ## </p>
>>>> ## </desc>
>>>> gen_tunable(ssh_sysadm_login, true)
>>>>
>>>> Any ideas?
>>>
>>> Do you have the boolean init_upstart set to on? If not, try setting it to on.
>>> I do not believe the ssh_sysadm_login boolean works currently, but I may be
>>> mistaken.
>>
>> Yeah, setting init_upstart to on did the trick! THANKS A LOT!
>> Do you know why this prevents the user from logging in through ssh even if
>> selinux is set to permissive?
>>
> Probably a bug in pam_selinux, or in sshd if it does not use pam_selinux.
> Something is not respecting the permissive mode flag. Of course you are
> asking about sles on the Fedora mailing list.. :^)

You'd see the same problem in Fedora if sshd wasn't running in sshd_t. The SSH server tries to compute the correct context for the session, fails, and bails out even in permissive mode. I saw this happen in the curl test suite, where we start an SSH server and try connecting to it.

Paul.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
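The diagnosis in the thread (sshd running in sysadm_t instead of sshd_t) can be turned into a quick health check. The script below is an added example, not code from the thread or from the reference policy: it parses text in the format of `ps axZ` output and reports any sshd process whose SELinux type is not sshd_t. The sample process listings are constructed; `check_sshd_domain` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the thread: given `ps axZ`-style output, report every
# sshd process that does not run in the sshd_t domain. Exit status 0 means all
# sshd processes are in sshd_t; 1 means at least one runs elsewhere (e.g. the
# sysadm_t case in the thread, where init had not transitioned it because the
# init_upstart boolean was off) or no sshd process was found at all.
check_sshd_domain() {
    # $1: ps axZ output. Columns: LABEL PID TTY STAT TIME COMMAND [ARGS...]
    printf '%s\n' "$1" | awk '
        $6 ~ /(^|\/)sshd$/ {                 # only sshd processes, by command path
            split($1, ctx, ":")              # label is user:role:type[:level]
            if (ctx[3] != "sshd_t") {
                printf "pid %s runs in %s, expected sshd_t\n", $2, ctx[3]
                bad++
            }
            seen++
        }
        END {
            if (seen == 0) { print "no sshd process found"; exit 1 }
            if (bad > 0) exit 1
            exit 0
        }'
}

# Constructed sample listings: the first reproduces the broken state from the
# thread, the second is a healthy host.
BAD_PS='system_u:system_r:sysadm_t 3632 ? Ss 0:00 /usr/sbin/sshd
system_u:system_r:init_t 1 ? Ss 0:01 /sbin/init'
GOOD_PS='system_u:system_r:sshd_t:s0-s0:c0.c1023 3632 ? Ss 0:00 /usr/sbin/sshd
system_u:system_r:init_t:s0 1 ? Ss 0:01 /sbin/init'

# On a live SELinux host, feed the real listing instead:
#   check_sshd_domain "$(ps axZ)"
```

If the check fails, the next things to look at are the label on the binary (`ls -Z /usr/sbin/sshd` should show sshd_exec_t, as in the thread) and the init-related booleans, since the transition into sshd_t happens when init executes the labelled binary.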