> On 28/09/10 15:08, Daniel J Walsh wrote:
>>>>>>> What's wrong on my system?
>>>>>>> Why is it not possible to log in even if selinux is in permissive
>>>>>>> mode?
>>>>>>> Any suggestions?
>>>>>>
>>>>>> I'd start by trying to figure out why sshd isn't running in sshd_t
>>>>>> (it seems to be running in sysadm_t).
>>>>>>
>>>>>> Paul.
>>>>>>
>>>>>
>>>>> Yes, sshd is running in sysadm_t:
>>>>>
>>>>> # ps axZ | grep sshd
>>>>> system_u:system_r:sysadm_t 3632 ? Ss 0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi
>>>>>
>>>>> # ls -Z /usr/sbin/sshd
>>>>> system_u:object_r:sshd_exec_t /usr/sbin/sshd
>>>>>
>>>>> Don't know why it's not sshd_t. I didn't modify anything. It's a
>>>>> standard installation of sles11 with the default reference policy
>>>>> from tresys.
>>>>>
>>>>> Maybe this code snippet from policy/modules/services/ssh.te is
>>>>> responsible for that:
>>>>> ##<desc>
>>>>> ##<p>
>>>>> ## Allow ssh logins as sysadm_r:sysadm_t
>>>>> ##</p>
>>>>> ##</desc>
>>>>> gen_tunable(ssh_sysadm_login, true)
>>>>>
>>>>> Any ideas?
>>>>
>>>> Do you have boolean init_upstart set to on? If not, try setting it to
>>>> on.
>>>> I do not believe ssh_sysadm_login boolean works currently but I may be
>>>> mistaken.
>>>
>>> Yeah, setting init_upstart to on did the trick! THANKS A LOT!
>>> Do you know why this prevents the user from logging in through ssh even
>>> if selinux is set to permissive?
>>>
>> Probably a bug in pam_selinux or sshd if it does not use pam_selinux.
>> Something is not respecting the permissive mode flag. Of course you are
>> asking about sles on the Fedora mailing list.. :^)
>
> You'd see the same problem in Fedora if sshd wasn't running in sshd_t.
> The SSH server tries to compute the correct context for the session,
> fails, and bails out even in permissive mode. I saw this happen in the
> curl test suite, where we start an SSH server and try connecting to it.
>
> Paul.
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

After setting init_upstart = on sshd runs in sshd_t. Do you know why?
Can't sshd do a domain transition if init_upstart is disabled?
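
The check that exposed the problem in this thread (the sshd process domain in `ps axZ` versus the expected `sshd_t`), written as an added example that is not part of any poster's message. The path-to-domain map, the function name `check_domains` and the second sample line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Flag daemons that run outside their expected SELinux domain.
# Input lines use the `ps axZ` layout quoted in the thread:
#   LABEL PID TTY STAT TIME COMMAND [ARGS...]

# check_domains "path=type path=type ..." < ps_output
# Prints one MISMATCH line per offending process; returns 1 if any was found.
check_domains() {
    awk -v map="$1" '
    BEGIN {
        # Build command-path -> expected-domain table (assumed mapping).
        n = split(map, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            expected[kv[1]] = kv[2]
        }
    }
    {
        # Label is user:role:type, optionally followed by an MLS range.
        split($1, ctx, ":")
        domain = ctx[3]
        cmd = $6
        if ((cmd in expected) && domain != expected[cmd]) {
            printf "MISMATCH pid=%s cmd=%s domain=%s expected=%s\n", \
                   $2, cmd, domain, expected[cmd]
            bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }
    '
}

# Assumed mapping for this example: sshd should run in sshd_t.
EXPECTED='/usr/sbin/sshd=sshd_t'

# Line as quoted in the thread (before init_upstart was turned on).
SAMPLE_BEFORE='system_u:system_r:sysadm_t 3632 ? Ss 0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi'
# Constructed line for the state reported after the boolean was set.
SAMPLE_AFTER='system_u:system_r:sshd_t 3632 ? Ss 0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi'

# Demo over both samples; only the first one is reported.
printf '%s\n' "$SAMPLE_BEFORE" "$SAMPLE_AFTER" | check_domains "$EXPECTED" || true
```

On a live host, pipe the output of `ps axZ` into `check_domains` in place of the sample lines.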