On 28/09/10 16:10, imsand@xxxxxxxxx wrote:
>> On 28/09/10 15:08, Daniel J Walsh wrote:
>>>>>>>> What's wrong on my system?
>>>>>>>> Why isn't it possible to log in even if SELinux is in permissive
>>>>>>>> mode?
>>>>>>>> Any suggestions?
>>>>>>>
>>>>>>> I'd start by trying to figure out why sshd isn't running in sshd_t (it
>>>>>>> seems to be running in sysadm_t).
>>>>>>>
>>>>>>> Paul.
>>>>>>>
>>>>>>
>>>>>> Yes, sshd is running in sysadm_t:
>>>>>>
>>>>>> # ps axZ | grep sshd
>>>>>> system_u:system_r:sysadm_t 3632 ? Ss 0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi
>>>>>>
>>>>>> # ls -Z /usr/sbin/sshd
>>>>>> system_u:object_r:sshd_exec_t /usr/sbin/sshd
>>>>>>
>>>>>> Don't know why it's not sshd_t. I didn't modify anything. It's a
>>>>>> standard installation of SLES 11 with the default reference policy from
>>>>>> Tresys.
>>>>>>
>>>>>> Maybe this code snippet from policy/modules/services/ssh.te is
>>>>>> responsible for that:
>>>>>> ## <desc>
>>>>>> ## <p>
>>>>>> ## Allow ssh logins as sysadm_r:sysadm_t
>>>>>> ## </p>
>>>>>> ## </desc>
>>>>>> gen_tunable(ssh_sysadm_login, true)
>>>>>>
>>>>>> Any ideas?
>>>>>
>>>>> Do you have the boolean init_upstart set to on? If not, try setting it
>>>>> to on. I do not believe the ssh_sysadm_login boolean works currently,
>>>>> but I may be mistaken.
>>>>
>>>> Yeah, setting init_upstart to on did the trick! THANKS A LOT!
>>>> Do you know why this prevents the user from logging in through ssh even
>>>> if SELinux is set to permissive??
>>>>
>>> Probably a bug in pam_selinux, or in sshd if it does not use pam_selinux.
>>> Something is not respecting the permissive mode flag. Of course you are
>>> asking about SLES on the Fedora mailing list.. :^)
>>
>> You'd see the same problem in Fedora if sshd wasn't running in sshd_t.
>> The SSH server tries to compute the correct context for the session,
>> fails, and bails out even in permissive mode. I saw this happen in the
>> curl test suite, where we start an SSH server and try connecting to it.
>>
>> Paul.
>>
> After setting init_upstart = on, sshd runs in sshd_t.
> Do you know why? Can't sshd do a domain transition if init_upstart is
> disabled?

There's more on this here: https://bugzilla.novell.com/show_bug.cgi?id=582399

Paul.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
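The triage the thread walks through by hand (check which domain the sshd process is in, check the label on the binary, then decide whether the binary is mislabelled or the parent simply never transitioned) can be scripted. The following is an added example, not code from the thread or from the reference policy; the function names are hypothetical, and the `ps -eZ` and `ls -Z` inputs are constructed samples modelled on the output quoted above, so the script runs offline. The "mislabelled" branch and its `restorecon` hint go beyond what the thread discusses and are standard SELinux practice, not something the thread confirmed for this case.

```shell
#!/bin/sh
# Added example: triage of "sshd is not running in sshd_t".
# The inputs are constructed samples of what `ps -eZ` and `ls -Z /usr/sbin/sshd`
# print on an affected machine (modelled on the thread). On a real system feed the
# live output instead, e.g.:  diagnose "$(ps -eZ)" "$(ls -Z /usr/sbin/sshd)"

SAMPLE_PS='LABEL                          PID TTY      STAT   TIME COMMAND
system_u:system_r:init_t          1 ?        Ss     0:01 /sbin/init
system_u:system_r:sysadm_t     3632 ?        Ss     0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid
system_u:system_r:syslogd_t    1200 ?        Ss     0:00 /sbin/syslog-ng'

SAMPLE_LS='system_u:object_r:sshd_exec_t /usr/sbin/sshd'

# sshd_domain PS_OUTPUT: print the SELinux type (third field of the context) of
# the sshd daemon; prints nothing if no /usr/sbin/sshd process is listed.
# Fields in ps -eZ / ps axZ output: LABEL PID TTY STAT TIME COMMAND [args...]
sshd_domain() {
    printf '%s\n' "$1" |
        awk '$6 == "/usr/sbin/sshd" { split($1, c, ":"); print c[3]; exit }'
}

# exec_type LS_OUTPUT: print the file type from the `ls -Z` line for the binary.
exec_type() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3]; exit }'
}

# diagnose PS_OUTPUT LS_OUTPUT: classify the situation with one word.
#   ok             sshd runs in sshd_t, nothing to do
#   not-running    no /usr/sbin/sshd process found
#   mislabelled    binary is not sshd_exec_t, so no transition rule to sshd_t can
#                  match on exec (usual fix: restorecon -v /usr/sbin/sshd, restart)
#   no-transition  binary is labelled correctly but the process still did not end
#                  up in sshd_t: whoever executed it was in a domain with no
#                  transition rule to sshd_t. This is the case the thread hit,
#                  where `setsebool -P init_upstart on` made the transition happen.
diagnose() {
    dom=$(sshd_domain "$1")
    ftype=$(exec_type "$2")
    if [ -z "$dom" ]; then
        echo not-running
    elif [ "$dom" = sshd_t ]; then
        echo ok
    elif [ "$ftype" != sshd_exec_t ]; then
        echo mislabelled
    else
        echo no-transition
    fi
}

# Stand-alone run against the constructed sample.
# Expected: sysadm_t / sshd_exec_t / no-transition
echo "sshd domain: $(sshd_domain "$SAMPLE_PS")"
echo "binary type: $(exec_type "$SAMPLE_LS")"
echo "verdict:     $(diagnose "$SAMPLE_PS" "$SAMPLE_LS")"
```

The verdict only tells you which of the two usual causes you are looking at; after changing a boolean or relabelling, restart sshd and run the check again, because a running process keeps the domain it was started in.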