> On 09/29/2010 08:23 AM, Daniel J Walsh wrote:
>> On 09/29/2010 03:26 AM, imsand@xxxxxxxxx wrote:
>>>> On Tue, Sep 28, 2010 at 03:51:11PM +0200, imsand@xxxxxxxxx wrote:
>>>>>> On Tue, Sep 28, 2010 at 01:56:13PM +0200, imsand@xxxxxxxxx wrote:
>>>>>>>> On 28/09/10 08:24, imsand@xxxxxxxxx wrote:
>>>>>>>>> Hello
>>>>>>>>>
>>>>>>>>> I get the following error when I try to log in through ssh (even
>>>>>>>>> if selinux is in permissive mode!!!):
>>>>>>>>>
>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: Accepted
>>>>>>>>> keyboard-interactive/pam for mat from 131.102.233.127 port 58912 ssh2
>>>>>>>>> Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750] type=1400
>>>>>>>>> audit(1285657292.298:286): avc: denied { audit_control } for pid=12614
>>>>>>>>> comm="sshd" capability=30 scontext=system_u:system_r:sysadm_t
>>>>>>>>> tcontext=system_u:system_r:sysadm_t tclass=capability
>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12621]: error:
>>>>>>>>> ssh_selinux_getctxbyname: Failed to get default SELinux security context
>>>>>>>>> for mat
>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
>>>>>>>>> ssh_selinux_getctxbyname: Failed to get default SELinux security context
>>>>>>>>> for mat
>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error: ssh_selinux_setup_pty:
>>>>>>>>> security_compute_relabel: Invalid argument
>>>>>>>>>
>>>>>>>>> I already went through this post:
>>>>>>>>> http://www.nsa.gov/research/selinux/list-archive/0910/30906.shtml
>>>>>>>>> but I can't figure out the exact problem.
>>>>>>>>>
>>>>>>>>> Here is what I've done so far:
>>>>>>>>> - Downloaded the latest reference policy from tresys:
>>>>>>>>>   http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2
>>>>>>>>> - Compiled and installed it on my sles 11.1
>>>>>>>>> - set selinux into permissive mode: (so far so good.. :))
>>>>>>>>>   sestatus
>>>>>>>>>   SELinux status:                 enabled
>>>>>>>>>   SELinuxfs mount:                /selinux
>>>>>>>>>   Current mode:                   permissive
>>>>>>>>>   Mode from config file:          permissive
>>>>>>>>>   Policy version:                 24
>>>>>>>>>   Policy from config file:        refpolicy
>>>>>>>>> - Add selinux user "mat_u": semanage user -R "staff_r system_r" -P user -a mat_u
>>>>>>>>> - Add linux user "mat": useradd mat
>>>>>>>>> - Set password for "mat": passwd mat
>>>>>>>>> - User mapping: semanage login -s mat_u -a mat
>>>>>>>>> - add security context for "mat_u" by copying staff_u's context (don't
>>>>>>>>>   know if that's needed??!): cp /etc/selinux/refpolicy/contexts/user/staff_u
>>>>>>>>>   /etc/selinux/refpolicy/contexts/user/mat_u
>>>>>>>>> - set boolean for sysadm ssh login to true (don't know if that's needed?!):
>>>>>>>>>   setsebool ssh_sysadm_login on
>>>>>>>>>
>>>>>>>>> In other posts I've read something about sepermit.conf and namespace.conf
>>>>>>>>> but these files don't exist on my system. What about these files? Do I
>>>>>>>>> need them?
>>>>>>>>> What's wrong on my system?
>>>>>>>>> Why is it not possible to log in even if selinux is in permissive mode?
>>>>>>>>> Any suggestions?
>>>>>>>>
>>>>>>>> I'd start by trying to figure out why sshd isn't running in sshd_t (it
>>>>>>>> seems to be running in sysadm_t).
>>>>>>>>
>>>>>>>> Paul.
>>>>>>>> --
>>>>>>>> selinux mailing list
>>>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>
>>>>>>> Yes, sshd is running in sysadm_t:
>>>>>>>
>>>>>>> # ps axZ | grep sshd
>>>>>>> system_u:system_r:sysadm_t 3632 ? Ss 0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi
>>>>>>>
>>>>>>> # ls -Z /usr/sbin/sshd
>>>>>>> system_u:object_r:sshd_exec_t /usr/sbin/sshd
>>>>>>>
>>>>>>> Don't know why it's not sshd_t. I didn't modify anything. It's a
>>>>>>> standard installation of sles11 with the default reference policy from
>>>>>>> tresys.
>>>>>>>
>>>>>>> Maybe this code snippet from policy/modules/services/ssh.te is responsible
>>>>>>> for that:
>>>>>>> ## <desc>
>>>>>>> ## <p>
>>>>>>> ## Allow ssh logins as sysadm_r:sysadm_t
>>>>>>> ## </p>
>>>>>>> ## </desc>
>>>>>>> gen_tunable(ssh_sysadm_login, true)
>>>>>>>
>>>>>>> Any ideas?
>>>>>>
>>>>>> Do you have boolean init_upstart set to on? If not, try setting it to on.
>>>>>> I do not believe the ssh_sysadm_login boolean works currently, but I may be
>>>>>> mistaken.
>>>>
>>>> ssh_sysadm_login DOES actually work, you just need to specify your role on
>>>> login...
>>>>
>>> I suppose I have to edit /etc/selinux/refpolicy/src/policy/config/local.users
>>> for doing so!? I added "user mat roles { sysadm_r };" and rebuilt & loaded the
>>> policy. But after login the context is still "user_u:user_r:user_t".
>>> The user should be able to change the role to sysadm_r:
>>> ----
>>> semanage user -l
>>> SELinux User    SELinux Roles
>>> mat_u           staff_r sysadm_r
>>> ----
>>> Doing it explicitly does not work either:
>>> ----
>>> newrole -r staff_r
>>> user_u:staff_r:staff_t is not a valid context
>>> ----
>>> Don't know why. Restricted by a special policy?
>>
>> semanage login -l
>
> What does
>
>> selinuxdefcon mat system_u:system_r:sshd_t:s0
>
> show?
>
>> selinuxdefcon dwalsh system_u:system_r:sshd_t:s0
> staff_u:staff_r:staff_t:s0-s0:c0.c1023

selinuxdefcon mat system_u:system_r:sshd_t
mat_u:staff_r:staff_t
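An added set of checks, not from the thread, for the three things the diagnosis above turns on: whether an AVC denial shows sshd outside sshd_t, whether the sshd process context's type is sshd_t, and whether the default context selinuxdefcon returns uses a role that semanage lists for that SELinux user. The ps, semanage and audit lines are constructed samples mirroring the values quoted in the thread, so the functions run offline; on a live host you would feed them the real command output.

```shell
#!/bin/sh
# Constructed sample standing in for `ps axZ | grep sshd` (mirrors the thread's value).
PS_SAMPLE='system_u:system_r:sysadm_t 3632 ? Ss 0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid'

# Constructed sample standing in for `semanage user -l` (header plus one mapping).
SEMANAGE_USER_SAMPLE='SELinux User    SELinux Roles
mat_u           staff_r sysadm_r'

# Constructed AVC line, copied from the denial quoted in the thread.
AVC_SAMPLE='type=1400 audit(1285657292.298:286): avc: denied { audit_control } for pid=12614 comm="sshd" capability=30 scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability'

# avc_sshd_in_wrong_domain LINE: succeed (0) when an AVC line for comm="sshd"
# carries a source type other than sshd_t, i.e. the daemon did not transition.
avc_sshd_in_wrong_domain() {
    case "$1" in *'comm="sshd"'*) ;; *) return 1 ;; esac
    stype=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    [ -n "$stype" ] && [ "$stype" != "sshd_t" ]
}

# sshd_domain_ok PS_LINE: succeed when the process context's type (3rd field) is sshd_t.
sshd_domain_ok() {
    ctx=$(printf '%s\n' "$1" | awk '{print $1}')
    [ "$(printf '%s\n' "$ctx" | cut -d: -f3)" = "sshd_t" ]
}

# role_allowed SEUSER ROLE SEMANAGE_OUTPUT: succeed when ROLE appears on SEUSER's line.
role_allowed() {
    seuser=$1; role=$2; table=$3
    roles=$(printf '%s\n' "$table" | awk -v u="$seuser" '$1==u {for(i=2;i<=NF;i++) print $i}')
    for r in $roles; do
        [ "$r" = "$role" ] && return 0
    done
    return 1
}

# defcon_consistent SEUSER DEFCON SEMANAGE_OUTPUT: succeed when the context returned by
# selinuxdefcon names SEUSER and one of the roles semanage lists for it.
defcon_consistent() {
    seuser=$1; defcon=$2; table=$3
    cuser=$(printf '%s\n' "$defcon" | cut -d: -f1)
    crole=$(printf '%s\n' "$defcon" | cut -d: -f2)
    [ "$cuser" = "$seuser" ] && role_allowed "$seuser" "$crole" "$table"
}
```

With the thread's values, the AVC and ps checks flag sysadm_t while the selinuxdefcon check passes, which matches the thread's conclusion that the user mapping is fine and the domain transition of sshd is the problem.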