On 09/29/2010 10:36 AM, imsand@xxxxxxxxx wrote:
> On 09/29/2010 09:33 AM, imsand@xxxxxxxxx wrote:
>>>>> On 09/29/2010 08:23 AM, Daniel J Walsh wrote:
>>>>>> On 09/29/2010 03:26 AM, imsand@xxxxxxxxx wrote:
>>>>>>>> On Tue, Sep 28, 2010 at 03:51:11PM +0200, imsand@xxxxxxxxx wrote:
>>>>>>>>>> On Tue, Sep 28, 2010 at 01:56:13PM +0200, imsand@xxxxxxxxx wrote:
>>>>>>>>>>>> On 28/09/10 08:24, imsand@xxxxxxxxx wrote:
>>>>>>>>>>>>> Hello
>>>>>>>>>>>>>
>>>>>>>>>>>>> I get the following error when I try to log in through ssh (even
>>>>>>>>>>>>> if selinux is in permissive mode!!!):
>>>>>>>>>>>>>
>>>>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: Accepted
>>>>>>>>>>>>> keyboard-interactive/pam for mat from 131.102.233.127 port 58912 ssh2
>>>>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750] type=1400
>>>>>>>>>>>>> audit(1285657292.298:286): avc: denied { audit_control } for pid=12614
>>>>>>>>>>>>> comm="sshd" capability=30 scontext=system_u:system_r:sysadm_t
>>>>>>>>>>>>> tcontext=system_u:system_r:sysadm_t tclass=capability
>>>>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12621]: error:
>>>>>>>>>>>>> ssh_selinux_getctxbyname: Failed to get default SELinux security context
>>>>>>>>>>>>> for mat
>>>>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
>>>>>>>>>>>>> ssh_selinux_getctxbyname: Failed to get default SELinux security context
>>>>>>>>>>>>> for mat
>>>>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error: ssh_selinux_setup_pty:
>>>>>>>>>>>>> security_compute_relabel: Invalid argument
>>>>>>>>>>>>>
>>>>>>>>>>>>> I already went through this post:
>>>>>>>>>>>>> http://www.nsa.gov/research/selinux/list-archive/0910/30906.shtml
>>>>>>>>>>>>> but I can't figure out the exact problem.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here is what I've done so far:
>>>>>>>>>>>>> - Downloaded the latest reference policy from tresys:
>>>>>>>>>>>>>   http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2
>>>>>>>>>>>>> - Compiled and installed it on my sles 11.1
>>>>>>>>>>>>> - set selinux into permissive mode: (so far so good.. :))
>>>>>>>>>>>>>   sestatus
>>>>>>>>>>>>>   SELinux status:          enabled
>>>>>>>>>>>>>   SELinuxfs mount:         /selinux
>>>>>>>>>>>>>   Current mode:            permissive
>>>>>>>>>>>>>   Mode from config file:   permissive
>>>>>>>>>>>>>   Policy version:          24
>>>>>>>>>>>>>   Policy from config file: refpolicy
>>>>>>>>>>>>> - Add selinux user "mat_u":
>>>>>>>>>>>>>   semanage user -R "staff_r system_r" -P user -a mat_u
>>>>>>>>>>>>> - Add linux user "mat": useradd mat
>>>>>>>>>>>>> - Set password for "mat": passwd mat
>>>>>>>>>>>>> - User mapping: semanage login -s mat_u -a mat
>>>>>>>>>>>>> - add security context for "mat_u" by copying staff_u's context (don't
>>>>>>>>>>>>>   know if that's needed??!):
>>>>>>>>>>>>>   cp /etc/selinux/refpolicy/contexts/user/staff_u
>>>>>>>>>>>>>   /etc/selinux/refpolicy/contexts/user/mat_u
>>>>>>>>>>>>> - set boolean for sysadm ssh login to true (don't know if that's
>>>>>>>>>>>>>   needed?!):
>>>>>>>>>>>>>   setsebool ssh_sysadm_login on
>>>>>>>>>>>>>
>>>>>>>>>>>>> In other posts I've read something about sepermit.conf and namespace.conf
>>>>>>>>>>>>> but these files don't exist on my system. What about these files? Do I
>>>>>>>>>>>>> need them?
>>>>>>>>>>>>> What's wrong on my system?
>>>>>>>>>>>>> Why is it not possible to log in even if selinux is in permissive mode?
>>>>>>>>>>>>> Any suggestions?
>>>>>>>>>>>>
>>>>>>>>>>>> I'd start by trying to figure out why sshd isn't running in sshd_t (it
>>>>>>>>>>>> seems to be running in sysadm_t).
>>>>>>>>>>>>
>>>>>>>>>>>> Paul.
>>>>>>>>>>>> --
>>>>>>>>>>>> selinux mailing list
>>>>>>>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>>>>
>>>>>>>>>>> Yes, sshd is running in sysadm_t:
>>>>>>>>>>>
>>>>>>>>>>> # ps axZ | grep sshd
>>>>>>>>>>> system_u:system_r:sysadm_t 3632 ? Ss 0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi
>>>>>>>>>>>
>>>>>>>>>>> # ls -Z /usr/sbin/sshd
>>>>>>>>>>> system_u:object_r:sshd_exec_t /usr/sbin/sshd
>>>>>>>>>>>
>>>>>>>>>>> Don't know why it's not sshd_t. I didn't modify anything. It's a
>>>>>>>>>>> standard installation of sles11 with the default reference policy from
>>>>>>>>>>> tresys.
>>>>>>>>>>>
>>>>>>>>>>> Maybe this code snippet from policy/modules/services/ssh.te is
>>>>>>>>>>> responsible for that:
>>>>>>>>>>> ## <desc>
>>>>>>>>>>> ## <p>
>>>>>>>>>>> ## Allow ssh logins as sysadm_r:sysadm_t
>>>>>>>>>>> ## </p>
>>>>>>>>>>> ## </desc>
>>>>>>>>>>> gen_tunable(ssh_sysadm_login, true)
>>>>>>>>>>>
>>>>>>>>>>> Any ideas?
>>>>>>>>>>
>>>>>>>>>> Do you have boolean init_upstart set to on? If not, try setting it to
>>>>>>>>>> on. I do not believe the ssh_sysadm_login boolean works currently, but I
>>>>>>>>>> may be mistaken.
>>>>>>>>
>>>>>>>> ssh_sysadm_login DOES actually work, you just need to specify your role
>>>>>>>> on login...
>>>>>>>>
>>>>>>> I suppose I have to edit /etc/selinux/refpolicy/src/policy/config/local.users
>>>>>>> for doing so!? I added "user mat roles { sysadm_r };", rebuilt & loaded the
>>>>>>> policy. But after login the context is still "user_u:user_r:user_t".
>>>>>>> The user should be able to change the role to sysadm_r:
>>>>>>> ----
>>>>>>> semanage user -l
>>>>>>> SELinux User    SELinux Roles
>>>>>>> mat_u           staff_r sysadm_r
>>>>>>> ----
>>>>>>> Doing it explicitly does not work either:
>>>>>>> ----
>>>>>>> newrole -r staff_r
>>>>>>> user_u:staff_r:staff_t is not a valid context
>>>>>>> ----
>>>>>>> Don't know why. Restricted by a special policy?
>>>>>>
>>>>>> semanage login -l
>>>>>
>>>>> What does
>>>>>
>>>>>> selinuxdefcon mat system_u:system_r:sshd_t:s0
>>>>>
>>>>> show
>>>>>
>>>>>> selinuxdefcon dwalsh system_u:system_r:sshd_t:s0
>>>>> staff_u:staff_r:staff_t:s0-s0:c0.c1023
>>>>
>>>> selinuxdefcon mat system_u:system_r:sshd_t
>>>> mat_u:staff_r:staff_t
>>>>
> So if you ssh to the box now you should end up with staff_t, which is
> what you want.
>
> No, unfortunately not, and that's the curious thing about that. I still end
> up with user_r.
> Please have a look at this:
> ----------------
> root@localhost: ssh mat@stvlx05
> Password: ********
> mat@testsrv:~> id
> uid=6575(mat) gid=100(users) groups=16(dialout),33(video),100(users)
> context=user_u:user_r:user_t
> mat@testsrv:~> sudo /usr/sbin/selinuxdefcon mat system_u:system_r:sshd_t
> mat_u:staff_r:staff_t
> mat@testsrv:~>
> -----------------
> The user's role is user_r even though it should be staff_r. !?!?

What context is sshd running as?

ps -eZ | grep sshd
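As an added example (not from the thread or any of its participants), the POSIX sh helpers below automate the triage the thread converges on: read the sshd domain out of `ps -Z` style output, pull the fields out of the AVC record, and report whether sshd is confined in sshd_t. The sample inputs are constructed from the thread's own `ps axZ` and audit lines; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: triage helpers for "ssh login lands in
# the wrong SELinux domain". Sample inputs are constructed from the thread's
# own ps/audit lines; real use would feed `ps -eZ` and audit.log instead.
SAMPLE_PS='system_u:system_r:sysadm_t 3632 ? Ss 0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi
system_u:system_r:init_t 1 ? Ss 0:01 /sbin/init'
SAMPLE_AVC='type=1400 audit(1285657292.298:286): avc: denied { audit_control } for pid=12614 comm="sshd" capability=30 scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability'

# Type (third field of the context) of the sshd daemon in ps -Z style output,
# independent of column layout (ps axZ vs ps -eZ); empty if no sshd is listed.
sshd_type() {
    printf '%s\n' "$1" | awk '{ for (i = 2; i <= NF; i++)
        if ($i ~ /(^|\/)sshd$/) { split($1, c, ":"); print c[3]; exit } }'
}

# Value of a key=value field (scontext, tcontext, tclass, comm, pid) in an
# AVC record, with surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# Permission named in "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^ }]*\).*/\1/p'
}

# Exit 0 when sshd is confined in sshd_t, 1 when it runs in another domain
# (the thread's case: sysadm_t), 2 when no sshd process is found.
diagnose() {
    t=$(sshd_type "$1")
    case "$t" in
        sshd_t) echo "sshd runs in sshd_t; inspect the mapping next: semanage login -l"; return 0 ;;
        '')     echo "no sshd process in the listing"; return 2 ;;
        *)      echo "sshd runs in $t, not sshd_t: check ls -Z /usr/sbin/sshd and the init transition"; return 1 ;;
    esac
}

diagnose "$SAMPLE_PS" || echo "(diagnose exit status $?)"
echo "AVC: $(avc_field "$SAMPLE_AVC" comm) in $(avc_field "$SAMPLE_AVC" scontext)" \
     "denied $(avc_perm "$SAMPLE_AVC") on class $(avc_field "$SAMPLE_AVC" tclass)"
```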