> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 09/30/2010 07:37 AM, imsand@xxxxxxxxx wrote: >>>> On 28/09/10 16:10, imsand@xxxxxxxxx wrote: >>>>>> On 28/09/10 15:08, Daniel J Walsh wrote: >>>>>>>>>>>> What's wrong on my system? >>>>>>>>>>>> Why it's not possible to login even if selinux is in >>>>>>>>>>>> permissive >>>>>>>>>>>> mode? >>>>>>>>>>>> Any suggestions? >>>>>>>>>>> >>>>>>>>>>> I'd start by trying to figure out why sshd isn't running in >>>>>>>>>>> sshd_t >>>>>>>>>>> (it >>>>>>>>>>> seems to be running in sysadm_t). >>>>>>>>>>> >>>>>>>>>>> Paul. >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Yes, sshd is running in sysadm_t: >>>>>>>>>> >>>>>>>>>> # ps axZ | grep sshd >>>>>>>>>> system_u:system_r:sysadm_t 3632 ? Ss 0:00 >>>>>>>>>> /usr/sbin/sshd >>>>>>>>>> -o PidFile=/var/run/sshd.init.pi >>>>>>>>>> >>>>>>>>>> # ls -Z /usr/sbin/sshd >>>>>>>>>> system_u:object_r:sshd_exec_t /usr/sbin/sshd >>>>>>>>>> >>>>>>>>>> Don't know why it's not sshd_t. I didn't modified something. >>>>>>>>>> It's >>>>>>>>>> a >>>>>>>>>> standard installation of sles11 with the default reference >>>>>>>>>> policy >>>>>>>>>> from >>>>>>>>>> tresys. >>>>>>>>>> >>>>>>>>>> Maybe this code snippet from policy/modules/services/ssh.te is >>>>>>>>>> responsible >>>>>>>>>> for that: >>>>>>>>>> ##<desc> >>>>>>>>>> ##<p> >>>>>>>>>> ## Allow ssh logins as sysadm_r:sysadm_t >>>>>>>>>> ##</p> >>>>>>>>>> ##</desc> >>>>>>>>>> gen_tunable(ssh_sysadm_login, true) >>>>>>>>>> >>>>>>>>>> Any ideas? >>>>>>>>> >>>>>>>>> Do you have boolean init_upstart set to on? if not try setting it >>>>>>>>> to >>>>>>>>> on. >>>>>>>>> I do not believe ssh_sysadm_login boolean works currently but i >>>>>>>>> may >>>>>>>>> be >>>>>>>>> mistaken. >>>>>>>> >>>>>>>> Yeah, setting init_upstart to on did the trick! THANK A LOT! >>>>>>>> Do you know why this prevents the user from logging in through ssh >>>>>>>> even >>>>>>>> if >>>>>>>> selinux is set to permissive?? >>>>>>>> >>>>>>> Probably a bug in pam_selinux or sshd if it does not use >>>>>>> pam_selinux. >>>>>>> Something is not respecting the permissive mode flag. Of course >>>>>>> you >>>>>>> are >>>>>>> asking about sles on the Fedora mailing list.. :^) >>>>>> >>>>>> You'd see the same problem in Fedora if sshd wasn't running in >>>>>> sshd_t. >>>>>> The SSH server tries to compute the correct context for the session, >>>>>> fails, and bails out even in permissive mode. I saw this happen in >>>>>> the >>>>>> curl test suite, where we start an SSH server and try connecting to >>>>>> it. >>>>>> >>>>>> Paul. >>>>>> >>>>> After setting init_upstart = on sshd runs in sshd_t. >>>>> Do you know why? Can't sshd do a domain transition if init_upstart is >>>>> disabled? >>>> >>>> There's more on this here: >>>> >>>> https://bugzilla.novell.com/show_bug.cgi?id=582399 >>>> >>>> Paul. >>>> -- >>> Thank you for the link. I rename "/etc/initscript" like described it >>> the >>> report. now, sshing is working in both cases (init_upstart = on | off). >>> Thats fine. >>> But the role transition still not work. >>> >>> >>> -- >>> selinux mailing list >>> selinux@xxxxxxxxxxxxxxxxxxxxxxx >>> https://admin.fedoraproject.org/mailman/listinfo/selinux >>> >> >> I found out that the role transition works when the linux user name is >> equivalent to the SELinux name (both are mat_u). >> If so, the default user context after login via ssh is: >> "context=mat_u:staff_r:staff_t" >> And the explicit role transition to sysadm_r works as desired: >> "newrole -r sysadm_r" results in "context=mat_u:sysadm_r:sysadm_t". >> >> So far as I see, the user mapping seems to be correct: >> semanage login -l | grep mat >> Login Name SELinux User >> mat mat_u >> >> When I rename the Linux Login name back to mat, the role transition >> don't >> work anymore and the SELinux context switches back to >> "user_u:user_r:user_t" which is the default context if no correspond >> user >> is found by SELinux. >> >> Do I miss something? >> >> >> -- >> selinux mailing list >> selinux@xxxxxxxxxxxxxxxxxxxxxxx >> https://admin.fedoraproject.org/mailman/listinfo/selinux >> >> > Are you the guy on SLES? Or Fedora? In the old days pam_selinux and > libselinux used to not map Linux Users to SELinux users. So you had to > create a SELinux user for every user. You may be using an older version > of the code. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iEYEARECAAYFAkykhQQACgkQrlYvE4MpobPJrACfS0V70jI598DSZVQFAMrppJKR > oR4An1emGUteIRfmKNzN9wP0FFUdX+TY > =HWJA > -----END PGP SIGNATURE----- I'm using sles11sp1. I know, this is a fedora list but maybe thats a common problem or a missunderstanding of something which is not related to the distribution... I'm using libselinux1-2.0.91-4.2.1 and pam-1.0.4-0.5.12. It seems that they are quite new and adopted from fedora (especially the man page of pam_selinux which is from 12/18/2009 and written you ;)) How can I verify if it's a problem of a too old libselinux or pam_selinux version? -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
