On 12/23/2010 08:18 PM, Jorge Fábregas wrote:
> On Thursday, December 23, 2010 03:09:11 pm Daniel J Walsh wrote:
>> Theoretically we have this.
>>
>> unconfined_login -> on   Allow a user to login as an unconfined domain
>>
>> (Not sure it works.
>
> I didn't know that one but it seems it's not working on Fedora 12 (I'll switch
> to Fedora 14 soon I know :)
>
> After doing: setsebool unconfined_login off
> ..and then tried to connect (as a regular unconfined user), pstree shows:
>
> |-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
> |   `-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
> |       `-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
> |           `-bash(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
>
> ... it transitioned into unconfined_t, so the boolean is not working here.
>
>> Well one thing you could try is to disable the unconfineduser policy
>> package. This would eliminate the unconfined_t from your system
>> altogether.
>>
>> Then you would have to setup the admin (root) to log in as sysadm_t.
>
> I'll check into this. Never used sysadm_t before.

I went a bit further in my personal policy and combined the unconfined and sysadm login:

[dgrift@localhost Desktop]$ ssh dgrift/sysadm_r@localhost
WARNING!!! You have accessed a private network. UNAUTHORIZED ACCESS IS PROHIBITED BY LAW
Violators may be prosecuted to the full extend of the law. Your access to this network
may be monitored and recorded for quality assurance, security, performance, and
maintenance purposes.
/bin/bash: Permission denied
Connection to localhost closed.

[root@localhost Desktop]$ getsebool -a | grep ssh_all
ssh_all_login_users --> off

So with ssh_all_login_users set to on, all login users (including sysadm and unconfined) are able to login.
If set to off, then "privileged" users (sysadm and unconfined) cannot log in with sshd:

tunable_policy(`ssh_all_login_users',`
	# Relabel and access ptys created by sshd
	# ioctl is necessary for logout() processing for utmp entry and for w to
	# display the tty.
	# some versions of sshd on the new SE Linux require setattr
	userdom_spec_domtrans_all_users(sshd_t)
	userdom_signal_all_users(sshd_t)
',`
	userdom_spec_domtrans_unpriv_users(sshd_t)
	userdom_signal_unpriv_users(sshd_t)
')

http://fedorapeople.org/gitweb?p=domg472/public_git/refpolicy.git;a=blob;f=policy/modules/services/ssh.te;h=cef1cad73fbf4b79e2418cbc4dc07123e311e200;hb=HEAD

Not sure why I have not implemented the same for xdm though. I should look into that.

> Thanks,
> Jorge

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
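As an added example (not part of the mail above or of refpolicy), the following POSIX shell script automates the check Jorge did by hand with pstree: it scans `ps -eZ`-style process lines for login shells whose SELinux context is a privileged login domain, and it models the `ssh_all_login_users` tunable quoted above as a yes/no decision for a requested role. The function names, the sample process lines and the role list (unconfined_r, sysadm_r) are assumptions made for the example; the real policy decides by user-domain attributes rather than by role name, which the script deliberately simplifies.

```shell
#!/bin/sh
# Added example for the ssh_all_login_users discussion; not code from the
# original mail or from refpolicy. Sample process lines are constructed.

# Second and third colon-separated fields of a context such as
# unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 are role and type.
ctx_role() {
    printf '%s\n' "$1" | cut -d: -f2
}

ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Privileged login roles (assumption: the ones the "unpriv_users" branch of
# the tunable does not cover, so sshd may only reach them with the boolean on).
is_priv_role() {
    case "$1" in
        unconfined_r|sysadm_r) return 0 ;;
        *) return 1 ;;
    esac
}

# Model of the tunable_policy block: boolean "on" lets sshd transition to any
# login domain, "off" only to unprivileged ones. Prints allowed/denied.
ssh_login_expected() {
    boolean=$1   # "on" or "off", as printed by getsebool
    role=$2      # role requested, e.g. the sysadm_r in dgrift/sysadm_r@host
    if [ "$boolean" = on ] || ! is_priv_role "$role"; then
        printf 'allowed\n'
    else
        printf 'denied\n'
    fi
}

# Read `ps -eZ`-style lines (LABEL PID TTY TIME CMD) on stdin and print
# "PID CMD ROLE:TYPE" for every shell running in a privileged login role.
find_priv_shells() {
    while read -r label pid tty cputime cmd; do
        case "$cmd" in
            bash|sh|zsh|ksh) ;;
            *) continue ;;
        esac
        role=$(ctx_role "$label")
        if is_priv_role "$role"; then
            printf '%s %s %s:%s\n' "$pid" "$cmd" "$role" "$(ctx_type "$label")"
        fi
    done
}

# Constructed sample, modelled on the pstree output quoted in the thread:
# an sshd chain ending in an unconfined_t bash, plus two confined shells.
SAMPLE_PS='unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 1201 ? 00:00:00 sshd
unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 1302 ? 00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1303 pts/0 00:00:00 bash
staff_u:staff_r:staff_t:s0-s0:c0.c1023 1404 pts/1 00:00:00 bash
user_u:user_r:user_t:s0 1505 pts/2 00:00:00 bash'

# Wrapper so the audit over the sample can be called as a function.
audit_sample() {
    printf '%s\n' "$SAMPLE_PS" | find_priv_shells
}

# With the boolean off, an unconfined_r shell under sshd is exactly what
# Jorge observed and what the tunable is supposed to prevent.
audit_sample                         # 1303 bash unconfined_r:unconfined_t
ssh_login_expected off sysadm_r      # denied
ssh_login_expected on sysadm_r       # allowed
```

On a live host, source the functions and feed them real data with `ps -eZ | find_priv_shells`; the `ps` header line is skipped automatically because its CMD column is not a shell name. If the boolean is off and the audit still reports a shell in unconfined_r or sysadm_r, either the login did not come through sshd or the installed policy does not contain the tunable, which is what `getsebool ssh_all_login_users` and `sesearch` against the loaded policy should be used to confirm.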