On Sun, 2012-03-25 at 14:02 +0100, Mr Dash Four wrote:
> Since upgrading to the latest openssh (server) - v5.8p2-25 - and using
> kernel 3.2 I started getting the following avc when trying to connect
> via sftp and attempting to delete/change various files (please note that
> sftpd_full_access is on!):
>
> type=AVC msg=audit(1332653118.024:179): avc: denied { dyntransition }
> for pid=1989 comm="sshd"
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=process
> type=SYSCALL msg=audit(1332653118.024:179): arch=40000003 syscall=4
> success=no exit=-13 a0=3 a1=e11a48 a2=36 a3=e11a48 items=0 ppid=1986
> pid=1989 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=3 comm="sshd" exe="/usr/sbin/sshd"
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
What does audit2why say?
Might be a constraint issue?
Some shots in the dark:
# get past dyntransition kiddy lock
domain_dyntrans_type(sshd_t)
# get past subject identity change kiddy lock
domain_subj_id_change_exemption(sshd_t)
# get past role change kiddy lock
domain_role_change_exemption(sshd_t)
> I did not get the above avc with the previous version of openssh I was
> using (v5.6) and I suspect it is something to do with the unprivileged
> user transition feature, which has been implemented in this version, but
> I can't be 100% sure.
>
> I have tried to counter the above avc with including
> "dyntrans_pattern(sshd_t, unconfined_t)", then
> "unconfined_domtrans(sshd_t)" and finally a raw "allow sshd_t
> unconfined_t:process { dyntransition };" but to no avail - I am still
> getting the above avc! What am I doing wrong and is there a way to get
> this sorted? Many thanks!
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
