> What does audit2why say?
Well, not what I expected :-\ :
-bash-4.1# audit2why < /var/log/audit/audit.log
Traceback (most recent call last):
  File "/usr/bin/audit2allow", line 24, in <module>
    import sepolgen.policygen as policygen
  File "/usr/lib/python2.6/site-packages/sepolgen/policygen.py", line 33, in <module>
    from setools import *
ImportError: No module named setools
So, I guess I have to transfer my audit.log to a machine which does have
setools (python) installed (the one I am getting this on is my DMZ
server, so it is pretty constrained).
> Some shots in the dark:
> # get past dyntransition kiddy lock
> domain_dyntrans_type(sshd_t)
> # get past subject identity change kiddy lock
> domain_subj_id_change_exemption(sshd_t)
> # get past role change kiddy lock
> domain_role_change_exemption(sshd_t)
I'll try these, thanks Dominick! I'll introduce these one by one as
tunables and see what works.
Could it be that the new version of openssh introduced these new hooks,
which were not present in older versions? To me this whole issue is
caused entirely by openssh.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
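
Added example, not part of the original message or of any SELinux tool: a standard-library-only Python 3 summarizer for type=AVC denial records, for triaging an audit.log on a host where audit2why cannot run because setools is missing. The sample records are constructed, and the function names are this example's own. It only groups denials; unlike audit2why, it does not say whether a denial comes from a missing allow rule or from a constraint.

```python
import re
import sys
from collections import Counter

# Kernel AVC denial text: "avc:  denied  { perms } for  key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not taken from the poster's log).
SAMPLE = [
    'type=AVC msg=audit(1000000000.001:101): avc:  denied  { dyntransition } for  pid=2001 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1000000000.001:101): arch=c000003e syscall=1 success=no exit=-13 comm="sshd"',
    'type=AVC msg=audit(1000000000.002:102): avc:  denied  { dyntransition } for  pid=2002 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process',
    'type=AVC msg=audit(1000000000.003:103): avc:  denied  { read write } for  pid=2003 comm="sshd" name="x" dev=dm-0 ino=12 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file',
]

def type_of(context):
    """Return the type field of a user:role:type[:range] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one type=AVC record into a dict, or return None for other lines."""
    if not line.startswith("type=AVC "):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    source = type_of(fields.get("scontext", ""))
    target = type_of(fields.get("tcontext", ""))
    if not (source and target and "tclass" in fields):
        return None
    return {"perms": m.group("perms").split(), "source": source,
            "target": target, "tclass": fields["tclass"]}

def summarize(lines):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec["perms"]:
            counts[(rec["source"], rec["target"], rec["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    stream = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for (src, tgt, cls, perm), n in summarize(stream).most_common():
        print("%5d  %s -> %s : %s { %s }" % (n, src, tgt, cls, perm))
```

Run with the path to audit.log as the only argument; with no argument it summarizes the constructed sample.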