justina colmena wrote:
> On Wednesday, March 7, 2018 2:26:14 PM AKST m.roth@xxxxxxxxx wrote:
>> Stephen Smalley wrote:
>> > On 03/07/2018 03:18 PM, m.roth@xxxxxxxxx wrote:
>> >> CentUS 7.4
>> >> ...
>> >> From sealert:
>> >> SELinux is preventing /usr/sbin/sshd from read access on the file
>> >> /etc/ssh/moduli.
>> >> Except:
>> >> ls -laFZ /etc/ssh/moduli
>> >> -rw-r--r--. root root system:object_r:etc_t:s0 /etc/ssh/moduli
>> > ...
>> > NB: You have "system" rather than "system_u" above, unless that's a typo.
>> > Which would be an invalid user identity, and thus an invalid security
>> > context, and therefore mapped to the unlabeled context at runtime.
>
> CentUS or CentOS? "system" or "system_u"? Am I to be amused?

Sorry, typo. We're currently overwhelmed, due to an environmental
incident, and I'm exhausted.
>
> This is frustrating. This sort of thing is typical of a hacked system, and
> for us ordinary users, there is no sane SELinux policy development taking
> place. A lot of these security labels can easily, freely, and arbitrarily be
> changed by ordinary users with the "chcon" command, there is a lot of covert
> resistance to locking things down any further or fixing persistent security
> problems, and SELinux has never really moved beyond the philosophy of
>
> # touch /.autorelabel && reboot
>
Which requires rebooting the system, and for a filesystem of any real
size, means waiting for-bloody-ever.

I think it gets system if you copy it without copying the selinux label....

      mark
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
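
The check Stephen Smalley describes in the thread above (a context whose user field is not a user defined in the policy is invalid), written out as an added example that is not part of the original thread. The `POLICY_USERS` set, the function names and the sample listing are assumptions made for illustration; the first sample line is the one quoted in the thread, the other two are constructed.

```python
import re

# Assumption: SELinux users defined by the loaded policy. On a real system take
# this from `semanage user -l` or `seinfo -u`; this set is typical of the
# targeted policy and is hard-coded only so the example runs offline.
POLICY_USERS = {"system_u", "unconfined_u", "user_u", "staff_u",
                "sysadm_u", "root", "guest_u", "xguest_u"}

# CentOS 7 `ls -lZ` layout: mode, owner, group, context, path.
LS_Z = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

def parse_context(ctx):
    """Split user:role:type[:level]; the level may itself contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        return None
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}

def audit(lines, users=POLICY_USERS):
    """Return (path, context, reason) for every entry whose context is invalid."""
    findings = []
    for line in lines:
        m = LS_Z.match(line.strip())
        if not m:
            continue  # not an ls -Z entry (blank line, "total N", ...)
        ctx, path = m.group(4), m.group(5)
        fields = parse_context(ctx)
        if fields is None:
            findings.append((path, ctx, "malformed context"))
        elif fields["user"] not in users:
            findings.append((path, ctx,
                             "user '%s' is not defined in policy" % fields["user"]))
    return findings

# Sample listing: line 1 as quoted in the thread, lines 2-3 constructed.
SAMPLE = [
    "-rw-r--r--. root root system:object_r:etc_t:s0 /etc/ssh/moduli",
    "-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/ssh/ssh_config",
    "-rw-------. root root system_u:object_r:sshd_key_t:s0-s0:c0.c1023 /etc/ssh/key",
]

if __name__ == "__main__":
    for path, ctx, reason in audit(SAMPLE):
        print("%s: %s (%s)" % (path, ctx, reason))
```

On a live system a single file's label can be reset with `restorecon -v /etc/ssh/moduli`, which does not need the reboot that a full `/.autorelabel` does.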