Re: shellinabox

On 12/06/18 09:02, Paul Howarth wrote:
On Mon, 11 Jun 2018 18:25:08 +0100
lejeczek <peljasz@xxxxxxxxxxx> wrote:

hi guys,

cannot get it to work - shellinabox - not being programmer nor
selinux sorcerer.

shellinabox via apache, when I ausearch it all I get is:

#============= unconfined_service_t ==============

#!!!! The file '/usr/bin/bash' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /usr/bin/bash
allow unconfined_service_t unconfined_t:process transition;

I have shellinabox in Apache's:

<Location /cmd>
    AuthType Basic
    AuthName "some more"
    AuthBasicProvider PAM
    AuthPAMService rstudio
    Require valid-user
    #Require    all granted
    ProxyPass  http://localhost:4200/
</Location>

using:

LoadModule authnz_pam_module modules/mod_authnz_pam.so

So all seems to work there between apache & shellinabox. Last bit
when you login to shell you get denied.

Would there be a reasonable selinux module for it or is shellinabox
just too poor design?

Strange. shellinabox is working for me on Fedora 27.

What's the context of /usr/bin/bash on your system?

$ ls -lZ /usr/bin/bash
-rwxr-xr-x. 1 root root system_u:object_r:shell_exec_t:s0 1132656 Feb 13 14:08 /usr/bin/bash

If it's not shell_exec_t, the advice given in the error message you saw
should fix it.

Paul.
_______________________________________________

I should have maybe mentioned that I'm on CentOS 7.5

$ ll -Z /usr/bin/bash
-rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /usr/bin/bash
$ ll -Z /usr/sbin/shellinaboxd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/shellinaboxd
☩ WHALE 49 ~]$ ll -Z /usr/bin/bash

I think the problem is here, it's how systemd does the service:
$ ps -FZp 2909167 --cols 999
LABEL UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
system_u:system_r:unconfined_service_t:s0 shellin+ 2909167 1 0 10785 2740 7 Jun11 ? 00:00:00 /usr/sbin/shellinaboxd -u shellinabox -g shellinabox --cert=/var/lib/shellinabox --port=4200 --localhost-only --disable-ssl
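
Added example, not part of the original thread and not code from either poster: a small Python helper that correlates the three pieces of evidence quoted above (the audit2allow rule, the `ps -Z` line and the `ls -Z` line). The function and constant names are made up for this illustration, and the sample input is copied from the messages, with the ps line shortened.

```python
import re
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str

class AllowRule(NamedTuple):
    source: str
    target: str
    tclass: str
    perms: tuple

CONTEXT_RE = re.compile(r"\b([a-z_]+_u:[a-z_]+_r:[a-z0-9_]+_t:s\d\S*)")
RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;", re.M)

def find_context(line):
    """First SELinux context found in one line of `ps -Z` or `ls -Z` output."""
    m = CONTEXT_RE.search(line)
    # The MLS level can contain ':' (s0-s0:c0.c1023), so split at most 3 times.
    return Context(*m.group(1).split(":", 3)) if m else None

def parse_allow_rules(text):
    """Rules from audit2allow-style text; '#' comment lines never match."""
    return [AllowRule(src, tgt, cls, tuple(braced.split()) if braced else (single,))
            for src, tgt, cls, braced, single in RULE_RE.findall(text)]

def denied_transitions(proc_line, rules_text):
    """Rules asking for a process transition out of the domain proc_line runs in."""
    ctx = find_context(proc_line)
    return [r for r in parse_allow_rules(rules_text)
            if ctx and r.source == ctx.type
            and r.tclass == "process" and "transition" in r.perms]

# Sample input copied from the messages above (ps line shortened).
PS_LINE = ("system_u:system_r:unconfined_service_t:s0 shellin+ 2909167 1 0 10785 "
           "2740 7 Jun11 ? 00:00:00 /usr/sbin/shellinaboxd -u shellinabox")
RULES = """#============= unconfined_service_t ==============
allow unconfined_service_t unconfined_t:process transition;
"""
BASH_LINE = "-rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /usr/bin/bash"

if __name__ == "__main__":
    print("daemon domain:", find_context(PS_LINE).type)
    print("bash label:   ", find_context(BASH_LINE).type)
    for r in denied_transitions(PS_LINE, RULES):
        print("requested transition:", r.source, "->", r.target, r.perms)
```

Run against the thread's data, it reports that the source type of the requested transition is the same domain shellinaboxd is running in, while bash itself carries `shell_exec_t`.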

