On 12/06/18 09:02, Paul Howarth wrote:
> On Mon, 11 Jun 2018 18:25:08 +0100
> lejeczek <peljasz@xxxxxxxxxxx> wrote:
>
>> hi guys,
>> cannot get it to work - shellinabox - not being programmer nor
>> selinux sorcerer.
>> shellinabox via apache, when I ausearch it all I get is:
>>
>> #============= unconfined_service_t ==============
>> #!!!! The file '/usr/bin/bash' is mislabeled on your system.
>> #!!!! Fix with $ restorecon -R -v /usr/bin/bash
>> allow unconfined_service_t unconfined_t:process transition;
>>
>> I have shellinabox in Apache's:
>>
>> <Location /cmd>
>> AuthType Basic
>> AuthName "some more"
>> AuthBasicProvider PAM
>> AuthPAMService rstudio
>> Require valid-user
>> #Require all granted
>> ProxyPass http://localhost:4200/
>> </Location>
>>
>> using:
>> LoadModule authnz_pam_module modules/mod_authnz_pam.so
>>
>> So all seems to work there between apache & shellinabox. Last bit
>> when you login to shell you get denied.
>> Would there be a reasonable selinux module for it or is shellinabox
>> just too poor design?
>
> Strange. shellinabox is working for me on Fedora 27.
> What's the context of /usr/bin/bash on your system?
>
> $ ls -lZ /usr/bin/bash
> -rwxr-xr-x. 1 root root system_u:object_r:shell_exec_t:s0 1132656 Feb 13 14:08 /usr/bin/bash
>
> If it's not shell_exec_t, the advice given in the error message you saw
> should fix it.
>
> Paul.
I should have maybe mentioned that I'm on CentOS 7.5
$ ll -Z /usr/bin/bash
-rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /usr/bin/bash
$ ll -Z /usr/sbin/shellinaboxd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/shellinaboxd
I think the problem is here, it's how systemd does the service:
$ ps -FZp 2909167 --cols 999
LABEL UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
system_u:system_r:unconfined_service_t:s0 shellin+ 2909167 1 0 10785 2740 7 Jun11 ? 00:00:00 /usr/sbin/shellinaboxd -u shellinabox -g shellinabox --cert=/var/lib/shellinabox --port=4200 --localhost-only --disable-ssl
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/HLKEFCQYOUYIZH7FCGWJG3JZUIRVC3QT/