On Wed, 04 Aug 2010 12:54:32 +0900, Tetsuo Handa said: > # killall -KILL sshd > # /usr/sbin/sshd -o 'Banner /etc/shadow' > # ssh localhost I am unable to replicate this behavior on my system with SELinux set to enforcing mode. However, it does happen (which is to be expected) when SELinux is set to permissive mode. % rpm -q openssh selinux-policy-mls openssh-5.5p1-18.fc14.x86_64 selinux-policy-mls-3.8.8-8.fc14.noarch Tested by by trying both /etc/issue and /etc/shadow as banner files - in permissive mode, both files would be displayed. In enforcing mode, /etc/issue would show up and /etc/shadow would not. In addition, checking of the actual policy source for ssh shows no entry for auth_read_shadow() for sshd_t, although it is present for many other systemd daemons that have a need to read it. So in enforcing mode, there's no rule allowing sshd to open /etc/shadow, so it won't open. Are you sure you weren't running in permissive mode when you tested this?
Attachment:
pgppxnLkAcZxl.pgp
Description: PGP signature
