On Mon, 2009-09-28 at 14:52 -0600, Orion Poplawski wrote:
> On 09/28/2009 02:22 PM, Stephen Smalley wrote:
> > On Mon, 2009-09-28 at 16:17 -0400, Daniel J Walsh wrote:
> >> On 09/28/2009 04:13 PM, Orion Poplawski wrote:
> >>> On 09/28/2009 01:03 PM, Daniel J Walsh wrote:
> >>>> On 09/22/2009 11:49 AM, Orion Poplawski wrote:
> >>>>> On 09/22/2009 09:12 AM, Daniel J Walsh wrote:
> >>>>>> On 09/22/2009 07:25 AM, Orion Poplawski wrote:
> >>>>>>> On 09/21/2009 08:32 PM, Daniel J Walsh wrote:
> >>>>>>>> Do you have labels on the rest of the system? Do you have seedit
> >>>>>>>> installed?
> >>>>>>>
> >>>>>>> Yes, e.g.:
> >>>>>>>
> >>>>>>> # ls -Za /etc/ssh
> >>>>>>> drwxr-xr-x root root system_u:object_r:etc_t .
> >>>>>>> drwxr-xr-x root root system_u:object_r:etc_t ..
> >>>>>>> -rw------- root root system_u:object_r:etc_t moduli
> >>>>>>> -rw-r--r-- root root user_u:object_r:etc_t ssh_config
> >>>>>>> -rw------- root root system_u:object_r:etc_t sshd_config
> >>>>>>> -rw------- root root system_u:object_r:sshd_key_t ssh_host_dsa_key
> >>>>>>> -rw-r--r-- root root root:object_r:etc_t ssh_host_dsa_key.pub
> >>>>>>> -rw------- root root system_u:object_r:sshd_key_t ssh_host_key
> >>>>>>> -rw-r--r-- root root root:object_r:etc_t ssh_host_key.pub
> >>>>>>> -rw------- root root system_u:object_r:sshd_key_t ssh_host_rsa_key
> >>>>>>> -rw-r--r-- root root root:object_r:etc_t ssh_host_rsa_key.pub
> >>>>>>> -rw-r--r-- root root user_u:object_r:etc_t ssh_known_hosts
> >>>>>>>
> >>>>>>> Don't appear to have seedit, never heard of it.
> >>>>>>>
> >>>>>> Right now as root you execute
> >>>>>>
> >>>>>> # chcon system_u:object_r:etc_t:s0 /etc/ssh
> >>>>>>
> >>>>>> It gives you an error?
> >>>>>
> >>>>> yup.
> >>>>>
> >>>>> # chcon system_u:object_r:etc_t:s0 /etc/ssh
> >>>>> chcon: failed to change context of /etc/ssh to system_u:object_r:etc_t:s0: Operation not permitted
> >
> > I think I'm missing context for this discussion. But it might help to
> > know:
> > 1) Output of id command,
> > 2) Policy type that is being used (targeted, mls, ...?)
> > 3) Policy version
> > 4) Kernel version
> >
>
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=user_u:system_r:unconfined_t

Dan, is this supposed to be user_u:system_r in RHEL5? Or should it be
unconfined_u:unconfined_r as in current Fedora?

Do you get any avc denial in /var/log/audit/audit.log
or /var/log/messages? If so, what does audit2why say about it?

> selinux-policy-targeted-2.4.6-257.el5
>
> 2.6.18-128.7.1.el5
>
> Basically, I'm running CentOS 5.3, but with Dan Walsh's selinux
> repository enabled. For some reason it appears to be preventing the
> above labeling operation, which is happening during the installation of
> openssh:
>
> Installing : openssh [1/5]
> Error unpacking rpm package openssh-4.3p2-36.el5.i386
> error: unpacking of archive failed on file /etc/ssh: cpio: lsetfilecon
>
>
> I probably should reboot to 2.6.18-164.el5 soon, but am kind of scared
> due to the intermediate state of openssh.

-- 
Stephen Smalley
National Security Agency