Hello!

When switching at runtime between the standard reference policy and the MLS/MCS reference policy (2.20091117), the ssh server on a Debian Lenny system does not accept new connections until it is restarted. The following denials are generated:

    type=1400 audit(1265028026.079:19): avc: denied { transition } for pid=8973 comm="sshd" path="/bin/bash" dev=dm-1 ino=146597 scontext=system_u:system_r:sshd_t:s0 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=process

Unfortunately, simply adding a custom module such as the following:

    require {
            type staff_t;
            type sshd_t;
            class process transition;
    }

    #============= sshd_t ==============
    allow sshd_t staff_t:process transition;

does not help.

I believe the problem arises as soon as the ssh server opens a shell for the user, as I get "/bin/bash: Permission denied" after the initial /etc/motd banner (and the connection is dropped at that point).

Does anybody have an idea on how to sort out this issue?

I believe the server is OpenSSH version 5.1p1, while bash is version 3.2.39(1). I have not had time to test other distributions.

Kind regards,

Guido Trentalancia
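An added example, not part of the original message: a small Python parser that splits the two contexts in the quoted denial and compares their MLS/MCS ranges. In SELinux a denial can come from a policy constraint as well as from a missing allow rule, so the comparison surfaces a difference that a rule on sshd_t and staff_t alone does not touch; whether that is the cause here is an assumption the post does not confirm. All function names are illustrative.

```python
import re

# The denial quoted in the post, copied verbatim.
AVC = ('type=1400 audit(1265028026.079:19): avc: denied { transition } for '
       'pid=8973 comm="sshd" path="/bin/bash" dev=dm-1 ino=146597 '
       'scontext=system_u:system_r:sshd_t:s0 '
       'tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=process')

def parse_level(level):
    """'s0:c0.c3,c5' -> (0, {0, 1, 2, 3, 5})"""
    sens, _, cats = level.partition(':')
    out = set()
    for part in filter(None, cats.split(',')):
        lo, _, hi = part.partition('.')      # 'c0.c3' is an inclusive span
        lo = int(lo[1:])
        hi = int(hi[1:]) if hi else lo
        out.update(range(lo, hi + 1))
    return int(sens[1:]), out

def parse_context(ctx):
    """user:role:type:low[-high] -> dict; a single level means low == high."""
    user, role, typ, rng = ctx.split(':', 3)
    low, _, high = rng.partition('-')
    return {'user': user, 'role': role, 'type': typ,
            'low': parse_level(low), 'high': parse_level(high or low)}

def dominates(a, b):
    """Level a dominates b: sensitivity >= and category set is a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def parse_avc(line):
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)'
                  r'\s+tcontext=(\S+)\s+tclass=(\S+)', line)
    if not m:
        raise ValueError('not an AVC denial')
    return {'perms': m.group(1).split(), 'source': parse_context(m.group(2)),
            'target': parse_context(m.group(3)), 'tclass': m.group(4)}

def range_report(avc):
    """Compare the MLS/MCS ranges of the source and target contexts."""
    s, t = avc['source'], avc['target']
    return {'same_range': (s['low'], s['high']) == (t['low'], t['high']),
            'source_high_dominates_target_high': dominates(s['high'], t['high']),
            'target_only_categories': len(t['high'][1] - s['high'][1])}

if __name__ == '__main__':
    print(range_report(parse_avc(AVC)))
```

On the quoted record the source range is s0 with no categories, while the target's high level carries c0.c1023, so the two ranges differ.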