On Thu, 21 Oct 2010, imsand@xxxxxxxxx wrote:

> The problem of not being able to login must be in relation with permission
> denies while reading /etc/shadow
>
> type=AVC msg=audit(1287662213.439:407774): avc: denied { read } for pid=10211 comm="sshd" name="shadow" dev=dm-2 ino=48107 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:shadow_t tclass=file

The way it's supposed to work is that unix_chkpwd will read /etc/shadow and
tell the caller (sshd or whatever) whether the password matched. That means
that sshd doesn't get read access to /etc/shadow and if it's compromised it
can't give such data away to random attackers.

Using a compromised sshd to read /etc/shadow isn't one of the more likely
attacks (the existence of such an exploit would rely on there being a sshd
bug, and it being impossible to launch a shell with said bug). But it's an
easy one to protect against.

If you have a non-PAM system then you need to allow such access though.

-- 
russell@xxxxxxxxxxxx
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
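The exchange above turns on reading one AVC record correctly: a `read` denial on `shadow_t` from `sshd_t` is the policy doing its job (sshd is meant to go through unix_chkpwd), whereas the same denial against the helper's own domain would mean something is actually broken. The following parser and triage routine is an added example written for this page; it is not code from the thread or from the SELinux project. It assumes the refpolicy convention that unix_chkpwd runs in the `chkpwd_t` domain (passed in as `trusted_domains` so it can be adjusted), and the sample lines other than the one quoted in the thread are constructed.

```python
"""Parse AVC audit records and triage denials that touch shadow_t.

Added example, not code from the mailing-list thread. Assumes the refpolicy
domain name chkpwd_t for unix_chkpwd; adjust trusted_domains otherwise.
"""
import re
from dataclasses import dataclass

# type=AVC msg=audit(<secs>.<ms>:<serial>): avc: denied { perm ... } for k=v ...
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+'
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values may be double-quoted (comm="sshd") or bare (ino=48107)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str          # "denied" or "granted"
    perms: frozenset     # permissions named inside { ... }
    fields: dict         # pid, comm, name, scontext, tcontext, tclass, ...


def parse_avc(line):
    """Return an AvcRecord for an AVC line, or None for anything else."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return AvcRecord(
        timestamp=float(m.group('ts')),
        serial=int(m.group('serial')),
        result=m.group('result'),
        perms=frozenset(m.group('perms').split()),
        fields=fields,
    )


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] context string."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def triage_shadow_denials(lines, trusted_domains=frozenset({'chkpwd_t'})):
    """Pick out denials on shadow_t files and say what each one means.

    A denial from any domain that is not the password-checking helper is the
    expected outcome of the PAM/unix_chkpwd design: the daemon is not supposed
    to read /etc/shadow itself. A denial against the helper domain is the case
    worth investigating (mislabelled file, broken policy).
    Returns a list of (serial, comm, source_type, perms, verdict) tuples.
    """
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.result != 'denied':
            continue
        if rec.fields.get('tclass') != 'file':
            continue
        if context_type(rec.fields.get('tcontext', '')) != 'shadow_t':
            continue
        src = context_type(rec.fields.get('scontext', ''))
        if src in trusted_domains:
            verdict = 'unexpected: password helper denied access to shadow_t'
        else:
            verdict = 'expected: non-helper domain blocked from shadow_t'
        findings.append((rec.serial, rec.fields.get('comm'), src,
                         sorted(rec.perms), verdict))
    return findings


# Sample input: the first line is the record quoted in the thread; the rest
# are constructed for this example.
SAMPLE_LINES = [
    'type=AVC msg=audit(1287662213.439:407774): avc: denied { read } for '
    'pid=10211 comm="sshd" name="shadow" dev=dm-2 ino=48107 '
    'scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:shadow_t tclass=file',
    'type=SYSCALL msg=audit(1287662213.439:407774): arch=c000003e syscall=2 success=no',
    'type=AVC msg=audit(1287662300.101:407801): avc: denied { read } for '
    'pid=10230 comm="unix_chkpwd" name="shadow" dev=dm-2 ino=48107 '
    'scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:shadow_t tclass=file',
    'type=AVC msg=audit(1287662310.500:407810): avc: denied { getattr } for '
    'pid=10231 comm="sshd" name="passwd" dev=dm-2 ino=48100 '
    'scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:etc_t tclass=file',
]

if __name__ == '__main__':
    for serial, comm, src, perms, verdict in triage_shadow_denials(SAMPLE_LINES):
        print(f'{serial} {comm} ({src}) {{ {" ".join(perms)} }}: {verdict}')
```

On a PAM system the first finding is the one from the thread and needs no policy change; only the second kind (helper domain denied) points at a real fault. On a non-PAM system, where the daemon really does read /etc/shadow itself, the thread's advice applies and the "expected" verdict would instead be the access you have to allow.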