On 02/05/2011 09:33 AM, Simon Peter Nicholls wrote:
> On 05/02/11 00:22, Simon Peter Nicholls wrote:
>> Hi All,
>>
>> I'm having some trouble setting up SELinux using refpolicy, and am
>> unable to log in my test user through ssh when in enforcing mode. Could
>> someone help me work out where the problem lies? I have some basic
>> experience with SELinux, but based on working Fedora systems that have
>> gone slightly awry.
>>
>> Similar denial messages to the ssh one are seen when trying to run
>> software like Emacs in permissive mode. In each case it feels like I
>> am restricted by the consoletype_t, whilst I was expecting to gain an
>> unconfined_t type for my user (to match unconfined_u & unconfined_r).
>>
>> I also expected to see the sshd_t type for the sshd process, but it is
>> using init_t. Are transitions failing for my startup services?
>
> Typical. The act of writing this gave substance to my suspicions. I
> checked the type for the SSH init script and it was incorrectly set
> to etc_t, the underlying reason being that Arch Linux uses the
> non-standard /etc/rc.d directory for its startup scripts.
>
> As a quick test to confirm, I used chcon to set the sshd script to
> initrc_exec_t, rebooted, and I find I can log in under enforcing mode.
> The sshd process now has the sshd_t type, and my user also has the
> unconfined_u:unconfined_r:unconfined_t context, as I previously
> expected. The subsequent running of programs like Emacs is now no problem.
>
> I have some log related denials however, which I'll look into. Any
> pointers would be appreciated.

Looks like /dev/log is mislabelled for some reason. Does syslog run in the proper domain?
> Feb 5 09:13:41 mailer kernel: type=1400 audit(1296893621.240:3): avc: denied { write } for pid=945 comm="sshd" name="log" dev=devtmpfs ino=4929 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:device_t tclass=sock_file
> Feb 5 09:13:41 mailer kernel: type=1400 audit(1296893621.240:4): avc: denied { connectto } for pid=945 comm="sshd" path="/dev/log" scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:init_t tclass=unix_stream_socket
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
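To make the diagnosis above repeatable, here is a small triage script (an added example, not code from the thread or from refpolicy) that pulls the source type, target type, object class and permissions out of AVC lines like the two quoted and says which of the two usual labelling faults each one points at: a generic file label such as device_t or etc_t on the object, or a peer process still running in init_t because its init script never got an entry-point type. The sample lines are constructed from the quoted denials, re-joined onto single lines; it assumes only POSIX sh, sed and awk.

```shell
#!/bin/sh
# Added example (not from the thread): triage AVC denials of the kind quoted
# above. SAMPLE_AVC is constructed from the two denials in the post.
SAMPLE_AVC='type=1400 audit(1296893621.240:3): avc: denied { write } for pid=945 comm="sshd" name="log" dev=devtmpfs ino=4929 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:device_t tclass=sock_file
type=1400 audit(1296893621.240:4): avc: denied { connectto } for pid=945 comm="sshd" path="/dev/log" scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:init_t tclass=unix_stream_socket'

# avc_fields: stdin = raw AVC lines; stdout = "<src type> <tgt type> <class> <perms>"
avc_fields() {
    sed -n 's/.*avc: *denied *{ *\([^}]*\)}.*scontext=\([^ ]*\) *tcontext=\([^ ]*\) *tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    awk '{ split($1, s, ":"); split($2, t, ":")
           p = $4; for (i = 5; i <= NF; i++) p = p "," $i
           print s[3], t[3], $3, p }'
}

# avc_hint: stdin = avc_fields output; stdout = one diagnosis per denial.
# File classes with a generic target type mean the object itself is mislabelled;
# socket/process classes with an init_t peer mean the daemon never transitioned.
avc_hint() {
    while read -r src tgt cls perms; do
        case "$cls" in
        file|dir|lnk_file|chr_file|blk_file|sock_file|fifo_file)
            case "$tgt" in
            device_t|etc_t|default_t|unlabeled_t)
                echo "$src -> $tgt ($cls $perms): object carries a generic label; relabel it (restorecon -v <path>) and check the file-context rule for that path" ;;
            *)  echo "$src -> $tgt ($cls $perms): object label is specific; look at the policy for the source domain rather than at labels" ;;
            esac ;;
        process|unix_stream_socket|unix_dgram_socket|tcp_socket|udp_socket)
            case "$tgt" in
            init_t|initrc_t)
                echo "$src -> $tgt ($cls $perms): peer process still runs in $tgt, so no domain transition happened; check the label (ls -Z) of its init script and executable" ;;
            *)  echo "$src -> $tgt ($cls $perms): peer process is in its own domain; look at the policy rather than at labels" ;;
            esac ;;
        *)  echo "$src -> $tgt ($cls $perms): class not handled by this script" ;;
        esac
    done
}

# Run the triage over the constructed sample (used by the check below too).
triage_sample() { printf '%s\n' "$SAMPLE_AVC" | avc_fields | avc_hint; }

triage_sample
```

A chcon change such as the one used for the sshd script survives only until the next relabel; the persistent fix is a file-context rule for the non-standard /etc/rc.d path so that restorecon reproduces initrc_exec_t.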