[refpolicy] ssh issue with latest policy

Václav Ovsík vaclav.ovsik at i.cz
Thu Sep 11 07:50:25 CDT 2008 

On Wed, Sep 10, 2008 at 12:32:31PM -0700, Justin Mattock wrote:
> Hong,
> I cant seem to locate the post you sent a few days ago
> about logging into ssh. anyways I finally got around to logging into
> my machines with both the latest kernel and refpolicy;
> there was difficulty due to having /etc/host and /etc/sysctl.conf
> variables in these files preventing me from logging in.
> So with that in mind check and make sure those files
> are cleared of anything that might cause an error.
> As for the policy itself they were both in permissive mode
> via boot param, so having /etc/selinux/config in enforcing
> didnt cause an ubstruction for me.
> hope this helps.

May be. And Hong not replied yet if he did relabel the file system. :)

I have tried to restart sshd with nonsense context to show the problem
even with PERMISSIVE mode of SE Linux!

sid:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        default

sid:~# runcon sysadm_u:sysadm_r:sysadm_t:s0 /etc/init.d/ssh restart

sid:~# ps -H -Z -C sshd
LABEL                             PID TTY          TIME CMD
sysadm_u:sysadm_r:sysadm_t:s0    1944 ?        00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1808 ? 00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1810 ? 00:00:00   sshd

That is the new parent process sshd running with sysadm_u:sysadm_r:sysadm_t:s0.

zito at bobek:~$ ssh sid
Read from remote host sid: Connection reset by peer
Connection to sid closed.

sid:~# tail -2 /var/log/syslog
Sep 11 14:32:18 sid kernel: [  649.880210] sshd[1954]: segfault at 2 ip b7ad5cea sp bfc2b04c error 4 in libc-2.7.so[b7a60000+155000]
Sep 11 14:32:18 sid kernel: [  649.883080] type=1701 audit(1221136338.451:27): auid=4294967295 uid=1000 gid=1000 ses=4294967295 subj=sysadm_u:sysadm_r:sysadm_t:s0 pid=1954 comm="sshd" sig=11


This is mature for bug report on openssh.
Conclusion: Running SE Linux in permissive mode can't prevent you from
all SE Linux problems every time! (in most cases yes of course :)

-- 
Zito

More information about the refpolicy mailing list