[refpolicy] ssh issue with latest policy
vaclav.ovsik at i.cz
Thu Sep 11 07:50:25 CDT 2008
On Wed, Sep 10, 2008 at 12:32:31PM -0700, Justin Mattock wrote:
> I can't seem to locate the post you sent a few days ago
> about logging into ssh. Anyways, I finally got around to logging into
> my machines with both the latest kernel and refpolicy;
> there was difficulty due to having /etc/host and /etc/sysctl.conf
> variables in these files preventing me from logging in.
> So with that in mind, check and make sure those files
> are cleared of anything that might cause an error.
> As for the policy itself, they were both in permissive mode
> via boot param, so having /etc/selinux/config in enforcing
> didn't cause an obstruction for me.
> Hope this helps.
Maybe. And Hong has not replied yet as to whether he relabeled the file system. :)
I have tried to restart sshd with a nonsense context to show the problem
even in PERMISSIVE mode of SE Linux!
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 23
Policy from config file: default
sid:~# runcon sysadm_u:sysadm_r:sysadm_t:s0 /etc/init.d/ssh restart
sid:~# ps -H -Z -C sshd
LABEL PID TTY TIME CMD
sysadm_u:sysadm_r:sysadm_t:s0 1944 ? 00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1808 ? 00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1810 ? 00:00:00 sshd
That is the new parent sshd process, running as sysadm_u:sysadm_r:sysadm_t:s0.
zito at bobek:~$ ssh sid
Read from remote host sid: Connection reset by peer
Connection to sid closed.
sid:~# tail -2 /var/log/syslog
Sep 11 14:32:18 sid kernel: [ 649.880210] sshd: segfault at 2 ip b7ad5cea sp bfc2b04c error 4 in libc-2.7.so[b7a60000+155000]
Sep 11 14:32:18 sid kernel: [ 649.883080] type=1701 audit(1221136338.451:27): auid=4294967295 uid=1000 gid=1000 ses=4294967295 subj=sysadm_u:sysadm_r:sysadm_t:s0 pid=1954 comm="sshd" sig=11
This is mature enough for a bug report on OpenSSH.
Conclusion: Running SE Linux in permissive mode can't save you from
all SE Linux problems every time! (in most cases yes, of course :)
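The mail above shows the failure mode: a daemon restarted from an admin shell inherits the admin's domain (sysadm_t instead of sshd_t), and permissive mode does not help because the daemon itself queries SELinux and misbehaves. The defensive counterpart is to confirm, after any manual restart, that the daemon landed in its expected domain. The following check is an added example, not code from the original mail or from refpolicy; the function names `check_domains` and `mislabelled_sshd` are my own, and the sample `ps` listing is the one quoted in the mail, embedded here as constructed input so the script runs without SELinux. It generalizes to any daemon: feed it `ps -Z -C <cmd>` output and the type the policy expects for that command.

```shell
#!/bin/sh
# Added example (not part of the original mail): report processes whose
# SELinux domain differs from the type the policy expects for them.
# Input is the output of `ps -Z -C <cmd>` (columns: LABEL PID TTY TIME CMD).

# check_domains EXPECTED_TYPE  < ps-output
# Prints "PID CONTEXT" for every process whose type (third colon-separated
# component of the context) is not EXPECTED_TYPE. Returns 1 if any were
# found, 0 if every process is in the expected domain.
check_domains() {
    expected="$1"
    found=0
    while read -r label pid tty ptime cmd; do
        # Skip the ps header line.
        [ "$label" = "LABEL" ] && continue
        # sysadm_u:sysadm_r:sysadm_t:s0 -> sysadm_t
        dom=$(printf '%s' "$label" | cut -d: -f3)
        if [ "$dom" != "$expected" ]; then
            printf '%s %s\n' "$pid" "$label"
            found=1
        fi
    done
    return $found
}

# Constructed sample: the `ps -H -Z -C sshd` listing from the mail, with the
# parent sshd wrongly in sysadm_t and two children correctly in sshd_t.
SAMPLE_PS='LABEL PID TTY TIME CMD
sysadm_u:sysadm_r:sysadm_t:s0 1944 ? 00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1808 ? 00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1810 ? 00:00:00 sshd'

# Run the check against the constructed sample, expecting sshd_t.
mislabelled_sshd() {
    printf '%s\n' "$SAMPLE_PS" | check_domains sshd_t
}

# On a live system the same check is:  ps -Z -C sshd | check_domains sshd_t
mislabelled_sshd
```

The mismatch reported here (PID 1944 in sysadm_t) is exactly the process that later segfaults in the mail. In refpolicy the intended way to avoid it is to start services from an admin shell through run_init, which performs the transition into system_r, rather than through runcon or a plain init-script invocation.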