Hi Chris,

Thanks for your helpful reply. Please see responses, below. I'll experiment
and define the problem more precisely. But, to do so, I must have keyboard
access. Breaking SSH is inconvenient when you're working remotely <g>.

Cheers,

--On Thursday, April 01, 2004 7:52 PM -0600 Chris PeBenito
<pebenito@g.o> wrote:

> On Tue, 2004-03-30 at 17:10, Bill McCarty wrote:
>>
>> neverallow ~{ auth auth_write } shadow_t:file ~getattr;
>
> This forces shadow access to only be through PAM, with few exceptions.
>
>> To log in via SSH and become the system administrator, I find that I
>> must add the following permissions, which contradict the constraint:
>>
>> allow sshd_t shadow_t:file { getattr read };
>> allow sysadm_su_t shadow_t:file { getattr read };
>
> I've not seen this. It seems like you don't have >=pam-0.77 installed,
> since it affects sshd and su.

Good hypothesis, but it doesn't seem to be the case, unless I should have
pam-0.77-r1 rather than merely pam-0.77:

emerge -pv pam pam-login

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild R ] sys-libs/pam-0.77 +berkdb -pwdb +selinux 0 kB
[ebuild R ] sys-apps/pam-login-3.14 -nls +selinux 0 kB

Total size of downloads: 0 kB

I tried eliminating the policy:

allow sysadm_su_t shadow_t:file { getattr read };

When I do so, the su command works normally. But, when I try to log in via
SSH, I fail to get a command prompt. Instead, I get the message:

Server refused to allocate pty

This system was originally a non-SELinux system running devfs. Could I have
screwed up by compiling something while devfs was still active, or
otherwise have failed to perform some conversion step? I wonder....


>> I tried to investigate the auth type, but can't find where it's defined.
>
> It is an attribute, see attrib.te.

Doh! Yes, I subsequently found this <g>.

---------------------------------------------------
Bill McCarty, Ph.D.
Professor of Information Technology
Azusa Pacific University



--
gentoo-hardened@g.o mailing list
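The `neverallow` discussed in the thread is a set constraint: every source type outside the `auth` and `auth_write` attributes is denied every `file` permission on `shadow_t` except `getattr`, which is why an `allow` granting `read` to `sshd_t` or `sysadm_su_t` contradicts it. The Python checker below is an added example, not code from the thread or from the Gentoo policy; it parses this restricted subset of policy syntax and reports which `allow` rules overlap a `neverallow`, which is the assertion checkpolicy enforces when the policy is compiled. The attribute membership (which domains carry `auth`/`auth_write`), the type universe and the `file` permission list are constructed assumptions chosen so that `sshd_t` and `sysadm_su_t` lack `auth`, matching the situation the poster describes; `check_thread_policy` also lets you see the constraint satisfied by treating extra domains as `auth` members.

```python
import re
from dataclasses import dataclass

# Tokens of the restricted policy syntax handled here: punctuation and identifiers.
TOKEN = re.compile(r"[{};:~]|[A-Za-z_][A-Za-z0-9_]*")


@dataclass(frozen=True)
class Rule:
    kind: str            # "allow" or "neverallow"
    source: frozenset    # type or attribute names on the source side
    neg_source: bool     # True when the set was written with a leading ~
    target: frozenset
    neg_target: bool
    tclass: str          # object class, e.g. "file"
    perms: frozenset
    neg_perms: bool


def parse_set(tokens, i):
    """Parse `name`, `{ a b ... }`, or either form prefixed by `~`.
    Returns (names, negated, index of the next unread token)."""
    negated = tokens[i] == "~"
    if negated:
        i += 1
    if tokens[i] == "{":
        i += 1
        names = set()
        while tokens[i] != "}":
            names.add(tokens[i])
            i += 1
        return frozenset(names), negated, i + 1
    return frozenset([tokens[i]]), negated, i + 1


def parse_rules(text):
    """Parse `allow`/`neverallow SRC TGT:CLASS PERMS;` statements into Rule objects."""
    tokens = TOKEN.findall(text)
    rules, i = [], 0
    while i < len(tokens):
        kind = tokens[i]
        if kind not in ("allow", "neverallow"):
            raise ValueError(f"unsupported statement: {kind}")
        src, neg_src, i = parse_set(tokens, i + 1)
        tgt, neg_tgt, i = parse_set(tokens, i)
        if tokens[i] != ":":
            raise ValueError("expected ':' after target")
        tclass = tokens[i + 1]
        perms, neg_perms, i = parse_set(tokens, i + 2)
        if tokens[i] != ";":
            raise ValueError("expected ';' at end of rule")
        i += 1
        rules.append(Rule(kind, src, neg_src, tgt, neg_tgt, tclass, perms, neg_perms))
    return rules


def resolve(names, negated, attributes, universe):
    """Expand attribute names to their member types; a leading ~ means
    the complement of that set within the given universe."""
    members = set()
    for name in names:
        members |= attributes.get(name, {name})
    return universe - members if negated else members


def find_violations(rules, attributes, all_types, class_perms):
    """Report each allow rule that grants something a neverallow forbids,
    as (allow rule, offending source types, offending permissions)."""
    violations = []
    for nv in (r for r in rules if r.kind == "neverallow"):
        nv_src = resolve(nv.source, nv.neg_source, attributes, all_types)
        nv_tgt = resolve(nv.target, nv.neg_target, attributes, all_types)
        nv_perms = resolve(nv.perms, nv.neg_perms, {}, class_perms[nv.tclass])
        for al in (r for r in rules if r.kind == "allow" and r.tclass == nv.tclass):
            src = resolve(al.source, al.neg_source, attributes, all_types) & nv_src
            tgt = resolve(al.target, al.neg_target, attributes, all_types) & nv_tgt
            perms = resolve(al.perms, al.neg_perms, {}, class_perms[al.tclass]) & nv_perms
            if src and tgt and perms:
                violations.append((al, sorted(src), sorted(perms)))
    return violations


# Constructed policy fragment: the neverallow from the thread, the two allow
# rules the poster had to add, plus two rules that do NOT violate it.
POLICY = """
neverallow ~{ auth auth_write } shadow_t:file ~getattr;
allow sshd_t shadow_t:file { getattr read };
allow sysadm_su_t shadow_t:file { getattr read };
allow local_login_t shadow_t:file { getattr read };
allow sshd_t shadow_t:file getattr;
"""
# Assumed attribute membership, type universe and permission list (not taken
# from any real policy): sshd_t and sysadm_su_t deliberately lack `auth`.
ATTRIBUTES = {"auth": {"local_login_t", "pamd_t"}, "auth_write": {"passwd_t"}}
ALL_TYPES = {"sshd_t", "sysadm_su_t", "local_login_t", "pamd_t", "passwd_t", "shadow_t"}
CLASS_PERMS = {"file": {"getattr", "read", "write", "open", "ioctl"}}


def check_thread_policy(extra_auth=()):
    """Return (source types, offending perms) for each violating allow rule;
    `extra_auth` names domains to treat as carrying the auth attribute."""
    attrs = {k: set(v) for k, v in ATTRIBUTES.items()}
    attrs["auth"] |= set(extra_auth)
    rules = parse_rules(POLICY)
    return [(src, perms) for _, src, perms in
            find_violations(rules, attrs, ALL_TYPES, CLASS_PERMS)]
```

Calling `check_thread_policy()` flags the `sshd_t` and `sysadm_su_t` rules for the `read` permission only, since `getattr` is carved out by `~getattr`, and leaves the `local_login_t` rule alone because that domain is an `auth` member; `check_thread_policy(["sshd_t", "sysadm_su_t"])` returns no violations, which is the shape of the fix the constraint is steering toward (shadow access through an `auth` domain rather than extra `allow` rules).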