In the future please try to remember to prefix selinux threads with the
subject line of (selinux) or the likes. The hardened project has many
sub-projects and our development time is a precious thing.

The same would and should apply for the (grsec) & (rsbac) users.

thanks in advance.

On Thu, 2004-09-09 at 11:43, Peter Buettner wrote:
> Hello,
>
> I performed a stage1 install from the hardened gentoo CD. Installation works fine and without problems.
>
> But with the loaded policy it is not possible to do newrole -r or su - from a normal user account.
>
> sysop@access sysop $ newrole -r sysadm_r
> Authenticating sysop.
> Password:
> newrole: incorrect password for sysop
>
> sysop@access sysop $ su -
> Password:
> su: Authentication failure
> Sorry.
>
> Is this the normal behavior of the policy or have I done something wrong?
>
> How can I change this behavior if all is right?
>
> I have tried a different default_contexts file, but the behavior did not change.
>
> I am used to disabling root access in sshd so that I have to login as a normal user and su to root for administration.
>
> Some settings:
>
> access policy # uname -a
> Linux access 2.6.5-hardened-r5 #3 SMP Thu Jun 24 14:33:31 CEST 2004 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
>
> users:
>
> # seuser
> # This file created automatically by seuser on Thu Jul 29 14:52:17 2004
>
> #
> # user file
>
> user system_u roles { system_r } ;
> user user_u roles { user_r } ;
> user root roles { sysadm_r staff_r } ;
> user sysop roles { sysadm_r staff_r } ;
> user sudevel roles { staff_r user_r } ;
> user test roles { user_r staff_r } ;
> user operator roles { user_r staff_r };
>
> default_contexts:
>
> system_r:sulogin_t sysadm_r:sysadm_t
> system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
> system_r:remote_login_t user_r:user_t staff_r:staff_t
> system_r:sshd_t user_r:user_t staff_r:staff_t
> system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mai$
> system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
> staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
> sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
> user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
> sysadm_r:sudo_t sysadm_r:sysadm_t
> staff_r:sudo_t sysadm_r:sysadm_t staff_r:staff_t
> user_r:sudo_t sysadm_r:sysadm_t user_r:user_t
>
> sestatus -v:
>
> access security # sestatus -v
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Policy version: 17
>
> Policy booleans:
> user_ping inactive
>
> Process contexts:
> Current context: root:sysadm_r:sysadm_t
> Init context: system_u:system_r:init_t
> /sbin/agetty system_u:system_r:getty_t
> /usr/sbin/sshd system_u:system_r:sshd_t
>
> File contexts:
> Controlling term: root:object_r:sysadm_devpts_t
> /etc/passwd system_u:object_r:etc_t
> /etc/shadow system_u:object_r:shadow_t
> /bin/bash system_u:object_r:shell_exec_t
> /bin/login system_u:object_r:login_exec_t
> /bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
> /sbin/agetty system_u:object_r:getty_exec_t
> /sbin/init system_u:object_r:init_exec_t
> /usr/sbin/sshd system_u:object_r:sshd_exec_t
> /lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
> /lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
>
> Thank you for any help.
>
> Kind regards
>
> Peter Büttner
>
> -------------------------------------------------
> Personal WLAN GmbH http://www.personalwlan.de
> Große Elbstraße 145a
> 22767 Hamburg
>
> Tel.: 040/888855-25
> Fax : 040/888855-55
> Mail: pb@××××××××××××.de
> -------------------------------------------------
>
> --
> gentoo-hardened@g.o mailing list
--
Ned Ludd <solar@g.o>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer
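As an added example that is not part of the thread, a small Python checker that parses the `users` and `default_contexts` formats quoted in Peter's mail and lists the contexts a login program (sshd, su) may pick for a given SELinux user, so an admin can confirm whether the role lists themselves explain a failed newrole or su before looking at PAM or the audit log. The sample input is the thread's own data, re-typed here; the truncated crond line is left out.

```python
import re

# Constructed input: the `users` and `default_contexts` lines quoted in the
# thread (the crond line is left out because it is truncated in the mail).
USERS_FILE = """\
user system_u roles { system_r } ;
user user_u roles { user_r } ;
user root roles { sysadm_r staff_r } ;
user sysop roles { sysadm_r staff_r } ;
user sudevel roles { staff_r user_r } ;
user test roles { user_r staff_r } ;
user operator roles { user_r staff_r };
"""
DEFAULT_CONTEXTS = """\
system_r:sulogin_t sysadm_r:sysadm_t
system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:sshd_t user_r:user_t staff_r:staff_t
staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
"""

# `user NAME roles { r1 r2 ... } ;` -- the trailing `;` may follow `}` directly
USER_RE = re.compile(r"^\s*user\s+(\S+)\s+roles\s*\{([^}]*)\}\s*;")

def parse_users(text):
    """Map each SELinux user to the set of roles the users file grants it."""
    users = {}
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = set(m.group(2).split())
    return users

def parse_default_contexts(text):
    """Map a source role:type to its ordered list of (role, type) defaults."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            table[parts[0]] = [tuple(p.split(":")) for p in parts[1:]]
    return table

def candidate_contexts(users, table, seuser, source):
    """Contexts a program running as `source` may pick for `seuser`:
    default_contexts order, keeping only roles the users file grants.
    An empty list means no usable default exists for that transition."""
    allowed = users.get(seuser, set())
    return [(r, t) for r, t in table.get(source, []) if r in allowed]

def role_authorised(users, seuser, role):
    """Whether the users file permits `seuser` to hold `role` at all."""
    return role in users.get(seuser, set())
```

For sysop the checker yields staff_r:staff_t from sshd_t and both staff_r:staff_t and sysadm_r:sysadm_t from staff_su_t, so the role lists do allow the requested transition; the "incorrect password" must then come from the authentication step rather than from the role authorisation.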