List Archive: gentoo-hardened
Hi,
I converted my Gentoo installation to SELinux according to the manual
(hardened-kernel-2.6.22-r3, targeted). When I log in as root with ssh
and public key auth, my active context is
"root:sysadm_r:system_chkpwd_t". In order to get full access, I have to
do "newrole -r sysadm_r -t sysadm_t", which changes me to context
"root:sysadm_r:unconfined_t".
Is there a way to have my shell directly enter this context, so I don't
have to do the "newrole" and enter my root password?
In the archive I found that adding this to the local policy could help,
but it did not work:
require {
    type sshd_t;
}
unconfined_shell_domtrans(sshd_t);
Regards,
Jochen
sestatus -v:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted
Process contexts:
Current context: root:sysadm_r:system_chkpwd_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:sshd_t
File contexts:
Controlling term: root:object_r:sshd_devpts_t
/sbin/init system_u:object_r:init_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/bin/login system_u:object_r:login_exec_t
/sbin/rc system_u:object_r:initrc_exec_t
/sbin/runscript.sh system_u:object_r:initrc_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/usr/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash system_u:object_r:shell_exec_t
/usr/bin/newrole system_u:object_r:newrole_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
--
gentoo-hardened@g.o mailing list
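Added example, not part of the post above: a small Python check that parses `sestatus -v` output like the one quoted and flags the two things worth noticing in it, a login shell that did not land in an administrative domain (here system_chkpwd_t, the unix_chkpwd helper's domain, instead of sysadm_t or unconfined_t) and a system still in permissive mode. The sample text is constructed from the post's output, and the set of acceptable admin shell domains is an assumption.

```python
# Constructed sample modelled on the `sestatus -v` output quoted in the post;
# real sestatus prints a symlink entry on one line as "ctx -> ctx".
SAMPLE = """\
SELinux status:          enabled
Current mode:            permissive
Mode from config file:   permissive
Policy from config file: targeted
Process contexts:
Current context:         root:sysadm_r:system_chkpwd_t
Init context:            system_u:system_r:init_t
/usr/sbin/sshd           system_u:system_r:sshd_t
File contexts:
Controlling term:        root:object_r:sshd_devpts_t
/bin/sh                  system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                system_u:object_r:shell_exec_t
"""
# Assumption: the domains an administrative login shell is expected to land in.
ADMIN_SHELL_DOMAINS = {"sysadm_t", "unconfined_t"}

def parse_sestatus(text):
    """Split `sestatus -v` text into (settings, process ctxs, file ctxs) dicts;
    a symlink entry ("a -> b") keeps the resolved target context."""
    settings, procs, files = {}, {}, {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line == "Process contexts:":
            section = procs
        elif line == "File contexts:":
            section = files
        elif line.startswith("/"):
            path, *_, ctx = line.split()   # "/path ctx" or "/path ctx -> ctx"
            section[path] = ctx
        elif line:
            label, _, ctx = line.partition(":")
            (settings if section is None else section)[label.strip()] = ctx.strip()
    return settings, procs, files

def audit_login_context(text):
    """List what is wrong with the session that `sestatus -v` output describes."""
    settings, procs, _ = parse_sestatus(text)
    findings = []
    mode = settings.get("Current mode")
    if mode != "enforcing":
        findings.append("mode is %s: denials are only logged, not enforced" % mode)
    dom = procs["Current context"].split(":")[2]   # user:role:type[:range]
    if dom not in ADMIN_SHELL_DOMAINS:
        findings.append("login shell runs in %s, not an admin shell domain" % dom)
    return findings
```

Run `audit_login_context(SAMPLE)` to get both findings for the quoted session; feeding it the output of a session whose shell did transition to sysadm_t on an enforcing box returns an empty list.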