I'm setting up a SELinux-based server, which I have done numerous times,
but for some reason I cannot get OpenSSH to set the correct user
contexts for staff logins.

Note that logins work fine at the console, so this is definitely an
OpenSSH problem. However, I've checked everything I can think of and
nothing is set wrong.

I have added myself as an SELinux login associated with the staff_u
user, and indeed when I log in at the console it puts me into staff_r:

    Login Name                SELinux User

    __default__               user_u
    kutulu                    staff_u
    root                      root
    system_u                  system_u

But when I log in via ssh, I'm in the user_r role, and sestatus gives me
this:

    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   permissive
    Mode from config file:          permissive
    Policy version:                 21
    Policy from config file:        strict

    Process contexts:
    Current context:                user_u:user_r:user_t
    Init context:                   system_u:system_r:init_t
    /sbin/agetty                    system_u:system_r:getty_t
    /usr/sbin/sshd                  system_u:system_r:sshd_t

    File contexts:
    Controlling term:               user_u:object_r:user_devpts_t
    /sbin/init                      system_u:object_r:init_exec_t
    /sbin/agetty                    system_u:object_r:getty_exec_t
    /bin/login                      system_u:object_r:login_exec_t
    /sbin/rc                        system_u:object_r:initrc_exec_t
    /sbin/runscript.sh              system_u:object_r:initrc_exec_t
    /usr/sbin/sshd                  system_u:object_r:sshd_exec_t
    /usr/sbin/unix_chkpwd           system_u:object_r:chkpwd_exec_t
    /etc/passwd                     system_u:object_r:etc_t
    /etc/shadow                     system_u:object_r:shadow_t
    /bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
    /bin/bash                       system_u:object_r:shell_exec_t
    /usr/bin/newrole                system_u:object_r:newrole_exec_t
    /lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:shlib_t
    /lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t

I get no errors from ssh itself that would indicate an inability to get
the user context, and no audit messages that would indicate that
something went wrong with SELinux. I don't know what else to check. Can
anyone help me out here?

--Mike
--
gentoo-hardened@g.o mailing list
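Added example, not part of Mike's post or of any Gentoo or OpenSSH code: the script below replays, offline, the lookup chain that pam_selinux/libselinux walk when sshd starts a login shell, so the expected context for a login can be compared with what sshd actually produced. It works on constructed copies of the files a strict policy keeps under /etc/selinux/strict (the seusers file in login:seuser form and contexts/default_contexts plus contexts/users/<seuser>, each line being a source context followed by role:type pairs in preference order), plus two constructed /etc/pam.d/sshd variants. The file contents, the role sets in roles_of, and the fixture directory layout are assumptions for the demo; real libselinux matches the full role:type of the calling process rather than only the type suffix matched here.

```shell
#!/bin/sh
# Added example, not from the original post: replay offline the lookup that
# pam_selinux/libselinux perform when sshd starts a login shell, on constructed
# copies of a strict policy's seusers and contexts files. Formats follow
# /etc/selinux/<policy>/seusers (login:seuser[:range]) and
# contexts/default_contexts (source context, then role:type pairs in
# preference order); contents and role sets below are constructed.

# login -> SELinux user, falling back to __default__ like getseuserbyname().
seuser_for_login() {
    login=$1 seusers=$2
    hit=$(awk -F: -v l="$login" '/^#/ {next} $1==l {print $2; exit}' "$seusers")
    [ -n "$hit" ] || hit=$(awk -F: '/^#/ {next} $1=="__default__" {print $2; exit}' "$seusers")
    printf '%s\n' "$hit"
}

# Roles each SELinux user holds in this constructed policy (assumption for the
# demo). On a live system read them from the policy, e.g.: seinfo -u staff_u -x
roles_of() {
    case $1 in
        staff_u) echo 'staff_r sysadm_r' ;;
        user_u)  echo 'user_r' ;;
        root)    echo 'staff_r sysadm_r' ;;
        *)       echo '' ;;
    esac
}

# Context a login of SELinux user $1, spawned by a process of type $2 (sshd_t),
# gets from $3/users/$1 (the per-user file wins) or $3/default_contexts: the
# first role:type pair on the matching line whose role the user may hold.
context_for() {
    seuser=$1 source_type=$2 ctxdir=$3
    allowed=$(roles_of "$seuser")
    f="$ctxdir/users/$seuser"
    [ -r "$f" ] || f="$ctxdir/default_contexts"
    line=$(awk -v t=":$source_type" '/^#/ {next} $1 ~ (t "$") {print; exit}' "$f")
    if [ -z "$line" ]; then
        printf 'no %s entry in %s\n' "$source_type" "$f" >&2
        return 1
    fi
    set -- $line
    shift                       # drop the source context, keep the role:type pairs
    for pair in "$@"; do
        role=${pair%%:*}
        case " $allowed " in
            *" $role "*) printf '%s:%s\n' "$seuser" "$pair"; return 0 ;;
        esac
    done
    printf '%s holds none of the roles on: %s\n' "$seuser" "$line" >&2
    return 1
}

# End to end: the context an ssh login as $1 should land in, given fixture dir $2.
expected_ssh_context() {
    context_for "$(seuser_for_login "$1" "$2/seusers")" sshd_t "$2/contexts"
}

# sshd only asks libselinux for a user context through pam_selinux, so the
# sshd PAM stack needs an active (uncommented) pam_selinux.so session line.
pam_has_selinux() {
    grep -Eq '^[^#]*pam_selinux\.so' "$1"
}

# Constructed fixture mirroring the post: kutulu -> staff_u, others -> user_u.
make_fixture() {
    d=$1
    mkdir -p "$d/contexts/users" "$d/pam.d"
    printf '%s\n' 'kutulu:staff_u' 'root:root' '__default__:user_u' > "$d/seusers"
    printf '%s\n' \
        'system_u:system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t' \
        'system_u:system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t' \
        > "$d/contexts/default_contexts"
    printf '%s\n' 'system_u:system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t' \
        > "$d/contexts/users/staff_u"
    printf '%s\n' 'auth    required pam_unix.so' \
        'session required pam_selinux.so close' \
        'session required pam_selinux.so open' > "$d/pam.d/sshd.ok"
    printf '%s\n' 'auth    required pam_unix.so' \
        '#session required pam_selinux.so open' > "$d/pam.d/sshd.bad"
}

# Stand-alone demo on the constructed fixture.
FIX=$(mktemp -d)
make_fixture "$FIX"
for l in kutulu nobody; do
    printf '%-8s via sshd -> %s\n' "$l" "$(expected_ssh_context "$l" "$FIX")"
done
pam_has_selinux "$FIX/pam.d/sshd.ok"  && echo 'sshd.ok : pam_selinux active'
pam_has_selinux "$FIX/pam.d/sshd.bad" || echo 'sshd.bad: pam_selinux missing, sshd never asks for a user context'
rm -rf "$FIX"
```

Against the fixture, kutulu resolves to staff_u:staff_r:staff_t and an unmapped login to user_u:user_r:user_t, which is exactly the split the post reports between console and ssh. Pointing the same functions at a real policy directory (seusers and contexts under /etc/selinux/strict, and the live /etc/pam.d/sshd) turns the script into the comparison to make: if the files predict staff_r but the ssh session gets user_r, the running sshd is not consulting them as expected, and the pam_selinux line in sshd's PAM stack (together with UsePAM in sshd_config) is the first thing to verify.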