Gentoo Archives: gentoo-hardened

From: Mike Edenfield <kutulu@××××××.org>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Cannot get openssh to set correct user contexts...
Date: Thu, 04 Oct 2007 21:46:07
Message-Id: 47055CC1.9090309@kutulu.org

I'm setting up a SELinux-based server, which I have done numerous times,
but for some reason I cannot get OpenSSH to set the correct user
contexts for staff logins.

Note that logins work fine at the console, so this is definitely an
OpenSSH problem. However, I've checked everything I can think of and
nothing is set wrong.

I have added myself as an SELinux login associated with the staff_u
user, and indeed when I log in at the console it puts me into staff_r

I've added myself as an SELinux login associated with staff_u:

Login Name                SELinux User

__default__               user_u
kutulu                    staff_u
root                      root
system_u                  system_u

But when I log in via ssh, I'm in the user_r role, and sestatus gives me
this:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        strict

Process contexts:
Current context:                user_u:user_r:user_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:sshd_t

File contexts:
Controlling term:               user_u:object_r:user_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/rc                        system_u:object_r:initrc_exec_t
/sbin/runscript.sh              system_u:object_r:initrc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/usr/sbin/unix_chkpwd           system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/sh                         system_u:object_r:bin_t ->
                                system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t ->
                                system_u:object_r:shlib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t ->
                                system_u:object_r:ld_so_t


I get no errors from ssh itself that would indicate an inability to get
the user context, and no audit messages that would indicate that
something went wrong with SELinux. I dunno what else to check. Can
anyone help me out here?

--Mike
--
gentoo-hardened@g.o mailing list

Replies

Subject Author
Re: [gentoo-hardened] Cannot get openssh to set correct user contexts... Chris PeBenito <pebenito@g.o>
Re: [gentoo-hardened] Cannot get openssh to set correct user contexts... Adam James <atj@××××××××××××××.uk>
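
Added example (not part of the original message or of any reply): a small shell check that looks up the SELinux user the login mapping table assigns to an account, falling back to the __default__ row, and compares it with the context a session actually received. The function names are hypothetical, and the sample table and context are constructed from the values quoted in the post.

```shell
#!/bin/sh
# Added example: compare the SELinux user a session received with the one
# the login mapping table assigns to the Linux account.

# Constructed sample input: the mapping table as quoted in the post.
SAMPLE_MAP='Login Name                SELinux User

__default__               user_u
kutulu                    staff_u
root                      root
system_u                  system_u'

# expected_seuser LOGIN: read a mapping table on stdin and print the SELinux
# user for LOGIN, falling back to the __default__ row when LOGIN has no entry.
expected_seuser() {
    awk -v login="$1" '
        NR == 1 || NF < 2   { next }          # skip header and blank lines
        $1 == login         { hit = $2 }
        $1 == "__default__" { dflt = $2 }
        END { print (hit != "" ? hit : dflt) }'
}

# context_user CONTEXT: first field of user:role:type[:level].
context_user() {
    printf '%s\n' "${1%%:*}"
}

# check_login LOGIN CONTEXT: mapping table on stdin.
# Prints a verdict; returns 0 on match, 1 on mismatch.
check_login() {
    map=$(cat)
    want=$(printf '%s\n' "$map" | expected_seuser "$1")
    dflt=$(printf '%s\n' "$map" | expected_seuser "__default__")
    got=$(context_user "$2")
    if [ "$got" = "$want" ]; then
        echo "OK: $1 -> $got"
        return 0
    fi
    if [ "$got" = "$dflt" ]; then
        echo "MISMATCH: $1 expected $want, got $got (the __default__ mapping)"
    else
        echo "MISMATCH: $1 expected $want, got $got"
    fi
    return 1
}

# Demo on the constructed sample and the ssh session context from the post.
# On a live system: semanage login -l | check_login "$(id -un)" "$(id -Z)"
printf '%s\n' "$SAMPLE_MAP" | check_login kutulu user_u:user_r:user_t || true
```

Run inside the ssh session and again at the console, the check shows which login path is handing out the fallback mapping instead of the account's own entry.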