Gentoo Archives: gentoo-hardened

From: Jochen Kuhnle <jochen@××××××.net>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Problems with ssh and PubKeyAuthentication after conversion
Date: Fri, 21 Sep 2007 14:00:21
Message-Id: fd0i5k$mgt$1@sea.gmane.org
Hi,

I converted my Gentoo installation to SELinux according to the manual
(hardened-kernel-2.6.22-r3, targeted). When I login as root with ssh
and public key auth, my active context is
"root:sysadm_r:system_chkpwd_t". In order to get full access, I have to
do "newrole -r sysadm_r -t sysadm_t", which changes me to context
"root:sysadm_r:unconfined_t".

Is there a way to have my shell directly enter this context, so I don't
have to do the "newrole" and enter my root password?

In the archive I found that adding this to the local policy could help,
but it did not work:

require {
    type sshd_t;
}
unconfined_shell_domtrans(sshd_t);

Regards,
Jochen
23
sestatus -v:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted

Process contexts:
Current context: root:sysadm_r:system_chkpwd_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:sshd_t

File contexts:
Controlling term: root:object_r:sshd_devpts_t
/sbin/init system_u:object_r:init_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/bin/login system_u:object_r:login_exec_t
/sbin/rc system_u:object_r:initrc_exec_t
/sbin/runscript.sh system_u:object_r:initrc_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/usr/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash system_u:object_r:shell_exec_t
/usr/bin/newrole system_u:object_r:newrole_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t

--
gentoo-hardened@g.o mailing list
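The post's diagnosis rests on reading the "Current context" line of `sestatus -v` and noticing that the login shell's type is system_chkpwd_t rather than the admin shell type. The following POSIX shell script is an added example, not code from the original post or from Gentoo: it parses `sestatus -v` output, pulls out the type component of the current process context, and reports whether it matches an expected type, so the check can be scripted after each policy change instead of read by eye. The sample output embedded below is constructed from the lines quoted in the post; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the post): check which SELinux type an ssh login
# shell landed in, using `sestatus -v` output.

# Print the type component of a security context string, i.e. the third
# colon-separated field of user:role:type[:range].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `sestatus -v` text on stdin and print the value of the line whose
# label is $1 (for example "Current context"). Only the first "label:" is
# stripped, because the context value itself contains colons.
sestatus_field() {
    awk -v label="$1" '
        index($0, label ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }
    '
}

# Compare the type of the current process context (read from stdin) with the
# type expected for an interactive admin shell. Prints the actual type and
# returns 0 on a match, 1 otherwise.
check_shell_type() {
    expected="$1"
    ctx=$(sestatus_field "Current context")
    actual=$(context_type "$ctx")
    printf '%s\n' "$actual"
    [ "$actual" = "$expected" ]
}

# Constructed sample, taken from the `sestatus -v` lines quoted in the post.
SAMPLE_SESTATUS='SELinux status: enabled
Current mode: permissive
Process contexts:
Current context: root:sysadm_r:system_chkpwd_t
Init context: system_u:system_r:init_t
/usr/sbin/sshd system_u:system_r:sshd_t'

# Usage: on a live host pipe `sestatus -v` in instead of the sample. With the
# sample the check fails, reproducing what the post describes.
printf '%s\n' "$SAMPLE_SESTATUS" | check_shell_type sysadm_t \
    || echo "login shell is not in sysadm_t"
```

The expected type to pass depends on the policy in use; the post shows newrole moving the session to unconfined_t under the targeted policy, so that is the value to check against there.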