Hi,

I converted my Gentoo installation to SELinux according to the manual
(hardened-kernel-2.6.22-r3, targeted). When I log in as root with ssh
and public key auth, my active context is
"root:sysadm_r:system_chkpwd_t". In order to get full access, I have to
do "newrole -r sysadm_r -t sysadm_t", which changes me to context
"root:sysadm_r:unconfined_t".

Is there a way to have my shell directly enter this context, so I don't
have to do the "newrole" and enter my root password?

In the archive I found that adding this to the local policy could help,
but it did not work:

require {
	type sshd_t;
}
unconfined_shell_domtrans(sshd_t);

Regards,
Jochen

sestatus -v:
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted

Process contexts:
Current context:                root:sysadm_r:system_chkpwd_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:sshd_t

File contexts:
Controlling term:               root:object_r:sshd_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/rc                        system_u:object_r:initrc_exec_t
/sbin/runscript.sh              system_u:object_r:initrc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/usr/sbin/unix_chkpwd           system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t


-- 
gentoo-hardened@g.o mailing list
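The mail above asks why adding an allow rule for sshd_t does not change the context an ssh login lands in. The following is an added example, not code from the mail, from Gentoo or from libselinux: it models how libselinux's get_ordered_context_list() picks the login context a daemon such as sshd asks for. The kernel first reports which full contexts the SELinux user can reach from the caller's context (security_compute_user); the contexts/users/<seuser> file and contexts/default_contexts then only order those candidates, and the first listed one that is reachable wins. The default_contexts text, the "reachable" sets and the assumption that root is authorised for sysadm_r and staff_r only are all constructed for the example; MLS fields and the users/ directory precedence are left out.

```shell
#!/bin/sh
# Added example (not from the original mail, Gentoo or libselinux): a model
# of how the login context requested by sshd is chosen. The kernel decides
# which contexts are reachable (security_compute_user); default_contexts
# only orders them. All data below is constructed sample data.

# Constructed default_contexts in the old role:type form (no MLS field, as
# in a 2007-era targeted policy). Column 1 is the caller's role:type.
DEFAULT_CONTEXTS='# caller            candidates, in order of preference
system_r:sshd_t        sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
system_r:local_login_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
system_r:xdm_t         user_r:user_t'

# Constructed result of security_compute_user() for SELinux user root from
# system_r:sshd_t. Assumption: root is authorised for sysadm_r and staff_r only.
REACHABLE_ROOT='root:sysadm_r:sysadm_t root:staff_r:staff_t'

# pick_login_context CALLER SEUSER REACHABLE CONTEXTS_TEXT
#   CALLER        role:type of the calling daemon, e.g. system_r:sshd_t
#   SEUSER        SELinux user name
#   REACHABLE     space-separated full contexts the kernel allows for SEUSER
#   CONTEXTS_TEXT contents of default_contexts (or a users/<seuser> file)
# Prints the first role:type on the matching line that is also reachable;
# prints nothing when no candidate qualifies (the login would then fail).
pick_login_context() {
    caller=$1 seuser=$2 reachable=$3 contexts=$4
    printf '%s\n' "$contexts" | awk -v caller="$caller" -v seuser="$seuser" -v reachable="$reachable" '
        BEGIN { n = split(reachable, r, " "); for (i = 1; i <= n; i++) ok[r[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }
        $1 == caller {
            for (i = 2; i <= NF; i++)
                if ((seuser ":" $i) in ok) { print $i; exit }
            exit   # matching line, but nothing on it is reachable
        }'
}

# Demonstration: with the data above an ssh login for root lands in
# sysadm_r:sysadm_t; via xdm_t root gets nothing, because user_r is the only
# candidate and root is not authorised for it.
printf 'sshd -> %s\n' "$(pick_login_context system_r:sshd_t root "$REACHABLE_ROOT" "$DEFAULT_CONTEXTS")"
printf 'xdm  -> %s\n' "$(pick_login_context system_r:xdm_t root "$REACHABLE_ROOT" "$DEFAULT_CONTEXTS")"

# Listing sysadm_r:unconfined_t first in default_contexts changes nothing
# unless the policy also makes root:sysadm_r:unconfined_t reachable.
PREFER_UNCONFINED='system_r:sshd_t sysadm_r:unconfined_t sysadm_r:sysadm_t'
printf 'unconfined listed, not reachable -> %s\n' \
    "$(pick_login_context system_r:sshd_t root "$REACHABLE_ROOT" "$PREFER_UNCONFINED")"
printf 'unconfined listed and reachable  -> %s\n' \
    "$(pick_login_context system_r:sshd_t root "$REACHABLE_ROOT root:sysadm_r:unconfined_t" "$PREFER_UNCONFINED")"
```

The point for a practitioner: an allow rule such as unconfined_shell_domtrans(sshd_t) governs whether sshd_t may perform the transition, but which context is requested comes from the ordered, reachable candidates modelled here, so both the contexts file and the user/role/type authorisation in the policy have to agree. In permissive mode a transition the policy would deny is logged rather than blocked, which is worth checking in the audit log before concluding that a rule is in effect.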