Hello,

I performed a stage1 install from the hardened gentoo CD. Installation works fine and without problems.

But with the loaded policy it is not possible to do newrole -r or su - from a normal user account.

sysop@access sysop $ newrole -r sysadm_r
Authenticating sysop.
Password:
newrole: incorrect password for sysop

sysop@access sysop $ su -
Password:
su: Authentication failure
Sorry.

Is this the normal behavior of the policy or have I done something wrong?

How can I change this behavior if all is right?

I have tried a different default_contexts file, but the behavior did not change.

I am used to disabling root access in sshd so that I have to log in as a normal user and su to root for administration.

Some settings:

access policy # uname -a
Linux access 2.6.5-hardened-r5 #3 SMP Thu Jun 24 14:33:31 CEST 2004 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux

users:

# seuser
# This file created automatically by seuser on Thu Jul 29 14:52:17 2004

#
# user file

user system_u roles { system_r } ;
user user_u roles { user_r } ;
user root roles { sysadm_r staff_r } ;
user sysop roles { sysadm_r staff_r } ;
user sudevel roles { staff_r user_r } ;
user test roles { user_r staff_r } ;
user operator roles { user_r staff_r };

default_contexts:

system_r:sulogin_t sysadm_r:sysadm_t
system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:remote_login_t user_r:user_t staff_r:staff_t
system_r:sshd_t user_r:user_t staff_r:staff_t
system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mai$
system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sudo_t sysadm_r:sysadm_t
staff_r:sudo_t sysadm_r:sysadm_t staff_r:staff_t
user_r:sudo_t sysadm_r:sysadm_t user_r:user_t

sestatus -v:

access security # sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Policy version: 17

Policy booleans:
user_ping inactive

Process contexts:
Current context: root:sysadm_r:sysadm_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:sshd_t

File contexts:
Controlling term: root:object_r:sysadm_devpts_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:login_exec_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/sbin/init system_u:object_r:init_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t

Thank you for any help.

Kind regards

Peter Büttner

-------------------------------------------------
Personal WLAN GmbH http://www.personalwlan.de
Große Elbstraße 145a
22767 Hamburg

Tel.: 040/888855-25
Fax : 040/888855-55
Mail: pb@××××××××××××.de
-------------------------------------------------
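An added example, not part of the post above and not Gentoo or SELinux code: a small Python checker for the two policy files the post quotes. It parses the `user X roles { ... };` lines of the users file and the `source_context candidate ...` lines of default_contexts, then answers the two questions a reader of the post would want checked first: is the role named in `newrole -r` actually granted to that SELinux user, and which default context would a login or su from a given source context yield for that user. The sample data is copied from the post (the truncated crond line is left out); the assumption that default_contexts candidates are tried in order and the first one whose role the user holds wins is how the format is documented, but the helper functions and their names are this example's own.

```python
"""Check reachable SELinux roles/contexts from a users file and default_contexts.

Added example; not code from the post or from Gentoo/SELinux.
Sample inputs below are constructed from the lines quoted in the post.
"""
import re

# Constructed sample: the `users` file lines quoted in the post.
USERS_FILE = """
# user file
user system_u roles { system_r } ;
user user_u roles { user_r } ;
user root roles { sysadm_r staff_r } ;
user sysop roles { sysadm_r staff_r } ;
user sudevel roles { staff_r user_r } ;
user test roles { user_r staff_r } ;
user operator roles { user_r staff_r };
"""

# Constructed sample: the default_contexts lines quoted in the post
# (the crond line, which the post shows truncated, is omitted).
DEFAULT_CONTEXTS = """
system_r:sulogin_t sysadm_r:sysadm_t
system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:remote_login_t user_r:user_t staff_r:staff_t
system_r:sshd_t user_r:user_t staff_r:staff_t
staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sudo_t sysadm_r:sysadm_t
staff_r:sudo_t sysadm_r:sysadm_t staff_r:staff_t
user_r:sudo_t sysadm_r:sysadm_t user_r:user_t
"""

# Matches `user NAME roles { ROLE ROLE ... } ;` with or without spaces.
USER_RE = re.compile(r"^\s*user\s+(\S+)\s+roles\s*\{([^}]*)\}\s*;\s*$")


def parse_users(text):
    """Map SELinux user name -> set of roles the policy grants that user."""
    users = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = USER_RE.match(line)
        if not m:
            raise ValueError("unparsable user line: %r" % line)
        users[m.group(1)] = set(m.group(2).split())
    return users


def parse_default_contexts(text):
    """Map source role:type -> ordered list of candidate (role, type) pairs."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        src, candidates = fields[0], fields[1:]
        table[src] = [tuple(c.split(":", 1)) for c in candidates]
    return table


def newrole_allowed(users, user, role):
    """`newrole -r ROLE` can only succeed if the policy lists ROLE for the user."""
    return role in users.get(user, set())


def default_context(users, table, user, source):
    """First candidate for SOURCE whose role the user may hold, as user:role:type.

    Returns None when no candidate is permitted, i.e. the login or su from
    that source context has no valid default context for this user.
    """
    for role, typ in table.get(source, []):
        if role in users.get(user, set()):
            return "%s:%s:%s" % (user, role, typ)
    return None


def unreachable_sources(users, table, user):
    """Source contexts from which this user would get no default context at all."""
    return sorted(src for src in table
                  if default_context(users, table, user, src) is None)


if __name__ == "__main__":
    users = parse_users(USERS_FILE)
    table = parse_default_contexts(DEFAULT_CONTEXTS)
    for u in ("sysop", "test", "user_u"):
        print(u, "newrole -r sysadm_r allowed:", newrole_allowed(users, u, "sysadm_r"))
        print(u, "via sshd ->", default_context(users, table, u, "system_r:sshd_t"))
        print(u, "via staff su ->", default_context(users, table, u, "staff_r:staff_su_t"))
        print(u, "no default context from:", unreachable_sources(users, table, u))
```

Run against the post's data, `sysop` is allowed `sysadm_r` and gets `staff_r:staff_t` from both sshd and `staff_su_t`, so the role configuration alone does not explain the refused transition; the checker only covers the role and default-context side, not the PAM authentication step that `newrole` and `su` perform before any transition.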

--
gentoo-hardened@g.o mailing list