Gentoo Archives: gentoo-hardened

From: fanfan <fanfan@××××××××××××.fr>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Ssh client
Date: Fri, 02 Apr 2004 10:19:18
Message-Id: 406D3E13.9010200@etab.ac-caen.fr
In Reply to: Re: [gentoo-hardened] Ssh client by Bill McCarty
thx for your interest BILL :

I work with OLUVE I'm his "PADAWAN"

Bill McCarty wrote:

> Hi 01uv3,
>
> --On Friday, April 02, 2004 10:57 AM +0200 "01uv3." <oluve@××××.org>
> wrote:
>
>> got a strange problem.  Sshd access works fine but once connected
>> to the SELinux I can't establish any Ssh connection nor outside nor to
>> localhost :
>
> What sort of AVC messages show up in syslog? More particularly, if you
> do:
>
>     cd /etc/security/selinux/src/policy; make reload
>

Apr  2 09:37:55 selinux kernel:
Apr  2 09:37:55 selinux kernel: avc:  denied  { read write } for  pid=24477 exe=/usr/bin/checkpolicy path=/dev/tty1 dev=08:03 ino=97974 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr  2 09:37:55 selinux kernel:
Apr  2 09:37:55 selinux kernel: avc:  denied  { read } for  pid=24477 exe=/usr/bin/checkpolicy name=urandom dev=08:03 ino=99021 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Apr  2 09:37:58 selinux kernel:
Apr  2 09:37:58 selinux kernel: avc:  denied  { getattr } for  pid=24484 exe=/usr/bin/checkpolicy name=tty1 dev=08:03 ino=97974 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr  2 09:37:58 selinux kernel:
Apr  2 09:37:58 selinux kernel: avc:  denied  { ioctl } for  pid=24484 exe=/usr/bin/checkpolicy path=/dev/tty1 dev=08:03 ino=97974 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr  2 09:38:00 selinux kernel:
Apr  2 09:38:00 selinux kernel: avc:  denied  { read write } for  pid=24485 exe=/usr/sbin/load_policy path=/dev/tty1 dev=08:03 ino=97974 scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr  2 09:38:00 selinux kernel:
Apr  2 09:38:00 selinux kernel: avc:  denied  { read } for  pid=24485 exe=/usr/sbin/load_policy name=urandom dev=08:03 ino=99021 scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Apr  2 09:38:00 selinux kernel:
Apr  2 09:38:00 selinux kernel: avc:  granted  { load_policy } for  pid=24485 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Apr  2 09:38:00 selinux kernel: security:  5 users, 5 roles, 360 types
Apr  2 09:38:00 selinux kernel: security:  31 classes, 21636 rules

> and then try to establish an SSH connection, what's the output of:
>
>     audit2allow -l -i /var/log/xxxxxxxx
>

allow getty_t getty_t:udp_socket { getattr };
allow getty_t random_device_t:chr_file { read };
allow ldconfig_t random_device_t:chr_file { read };
allow local_login_t mnt_t:dir { getattr };
allow local_login_t random_device_t:chr_file { read };
allow local_login_t scsi_generic_device_t:chr_file { getattr setattr };
allow setfiles_t random_device_t:chr_file { read };

> where xxxxxxxx is the log file that holds AVC messages?
>
> Cheers,
>
> ---------------------------------------------------
> Bill McCarty, Ph.D.
> Professor of Information Technology
> Azusa Pacific University
>
> --
> gentoo-hardened@g.o mailing list.

hope you will find something !!

THX fanfan, oluve's padawan

--
***************************************
*       Francois NOEL IUT GTR         *
*                                     *
*  mail : fanfan@××××××××××××.fr      *
*  or : francois.noel@××××××××××××.fr *
*       msn : adrena@××.st            *
*   currently an intern at CRDP       *
***************************************

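The AVC messages quoted in this thread are exactly what audit2allow condenses into allow rules: it groups the denied permissions by source type, target type and object class. As an added example that is not part of this thread and is not audit2allow's own code, the Python script below does the same grouping over the AVC lines quoted above (embedded here as a constructed sample, one message per line). The optional source_type filter and the sshd_t domain name used to demonstrate it are assumptions for illustration.

```python
"""Summarise SELinux AVC denials as allow rules, the way audit2allow does.

Added example for this thread, not audit2allow itself.  SAMPLE_LOG is a
constructed sample: the AVC lines quoted in the message, one per line.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Apr  2 09:37:55 selinux kernel:
Apr  2 09:37:55 selinux kernel: avc:  denied  { read write } for  pid=24477 exe=/usr/bin/checkpolicy path=/dev/tty1 dev=08:03 ino=97974 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr  2 09:37:55 selinux kernel: avc:  denied  { read } for  pid=24477 exe=/usr/bin/checkpolicy name=urandom dev=08:03 ino=99021 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Apr  2 09:37:58 selinux kernel: avc:  denied  { getattr } for  pid=24484 exe=/usr/bin/checkpolicy name=tty1 dev=08:03 ino=97974 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr  2 09:37:58 selinux kernel: avc:  denied  { ioctl } for  pid=24484 exe=/usr/bin/checkpolicy path=/dev/tty1 dev=08:03 ino=97974 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr  2 09:38:00 selinux kernel: avc:  denied  { read write } for  pid=24485 exe=/usr/sbin/load_policy path=/dev/tty1 dev=08:03 ino=97974 scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr  2 09:38:00 selinux kernel: avc:  denied  { read } for  pid=24485 exe=/usr/sbin/load_policy name=urandom dev=08:03 ino=99021 scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Apr  2 09:38:00 selinux kernel: avc:  granted  { load_policy } for  pid=24485 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Apr  2 09:38:00 selinux kernel: security:  5 users, 5 roles, 360 types
"""

# "avc:  denied  { read write } for  pid=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            return None  # truncated message: skip it rather than guess
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        # a context is user:role:type; the policy rule only needs the type
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "exe": fields.get("exe"),
    }


def denials_to_allow_rules(log_text, source_type=None):
    """Group denied permissions by (source type, target type, class) and
    render each group as an allow rule.  source_type (assumed helper
    parameter) restricts the output to one domain, so you can see whether
    the process you actually care about was denied anything at all."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        if source_type and rec["stype"] != source_type:
            continue
        grouped[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms)))
        for (s, t, c), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for rule in denials_to_allow_rules(SAMPLE_LOG):
        print(rule)
    # sshd_t is an assumed domain name for the ssh daemon
    print("sshd_t denials:", denials_to_allow_rules(SAMPLE_LOG, "sshd_t") or "none")
```

Run over the sample, every denial comes from checkpolicy_t or load_policy_t, i.e. from the policy reload itself, not from a ssh client or daemon; the same is true of the audit2allow output quoted above, which names getty_t, ldconfig_t, local_login_t and setfiles_t. Filtering by the source type of the process that fails is therefore the first check to make before adding any of the generated rules to a policy: a rule that silences an unrelated denial widens the policy without fixing the problem.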

Replies

Subject Author
Re: [gentoo-hardened] Ssh client Bill McCarty <bmccarty@××××××.net>