Re: [gentoo-hardened] Ssh client - gentoo-hardened

From:	fanfan <fanfan@××××××××××××.fr>
To:	gentoo-hardened@l.g.o
Subject:	Re: [gentoo-hardened] Ssh client
Date:	Fri, 02 Apr 2004 10:19:18
Message-Id:	`406D3E13.9010200@etab.ac-caen.fr`
In Reply to:	Re: [gentoo-hardened] Ssh client by Bill McCarty

1

2

3

thx for your interest BILL :

13

14

I work with OLUVE I'm his "PADAWAN"

15

16

Bill McCarty wrote:

17

18

19

Hi 01uv3, 

20

21

--On Friday, April 02, 2004 10:57 AM +0200 "01uv3." <oluve@××××.org>

22

wrote: 

23

24

25

      got a strange problem.  Sshd access works

26

fine  but once

27

connected 

28

to the SELinux I can't establish any Ssh connection nor outside nor to 

29

localhost : 

What sort of AVC messages show up in syslog? More particularly, if you

35

do:

36

37

    cd /etc/security/selinux/src/policy; make reload 

38

39

40

Apr  2 09:37:55 selinux kernel:

41

42

Apr  2 09:37:55 selinux kernel: avc:  denied  { read write } for 

43

pid=24477 exe=/usr/bin/checkpolicy path=/dev/tty1 dev=08:03 ino=97974

44

scontext=root:sysadm_r:checkpolicy_t

45

tcontext=system_u:object_r:tty_device_t tclass=chr_file

46

47

Apr  2 09:37:55 selinux kernel:

48

49

Apr  2 09:37:55 selinux kernel: avc:  denied  { read } for  pid=24477

50

exe=/usr/bin/checkpolicy name=urandom dev=08:03 ino=99021

51

scontext=root:sysadm_r:checkpolicy_t

52

tcontext=system_u:object_r:random_device_t tclass=chr_file

53

54

Apr  2 09:37:58 selinux kernel:

55

56

Apr  2 09:37:58 selinux kernel: avc:  denied  { getattr } for 

57

pid=24484 exe=/usr/bin/checkpolicy name=tty1 dev=08:03 ino=97974

58

scontext=root:sysadm_r:checkpolicy_t

59

tcontext=system_u:object_r:tty_device_t tclass=chr_file

60

61

Apr  2 09:37:58 selinux kernel:

62

63

Apr  2 09:37:58 selinux kernel: avc:  denied  { ioctl } for  pid=24484

64

exe=/usr/bin/checkpolicy path=/dev/tty1 dev=08:03 ino=97974

65

scontext=root:sysadm_r:checkpolicy_t

66

tcontext=system_u:object_r:tty_device_t tclass=chr_file

67

68

Apr  2 09:38:00 selinux kernel:

69

70

Apr  2 09:38:00 selinux kernel: avc:  denied  { read write } for 

71

pid=24485 exe=/usr/sbin/load_policy path=/dev/tty1 dev=08:03 ino=97974

72

scontext=root:sysadm_r:load_policy_t

73

tcontext=system_u:object_r:tty_device_t tclass=chr_file

74

75

Apr  2 09:38:00 selinux kernel:

76

77

Apr  2 09:38:00 selinux kernel: avc:  denied  { read } for  pid=24485

78

exe=/usr/sbin/load_policy name=urandom dev=08:03 ino=99021

79

scontext=root:sysadm_r:load_policy_t

80

tcontext=system_u:object_r:random_device_t tclass=chr_file

81

82

Apr  2 09:38:00 selinux kernel:

83

84

Apr  2 09:38:00 selinux kernel: avc:  granted  { load_policy } for 

85

pid=24485 exe=/usr/sbin/load_policy

86

scontext=root:sysadm_r:load_policy_t

87

tcontext=system_u:object_r:security_t tclass=security

88

89

Apr  2 09:38:00 selinux kernel: security:  5 users, 5 roles, 360 types

90

91

Apr  2 09:38:00 selinux kernel: security:  31 classes, 21636 rules

92

93

94

and then try to establish an SSH connection,

95

what's the output of: 

96

97

    audit2allow -l -i /var/log/xxxxxxxx 

98

99

100

allow getty_t getty_t:udp_socket { getattr };

101

102

allow getty_t random_device_t:chr_file { read };

103

104

allow ldconfig_t random_device_t:chr_file { read };

105

106

allow local_login_t mnt_t:dir { getattr };

107

108

allow local_login_t random_device_t:chr_file { read };

109

110

allow local_login_t scsi_generic_device_t:chr_file { getattr setattr };

111

112

allow setfiles_t random_device_t:chr_file { read };

where xxxxxxxx is the log file that holds AVC messages? 

117

118

Cheers, 

119

120

--------------------------------------------------- 

121

Bill McCarty, Ph.D. 

122

Professor of Information Technology 

123

Azusa Pacific University 

--

128

  gentoo-hardened@g.o

129

mailing list 

130

131

.

132

133

134

hope you will find something !!

135

136

THX fanfan, oluve's padawan

--

141

***************************************

142

143

*       Francois NOEL IUT GTR         *

144

145

*

146

*

147

*  mail : fanfan@××××××××××××.fr      *

148

* ou : francois.noel@××××××××××××.fr 

149

*

150

151

*       msn : adrena@××.st            *

152

153

*   actuellement en stage au CRDP     *

154

155

***************************************

--

160

***************************************

161

*       Francois NOEL IUT GTR         *

162

*                                     * 

163

*  mail : fanfan@××××××××××××.fr      *  

164

* ou : francois.noel@××××××××××××.fr  *

165

*       msn : adrena@××.st            *

166

*   actuellement en stage au CRDP     *

167

***************************************

Gentoo Archives: gentoo-hardened

Replies

1
2
3
4
5
6
7
8
9
10
11
12	thx for your interest BILL :
13
14	I work with OLUVE I'm his "PADAWAN"
15
16	Bill McCarty wrote:
17
18
19	Hi 01uv3,
20
21	--On Friday, April 02, 2004 10:57 AM +0200 "01uv3." <oluve@××××.org>
22	wrote:
23
24
25	got a strange problem. Sshd access works
26	fine but once
27	connected
28	to the SELinux I can't establish any Ssh connection nor outside nor to
29	localhost :
30
31
32
33
34	What sort of AVC messages show up in syslog? More particularly, if you
35	do:
36
37	cd /etc/security/selinux/src/policy; make reload
38
39
40	Apr 2 09:37:55 selinux kernel:
41
42	Apr 2 09:37:55 selinux kernel: avc: denied { read write } for
43	pid=24477 exe=/usr/bin/checkpolicy path=/dev/tty1 dev=08:03 ino=97974
44	scontext=root:sysadm_r:checkpolicy_t
45	tcontext=system_u:object_r:tty_device_t tclass=chr_file
46
47	Apr 2 09:37:55 selinux kernel:
48
49	Apr 2 09:37:55 selinux kernel: avc: denied { read } for pid=24477
50	exe=/usr/bin/checkpolicy name=urandom dev=08:03 ino=99021
51	scontext=root:sysadm_r:checkpolicy_t
52	tcontext=system_u:object_r:random_device_t tclass=chr_file
53
54	Apr 2 09:37:58 selinux kernel:
55
56	Apr 2 09:37:58 selinux kernel: avc: denied { getattr } for
57	pid=24484 exe=/usr/bin/checkpolicy name=tty1 dev=08:03 ino=97974
58	scontext=root:sysadm_r:checkpolicy_t
59	tcontext=system_u:object_r:tty_device_t tclass=chr_file
60
61	Apr 2 09:37:58 selinux kernel:
62
63	Apr 2 09:37:58 selinux kernel: avc: denied { ioctl } for pid=24484
64	exe=/usr/bin/checkpolicy path=/dev/tty1 dev=08:03 ino=97974
65	scontext=root:sysadm_r:checkpolicy_t
66	tcontext=system_u:object_r:tty_device_t tclass=chr_file
67
68	Apr 2 09:38:00 selinux kernel:
69
70	Apr 2 09:38:00 selinux kernel: avc: denied { read write } for
71	pid=24485 exe=/usr/sbin/load_policy path=/dev/tty1 dev=08:03 ino=97974
72	scontext=root:sysadm_r:load_policy_t
73	tcontext=system_u:object_r:tty_device_t tclass=chr_file
74
75	Apr 2 09:38:00 selinux kernel:
76
77	Apr 2 09:38:00 selinux kernel: avc: denied { read } for pid=24485
78	exe=/usr/sbin/load_policy name=urandom dev=08:03 ino=99021
79	scontext=root:sysadm_r:load_policy_t
80	tcontext=system_u:object_r:random_device_t tclass=chr_file
81
82	Apr 2 09:38:00 selinux kernel:
83
84	Apr 2 09:38:00 selinux kernel: avc: granted { load_policy } for
85	pid=24485 exe=/usr/sbin/load_policy
86	scontext=root:sysadm_r:load_policy_t
87	tcontext=system_u:object_r:security_t tclass=security
88
89	Apr 2 09:38:00 selinux kernel: security: 5 users, 5 roles, 360 types
90
91	Apr 2 09:38:00 selinux kernel: security: 31 classes, 21636 rules
92
93
94	and then try to establish an SSH connection,
95	what's the output of:
96
97	audit2allow -l -i /var/log/xxxxxxxx
98
99
100	allow getty_t getty_t:udp_socket { getattr };
101
102	allow getty_t random_device_t:chr_file { read };
103
104	allow ldconfig_t random_device_t:chr_file { read };
105
106	allow local_login_t mnt_t:dir { getattr };
107
108	allow local_login_t random_device_t:chr_file { read };
109
110	allow local_login_t scsi_generic_device_t:chr_file { getattr setattr };
111
112	allow setfiles_t random_device_t:chr_file { read };
113
114
115
116	where xxxxxxxx is the log file that holds AVC messages?
117
118	Cheers,
119
120	---------------------------------------------------
121	Bill McCarty, Ph.D.
122	Professor of Information Technology
123	Azusa Pacific University
124
125
126
127	--
128	gentoo-hardened@g.o
129	mailing list
130
131	.
132
133
134	hope you will find something !!
135
136	THX fanfan, oluve's padawan
137
138
139
140	--
141	***************************************
142
143	* Francois NOEL IUT GTR *
144
145	*
146	*
147	* mail : fanfan@××××××××××××.fr *
148	* ou : francois.noel@××××××××××××.fr
149	*
150
151	* msn : adrena@××.st *
152
153	* actuellement en stage au CRDP *
154
155	***************************************
156
157
158
159	--
160	***************************************
161	* Francois NOEL IUT GTR *
162	* *
163	* mail : fanfan@××××××××××××.fr *
164	* ou : francois.noel@××××××××××××.fr *
165	* msn : adrena@××.st *
166	* actuellement en stage au CRDP *
167	***************************************
168
169
170
171