Thanks for your interest, Bill:

I work with Oluve; I'm his "Padawan".

Bill McCarty wrote:

> Hi 01uv3,
>
> --On Friday, April 02, 2004 10:57 AM +0200 "01uv3." <oluve@××××.org> wrote:
>
>> I've got a strange problem. sshd access works fine, but once connected
>> to the SELinux host I can't establish any ssh connection, neither outside
>> nor to localhost:
>
> What sort of AVC messages show up in syslog? More particularly, if you do:
>
> cd /etc/security/selinux/src/policy; make reload

Apr 2 09:37:55 selinux kernel: avc: denied { read write } for pid=24477 exe=/usr/bin/checkpolicy path=/dev/tty1 dev=08:03 ino=97974 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 2 09:37:55 selinux kernel: avc: denied { read } for pid=24477 exe=/usr/bin/checkpolicy name=urandom dev=08:03 ino=99021 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Apr 2 09:37:58 selinux kernel: avc: denied { getattr } for pid=24484 exe=/usr/bin/checkpolicy name=tty1 dev=08:03 ino=97974 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 2 09:37:58 selinux kernel: avc: denied { ioctl } for pid=24484 exe=/usr/bin/checkpolicy path=/dev/tty1 dev=08:03 ino=97974 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 2 09:38:00 selinux kernel: avc: denied { read write } for pid=24485 exe=/usr/sbin/load_policy path=/dev/tty1 dev=08:03 ino=97974 scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 2 09:38:00 selinux kernel: avc: denied { read } for pid=24485 exe=/usr/sbin/load_policy name=urandom dev=08:03 ino=99021 scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Apr 2 09:38:00 selinux kernel: avc: granted { load_policy } for pid=24485 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Apr 2 09:38:00 selinux kernel: security: 5 users, 5 roles, 360 types
Apr 2 09:38:00 selinux kernel: security: 31 classes, 21636 rules

> and then try to establish an SSH connection, what's the output of:
>
> audit2allow -l -i /var/log/xxxxxxxx

allow getty_t getty_t:udp_socket { getattr };
allow getty_t random_device_t:chr_file { read };
allow ldconfig_t random_device_t:chr_file { read };
allow local_login_t mnt_t:dir { getattr };
allow local_login_t random_device_t:chr_file { read };
allow local_login_t scsi_generic_device_t:chr_file { getattr setattr };
allow setfiles_t random_device_t:chr_file { read };

> where xxxxxxxx is the log file that holds AVC messages?
>
> Cheers,
>
> ---------------------------------------------------
> Bill McCarty, Ph.D.
> Professor of Information Technology
> Azusa Pacific University
>
> --
> gentoo-hardened@g.o mailing list

Hope you will find something!!

Thanks, fanfan, oluve's padawan

-- 
***************************************
* Francois NOEL IUT GTR               *
*                                     *
* mail : fanfan@××××××××××××.fr       *
* or   : francois.noel@××××××××××××.fr *
* msn : adrena@××.st                  *
* currently an intern at CRDP         *
***************************************
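As an added illustration (not part of the thread, and not the audit2allow tool itself), a small Python parser that does for the AVC lines above what audit2allow does: it groups denials by source type, target type and object class and emits one allow rule per triple, and it can restrict the output to chosen source domains so the denials of the process being debugged (here an ssh domain) are separated from the checkpolicy/load_policy denials caused by the reload itself. The log lines are copied from the message above; the domain names sshd_t and ssh_t used in the filter are assumptions.

```python
import re
from collections import defaultdict

# Sample input: the AVC messages posted in the thread above (wrapped lines joined).
AVC_LOG = """\
Apr 2 09:37:55 selinux kernel: avc: denied { read write } for pid=24477 exe=/usr/bin/checkpolicy path=/dev/tty1 dev=08:03 ino=97974 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 2 09:37:55 selinux kernel: avc: denied { read } for pid=24477 exe=/usr/bin/checkpolicy name=urandom dev=08:03 ino=99021 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Apr 2 09:37:58 selinux kernel: avc: denied { getattr } for pid=24484 exe=/usr/bin/checkpolicy name=tty1 dev=08:03 ino=97974 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 2 09:37:58 selinux kernel: avc: denied { ioctl } for pid=24484 exe=/usr/bin/checkpolicy path=/dev/tty1 dev=08:03 ino=97974 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 2 09:38:00 selinux kernel: avc: denied { read write } for pid=24485 exe=/usr/sbin/load_policy path=/dev/tty1 dev=08:03 ino=97974 scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 2 09:38:00 selinux kernel: avc: denied { read } for pid=24485 exe=/usr/sbin/load_policy name=urandom dev=08:03 ino=99021 scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Apr 2 09:38:00 selinux kernel: avc: granted { load_policy } for pid=24485 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Apr 2 09:38:00 selinux kernel: security: 5 users, 5 roles, 360 types
"""

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")


def _type_of(context):
    """user:role:type[:mls] -> type (the part a policy rule is written against)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the fields of one AVC message, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok)
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "stype": _type_of(kv["scontext"]),
        "ttype": _type_of(kv["tcontext"]),
        "tclass": kv["tclass"],
        "exe": kv.get("exe"),
    }


def to_allow_rules(log_text, source_types=None):
    """Aggregate denials into audit2allow-style rules, one per (source, target, class).

    source_types, if given, keeps only denials whose source domain is in that set,
    so the process under investigation can be told apart from unrelated noise.
    """
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue  # non-AVC lines and granted audits carry no denial to translate
        if source_types and rec["stype"] not in source_types:
            continue
        grouped[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    print("\n".join(to_allow_rules(AVC_LOG)))
    # Assumed ssh domain names: nothing in the posted log comes from them, which is
    # exactly why these lines do not explain the failing ssh connection.
    print(to_allow_rules(AVC_LOG, source_types={"sshd_t", "ssh_t"}))
```

The rules it prints for the posted lines all involve checkpolicy_t and load_policy_t touching the tty and /dev/urandom, so the denial behind the ssh failure must be looked for in the messages logged during the connection attempt itself, not during the reload.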