| 1 |
On 11/14/2010 06:40 AM, luc nac wrote: |
| 2 |
> Is it right that I can still login (or switch to the sysadm_r role) |
| 3 |
> via ssh to that machine even if the boolean "ssh_sysadm_login" is set |
| 4 |
> "off"? |
| 5 |
Sven's reply is correct. ssh_sysadm_login doesn't PREVENT ssh users |
| 6 |
from changing to the sysadm_r role once they have logged in; it simply |
| 7 |
prevents them from logging directly in as sysadm_r. Essentially, it |
| 8 |
enforces the requirement to 'newrole -r' before you can access the |
| 9 |
sysadm role. |
| 10 |
|
| 11 |
A little bit more about this can be found here: |
| 12 |
http://www.nsa.gov/research/selinux/list-archive/0612/thread_body32.shtml |
| 13 |
|
| 14 |
> What tests can I do to confirm that SELinux is correctly working? |
| 15 |
> |
| 16 |
Not sure what you're after here? |
| 17 |
|
| 18 |
'sestatus' will give you some information regarding what mode |
| 19 |
(permissive, enforcing), what policy (strict, targeted), etc. you are |
| 20 |
using, and whether the system is running. 'ls -Z' will give you context |
| 21 |
information on a particular file, and you can use 'matchpathcon' to see |
| 22 |
what the context of a file should be. 'chcon' will allow you to force |
| 23 |
an arbitrary file to an arbitrary context (even one it's not supposed to |
| 24 |
have), while 'restorecon', 'setfiles', and 'rlpkg' can all be used to |
| 25 |
restore file contexts to their defaults (the different commands have |
| 26 |
different options and different effects). 'semodule -l' can be used to |
| 27 |
see what modules (other than the base capabilities provided by |
| 28 |
selinux-base-policy) are loaded. |
| 29 |
|
| 30 |
HTH |
| 31 |
|
| 32 |
Later, |
| 33 |
Gizmo |
Archives