On 11/14/2010 06:40 AM, luc nac wrote:
> Is it right that I can still login (or switch to the sysadm_r role)
> via ssh to that machine even if the boolean "ssh_sysadm_login" is set
> "off"?

Sven's reply is correct. ssh_sysadm_login doesn't PREVENT ssh users
from changing to the sysadm_r role once they have logged in; it simply
prevents them from logging directly in as sysadm_r. Essentially, it
enforces the requirement to 'newrole -r' before you can access the
sysadm role.

A little bit more about this can be found here:
http://www.nsa.gov/research/selinux/list-archive/0612/thread_body32.shtml

> What tests can I do to confirm that SELinux is correctly working?
>
Not sure what you're after here?

'sestatus' will give you some information regarding what mode
(permissive, enforcing), what policy (strict, targeted), etc. you are
using, and whether the system is running. 'ls -Z' will give you context
information on a particular file, and you can use 'matchpathcon' to see
what the context of a file should be. 'chcon' will allow you to force
an arbitrary file to an arbitrary context (even one it's not supposed to
have), while 'restorecon', 'setfiles', and 'rlpkg' can all be used to
restore file contexts to their defaults (the different commands have
different options and different effects). 'semodule -l' can be used to
see what modules (other than the base capabilities provided by
selinux-base-policy) are loaded.

HTH

Later,
Gizmo
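The checks Gizmo lists above (sestatus, the ssh_sysadm_login boolean, the role you land in after an ssh login, and 'ls -Z' against 'matchpathcon') turned into a small POSIX sh audit script. This is an added example, not code from the original thread or from any SELinux project. It assumes 'ls -Z FILE' prints "context path" and 'matchpathcon FILE' prints "path<TAB>context"; the sample command output embedded in it is constructed so the script runs on a box without SELinux, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): parse the output of the
# commands named in the reply and report what a practitioner checks.
# Sample text below is constructed; on a live host feed the functions
# with `sestatus`, `getsebool ssh_sysadm_login`, `id -Z`, `ls -Z` and
# `matchpathcon` output instead.

# stdin: `sestatus` output. Prints enforcing, permissive, disabled or unknown.
selinux_mode() {
  awk -F': *' '
    $1 == "SELinux status" && $2 == "disabled" { print "disabled"; found = 1; exit }
    $1 == "Current mode"                        { print $2;        found = 1; exit }
    END { if (!found) print "unknown" }'
}

# stdin: `getsebool NAME` output ("NAME --> on|off"). Prints on or off.
bool_state() {
  awk '$2 == "-->" { print $3; exit }'
}

# $1: a security context as printed by `id -Z`. Prints its role field.
# With ssh_sysadm_login=off an ssh session should show a non-sysadm role
# (e.g. staff_r) here until the user has run `newrole -r sysadm_r`.
context_role() {
  printf '%s\n' "$1" | cut -d: -f2
}

# $1: `ls -Z` output, one "context path" per line
# $2: `matchpathcon` output, one "path<TAB>context" per line
# Prints "path actual expected" for each file whose TYPE differs from the
# policy default. Only the type is compared because restorecon without -F
# resets just the type, leaving the user/role/range portions alone.
context_mismatches() {
  {
    printf '%s\n' "$1" | awk '$2 != "" { print "A", $2, $1 }'
    printf '%s\n' "$2" | awk -F'\t' '$2 != "" { print "E", $1, $2 }'
  } | awk '
    $1 == "A" { actual[$2] = $3 }
    $1 == "E" { expected[$2] = $3 }
    END {
      for (p in actual) {
        if (!(p in expected)) continue
        split(actual[p], a, ":"); split(expected[p], e, ":")
        if (a[3] != e[3]) print p, actual[p], expected[p]
      }
    }' | sort
}

# ---- constructed sample data (replace with live command output) ----
SESTATUS_SAMPLE='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted'

GETSEBOOL_SAMPLE='ssh_sysadm_login --> off'

IDZ_SAMPLE='staff_u:staff_r:staff_t:s0-s0:c0.c1023'

# sshd_config was copied into /etc/ssh with cp and never relabelled,
# so it still carries the home-directory type; the other two are fine.
LSZ_SAMPLE='staff_u:object_r:user_home_t:s0 /etc/ssh/sshd_config
system_u:object_r:etc_t:s0 /etc/ssh/ssh_config
system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd'

MATCHPATHCON_SAMPLE=$(printf '%s\t%s\n' \
  /etc/ssh/sshd_config system_u:object_r:etc_t:s0 \
  /etc/ssh/ssh_config  system_u:object_r:etc_t:s0 \
  /usr/sbin/sshd       system_u:object_r:sshd_exec_t:s0)

echo "mode:    $(printf '%s\n' "$SESTATUS_SAMPLE" | selinux_mode)"
echo "boolean: ssh_sysadm_login=$(printf '%s\n' "$GETSEBOOL_SAMPLE" | bool_state)"
echo "role:    $(context_role "$IDZ_SAMPLE")"
echo "mislabelled files (path actual expected):"
context_mismatches "$LSZ_SAMPLE" "$MATCHPATHCON_SAMPLE"
```

On a real host the mismatch list is what 'restorecon -nv' would offer to fix; a file showing up there after you used 'chcon' or 'cp' is the usual reason a daemon is denied access while everything else looks right. Note that the role check only tells you what role the current shell holds, so run it from the ssh session itself, before and after 'newrole -r sysadm_r'.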