| 1 |
Hi everybody, I'm learning how to use SELinux and I'm experiencing |
| 2 |
some difficulties. I write here hoping that someone can help me. |
| 3 |
|
| 4 |
I just installed SELinux (strict policy) in a Gentoo-based |
| 5 |
distribution (Linux kernel version 2.6.24) following the handbook's |
| 6 |
instructions http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml |
| 7 |
|
| 8 |
Is it right that I can still login (or switch to the sysadm_r role) |
| 9 |
via ssh to that machine even if the boolean "ssh_sysadm_login" is set |
| 10 |
"off"? |
| 11 |
What tests can I do to confirm that SELinux is correctly working? |
| 12 |
|
| 13 |
lucnac@plgd:~$ ssh root@192.168.1.203 |
| 14 |
Password: |
| 15 |
Last login: Sun Nov 14 13:54:26 2010 from unknown |
| 16 |
Could not chdir to home directory /root: Permission denied |
| 17 |
-bash: /root/.bash_profile: Permission denied |
| 18 |
localhost / # id -Z |
| 19 |
root:staff_r:staff_t |
| 20 |
localhost / # newrole -r sysadm_r |
| 21 |
Authenticating root. |
| 22 |
Password: |
| 23 |
localhost / # id -Z |
| 24 |
root:sysadm_r:sysadm_t |
| 25 |
|
| 26 |
|
| 27 |
This is the output of "sestatus -v": |
| 28 |
localhost / # sestatus -v |
| 29 |
SELinux status: enabled |
| 30 |
SELinuxfs mount: /selinux |
| 31 |
Current mode: enforcing |
| 32 |
Mode from config file: enforcing |
| 33 |
Policy version: 21 |
| 34 |
Policy from config file: strict |
| 35 |
|
| 36 |
Process contexts: |
| 37 |
Current context: root:staff_r:staff_t |
| 38 |
Init context: unknown (Permission denied) |
| 39 |
|
| 40 |
File contexts: |
| 41 |
Controlling term: root:object_r:staff_devpts_t |
| 42 |
/sbin/init system_u:object_r:init_exec_t |
| 43 |
/sbin/agetty system_u:object_r:getty_exec_t |
| 44 |
/bin/login system_u:object_r:login_exec_t |
| 45 |
/sbin/rc system_u:object_r:initrc_exec_t |
| 46 |
/sbin/runscript.sh system_u:object_r:initrc_exec_t |
| 47 |
/usr/sbin/sshd system_u:object_r:sshd_exec_t |
| 48 |
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t |
| 49 |
/etc/passwd system_u:object_r:etc_t |
| 50 |
/bin/sh system_u:object_r:bin_t -> |
| 51 |
system_u:object_r:shell_exec_t |
| 52 |
/bin/bash system_u:object_r:shell_exec_t |
| 53 |
/usr/bin/newrole system_u:object_r:newrole_exec_t |
| 54 |
/lib/libc.so.6 system_u:object_r:lib_t -> |
| 55 |
system_u:object_r:shlib_t |
| 56 |
/lib/ld-linux.so.2 system_u:object_r:lib_t -> |
| 57 |
system_u:object_r:ld_so_t |
| 58 |
|
| 59 |
|
| 60 |
...and this is the output of "getsebool -a" (everything is off): |
| 61 |
localhost / # getsebool -a |
| 62 |
allow_execheap --> off |
| 63 |
allow_execmem --> off |
| 64 |
allow_execmod --> off |
| 65 |
allow_execstack --> off |
| 66 |
allow_java_execstack --> off |
| 67 |
allow_mplayer_execstack --> off |
| 68 |
allow_polyinstantiation --> off |
| 69 |
allow_ptrace --> off |
| 70 |
allow_rsync_anon_write --> off |
| 71 |
allow_ssh_keysign --> off |
| 72 |
allow_user_mysql_connect --> off |
| 73 |
allow_user_postgresql_connect --> off |
| 74 |
allow_write_xshm --> off |
| 75 |
allow_ypbind --> off |
| 76 |
cron_can_relabel --> off |
| 77 |
fcron_crond --> off |
| 78 |
global_ssp --> off |
| 79 |
mail_read_content --> off |
| 80 |
mozilla_read_content --> off |
| 81 |
nfs_export_all_ro --> off |
| 82 |
nfs_export_all_rw --> off |
| 83 |
read_default_t --> off |
| 84 |
read_untrusted_content --> off |
| 85 |
secure_mode --> off |
| 86 |
secure_mode_insmod --> off |
| 87 |
secure_mode_policyload --> off |
| 88 |
ssh_sysadm_login --> off |
| 89 |
use_nfs_home_dirs --> off |
| 90 |
use_samba_home_dirs --> off |
| 91 |
user_direct_mouse --> off |
| 92 |
user_dmesg --> off |
| 93 |
user_ping --> off |
| 94 |
user_rw_noexattrfile --> off |
| 95 |
user_tcp_server --> off |
| 96 |
user_ttyfile_stat --> off |
| 97 |
write_untrusted_content --> off |
| 98 |
xdm_sysadm_login --> off |
Archives