Hi everybody, I'm learning how to use SELinux and I'm experiencing
some difficulties. I write here hoping that someone can help me.

I just installed SELinux (strict policy) in a Gentoo-based
distribution (Linux kernel version 2.6.24) following the handbook's
instructions http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml

Is it right that I can still log in (or switch to the sysadm_r role)
via ssh to that machine even if the boolean "ssh_sysadm_login" is set
to "off"?
What tests can I do to confirm that SELinux is correctly working?

lucnac@plgd:~$ ssh root@192.168.1.203
Password:
Last login: Sun Nov 14 13:54:26 2010 from unknown
Could not chdir to home directory /root: Permission denied
-bash: /root/.bash_profile: Permission denied
localhost / # id -Z
root:staff_r:staff_t
localhost / # newrole -r sysadm_r
Authenticating root.
Password:
localhost / # id -Z
root:sysadm_r:sysadm_t


This is the output of "sestatus -v":
localhost / # sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        strict

Process contexts:
Current context:                root:staff_r:staff_t
Init context:                   unknown (Permission denied)

File contexts:
Controlling term:               root:object_r:staff_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/rc                        system_u:object_r:initrc_exec_t
/sbin/runscript.sh              system_u:object_r:initrc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t


...and this is the output of "getsebool -a" (everything is off):
localhost / # getsebool -a
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_polyinstantiation --> off
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_ssh_keysign --> off
allow_user_mysql_connect --> off
allow_user_postgresql_connect --> off
allow_write_xshm --> off
allow_ypbind --> off
cron_can_relabel --> off
fcron_crond --> off
global_ssp --> off
mail_read_content --> off
mozilla_read_content --> off
nfs_export_all_ro --> off
nfs_export_all_rw --> off
read_default_t --> off
read_untrusted_content --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
ssh_sysadm_login --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_direct_mouse --> off
user_dmesg --> off
user_ping --> off
user_rw_noexattrfile --> off
user_tcp_server --> off
user_ttyfile_stat --> off
write_untrusted_content --> off
xdm_sysadm_login --> off
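The check a reader would want to run against the output quoted in the post above, as an added example that is not part of the original post or of any SELinux tool: it parses `sestatus -v` and `getsebool -a` text and evaluates the one rule the question turns on. In the strict/reference policy, `ssh_sysadm_login` only governs whether sshd may start a session directly in `sysadm_r`; with it off, an ssh login is expected to land in `staff_r`, and reaching `sysadm_r` afterwards through `newrole` is a separate policy path (a `staff_r` to `sysadm_r` role change with re-authentication) that the boolean does not close. The sample strings below are constructed from the posted output, abridged; the function and finding names are this example's own.

```python
"""Sanity-check an SELinux ssh login against sestatus / getsebool output.

Added example; the helpers here are not part of any SELinux package.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input, abridged from the output quoted in the post.
SESTATUS_SAMPLE = """\
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        strict

Process contexts:
Current context:                root:staff_r:staff_t
Init context:                   unknown (Permission denied)
"""

GETSEBOOL_SAMPLE = """\
allow_ptrace --> off
secure_mode --> off
ssh_sysadm_login --> off
xdm_sysadm_login --> off
"""


def parse_sestatus(text: str) -> Dict[str, str]:
    """Map 'Key: value' lines to a dict; section headers with no value are skipped."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # split on the FIRST colon only,
        value = value.strip()                   # contexts contain more colons
        if value:
            out[key.strip()] = value
    return out


def parse_getsebool(text: str) -> Dict[str, bool]:
    """Map 'name --> on|off' lines to a dict of bools."""
    out: Dict[str, bool] = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+-->\s+(on|off)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2) == "on"
    return out


def split_context(ctx: str) -> Tuple[str, str, str]:
    """Return (user, role, type) from a user:role:type[:level] context string."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a user:role:type context: {ctx!r}")
    return parts[0], parts[1], parts[2]


def check_ssh_login(status: Dict[str, str], booleans: Dict[str, bool],
                    login_ctx: str) -> List[str]:
    """Evaluate an observed ssh login context against the policy state.

    Findings are prefixed OK / WARN / FAIL so callers can grep or count them.
    """
    findings: List[str] = []
    if status.get("SELinux status") != "enabled":
        findings.append("FAIL: SELinux is not enabled")
    mode = status.get("Current mode")
    if mode == "enforcing":
        findings.append("OK: current mode is enforcing")
    else:
        findings.append(f"WARN: current mode is {mode!r}; denials are only logged, not blocked")

    _user, role, _type = split_context(login_ctx)
    direct_sysadm = booleans.get("ssh_sysadm_login", False)
    if role == "sysadm_r" and not direct_sysadm:
        findings.append("FAIL: ssh session started in sysadm_r although ssh_sysadm_login is off")
    elif role == "staff_r" and not direct_sysadm:
        findings.append("OK: ssh_sysadm_login is off and the ssh session is in staff_r; "
                        "sysadm_r is reachable only via newrole (re-authentication)")
    elif role == "sysadm_r" and direct_sysadm:
        findings.append("WARN: ssh_sysadm_login is on; sshd may start sessions directly in sysadm_r")
    else:
        findings.append(f"OK: ssh session role is {role}")
    return findings


def has_failure(findings: List[str]) -> bool:
    return any(f.startswith("FAIL") for f in findings)


if __name__ == "__main__":
    st = parse_sestatus(SESTATUS_SAMPLE)
    bools = parse_getsebool(GETSEBOOL_SAMPLE)
    for f in check_ssh_login(st, bools, st["Current context"]):
        print(f)
```

Run against the posted output, the login context `root:staff_r:staff_t` with `ssh_sysadm_login` off produces only OK findings; the same checker reports a FAIL if an ssh session is ever found already in `sysadm_r` while the boolean is off, which is the case that would indicate the boolean is not being honoured. Note that the checker reads text you paste in, so it is equally usable on output copied from a machine where you cannot install Python.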