Peter Hjalmarsson wrote:
> You know Chris PeBenito did send a suggestion on the list the other day.
can't find it - was it this year?

>
> By the way have you really done a 'rlpkg -ar' on your filesystem?
Yep, done that, tried setfilecon/restorecon too
(but it looked like everything is labeled correctly anyway)
/lib is just missing from file_contexts

> And if you (re)start any service by hand, remember to do it with
> 'run_init /etc/init.d/servicename'.
ssh is running in the right context:
root:system_r:sshd_t root 27480 7767 0 02:53 ?
00:00:00 sshd: root@pts/1
But bash isn't:
root:system_r:system_chkpwd_t root 27482 27480 0 02:53 pts/1
00:00:00 -bash
Even though it is started by sshd (parent pid 27840) and it has the
right label:
-rwxr-xr-x root root system_u:object_r:shell_exec_t /bin/bash

Stumped
Antoine


>
>
>
> On Sat, 2008-01-26 at 13:12 +0000, Antoine Martin wrote:
> Anyone?
>
> With 2005.1 soon removed, I would like to have these issues cleared up
> sooner rather than later...
>
> Antoine Martin wrote:
>>>> Hi,
>>>>
>>>> make.profile -> ../usr/portage/profiles/selinux/2007.0/amd64
>>>> Running 2.6.23.13 in non-enforcing mode, targeted policy.
>>>>
>>>> system_u:system_r:sshd_t root sshd: root@pts/0
>>>> root:system_r:system_chkpwd_t root pts/0 00:00:00 -bash
>>>>
>>>> The first denials:
>>>>
>>>> [ 140.780441] inode_doinit_with_dentry:
>>>> context_to_sid(root:object_r:staff_tmpfs_t) returned 22 for dev=md2
>>>> ino=961000
>>>> [ 265.282465] audit(1200225126.688:46): avc: denied { entrypoint }
>>>> for pid=6208 comm="sshd" path="/bin/bash" dev=md0 ino=49189
>>>> scontext=root:system_r:system_chkpwd_t
>>>> tcontext=system_u:object_r:shell_exec_t tclass=file
>>>> [ 265.282727] audit(1200225126.688:47): avc: denied { read write }
>>>> for pid=6208 comm="bash" name="0" dev=devpts ino=2
>>>> scontext=root:system_r:system_chkpwd_t
>>>> tcontext=root:object_r:sshd_devpts_t tclass=chr_file
>>>>
>>>> Any ideas?
>>>>
>>>>
>>>> Also, was getting some denials because /lib was not labeled:
>>>> lrwxrwxrwx root root system_u:object_r:default_t /lib -> lib64
>>>> I had to add this to file_contexts:
>>>> /lib -l system_u:object_r:lib_t
>>>> How come?
>>>>
>>>> Cheers
>>>> Antoine
>>>>
--
gentoo-hardened@l.g.o mailing list
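An added example, not part of the thread: a small Python parser for the AVC denial lines quoted above, with the two denials reflowed onto single lines as constructed sample input. It pulls the source and target types out of each record and flags the `entrypoint` denial, which is the record that shows sshd was already running in system_chkpwd_t when it exec'd /bin/bash; in enforcing mode that exec would be refused, in permissive mode it goes ahead and bash keeps the wrong domain, exactly what the ps output shows.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two AVC denials quoted in the thread, reflowed onto
# one line each, plus the inode_doinit line, which is not an AVC record and is skipped.
SAMPLE_LOG = """\
[  140.780441] inode_doinit_with_dentry: context_to_sid(root:object_r:staff_tmpfs_t) returned 22 for dev=md2 ino=961000
[  265.282465] audit(1200225126.688:46): avc:  denied  { entrypoint } for  pid=6208 comm="sshd" path="/bin/bash" dev=md0 ino=49189 scontext=root:system_r:system_chkpwd_t tcontext=system_u:object_r:shell_exec_t tclass=file
[  265.282727] audit(1200225126.688:47): avc:  denied  { read write } for  pid=6208 comm="bash" name="0" dev=devpts ino=2 scontext=root:system_r:system_chkpwd_t tcontext=root:object_r:sshd_devpts_t tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

@dataclass
class AvcRecord:
    result: str      # "denied" or "granted"
    perms: tuple     # permissions inside the braces, e.g. ("read", "write")
    fields: dict     # pid, comm, path/name, scontext, tcontext, tclass, ...

def parse_avc(log: str) -> list:
    """Return one AvcRecord per 'avc:' line; other kernel lines are ignored."""
    records = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append(AvcRecord(m.group("result"), tuple(m.group("perms").split()), fields))
    return records

def type_of(context: str) -> str:
    """Pull the type out of a user:role:type[:range] security context."""
    return context.split(":")[2]

def entrypoint_problems(records) -> list:
    """Describe each denied 'entrypoint' check: the file type is not an entrypoint for
    the source domain, so the exec was attempted from a domain that may not run it.
    In permissive mode the exec proceeds and the child stays in the source domain."""
    out = []
    for r in records:
        if r.result == "denied" and "entrypoint" in r.perms and r.fields.get("tclass") == "file":
            out.append(f"{r.fields['comm']} pid {r.fields['pid']} in {type_of(r.fields['scontext'])} "
                       f"exec'd {r.fields.get('path', '?')} ({type_of(r.fields['tcontext'])}): "
                       f"no entrypoint permission, child stays in {type_of(r.fields['scontext'])}")
    return out

if __name__ == "__main__":
    print("\n".join(entrypoint_problems(parse_avc(SAMPLE_LOG))))
```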