| 1 |
Peter Hjalmarsson wrote: |
| 2 |
> You know Chris PeBenito did send a suggestion on the list the other day. |
| 3 |
can't find it - was it this year? |
| 4 |
|
| 5 |
> |
| 6 |
> By the way have you really done a 'rlpkg -ar' on your filesystem? |
| 7 |
Yep, done that, tried setfilecon/restorecon too |
| 8 |
(but it looked like everything is labeled correctly anyway) |
| 9 |
/lib is just missing from file_contexts |
| 10 |
|
| 11 |
> And if you (re)start any service by hand, remember to do it with |
| 12 |
> 'run_init /etc/init.d/servicename'. |
| 13 |
ssh is running in the right context: |
| 14 |
root:system_r:sshd_t root 27480 7767 0 02:53 ? |
| 15 |
00:00:00 sshd: root@pts/1 |
| 16 |
But bash isn't: |
| 17 |
root:system_r:system_chkpwd_t root 27482 27480 0 02:53 pts/1 |
| 18 |
00:00:00 -bash |
| 19 |
Even though it is started by sshd (parent pid 27840) and it has the |
| 20 |
right label: |
| 21 |
-rwxr-xr-x root root system_u:object_r:shell_exec_t /bin/bash |
| 22 |
|
| 23 |
Stumped |
| 24 |
Antoine |
| 25 |
|
| 26 |
|
| 27 |
> |
| 28 |
> |
| 29 |
> |
| 30 |
> On lör, 2008-01-26 at 13:12 +0000, Antoine Martin wrote: |
| 31 |
> Anyone? |
| 32 |
> |
| 33 |
> With 2005.1 soon removed, I would like to have these issues cleared up |
| 34 |
> sooner rather than later... |
| 35 |
> |
| 36 |
> Antoine Martin wrote: |
| 37 |
>>>> Hi, |
| 38 |
>>>> |
| 39 |
>>>> make.profile -> ../usr/portage/profiles/selinux/2007.0/amd64 |
| 40 |
>>>> Running 2.6.23.13 in non-enforcing mode, targetted policy. |
| 41 |
>>>> |
| 42 |
>>>> system_u:system_r:sshd_t root sshd: root@pts/0 |
| 43 |
>>>> root:system_r:system_chkpwd_t root pts/0 00:00:00 -bash |
| 44 |
>>>> |
| 45 |
>>>> The first denials: |
| 46 |
>>>> |
| 47 |
>>>> [ 140.780441] inode_doinit_with_dentry: |
| 48 |
>>>> context_to_sid(root:object_r:staff_tmpfs_t) returned 22 for dev=md2 |
| 49 |
>>>> ino=961000 |
| 50 |
>>>> [ 265.282465] audit(1200225126.688:46): avc: denied { entrypoint } |
| 51 |
>>>> for pid=6208 comm="sshd" path="/bin/bash" dev=md0 ino=49189 |
| 52 |
>>>> scontext=root:system_r:system_chkpwd_t |
| 53 |
>>>> tcontext=system_u:object_r:shell_exec_t tclass=file |
| 54 |
>>>> [ 265.282727] audit(1200225126.688:47): avc: denied { read write } |
| 55 |
>>>> for pid=6208 comm="bash" name="0" dev=devpts ino=2 |
| 56 |
>>>> scontext=root:system_r:system_chkpwd_t |
| 57 |
>>>> tcontext=root:object_r:sshd_devpts_t tclass=chr_file |
| 58 |
>>>> |
| 59 |
>>>> Any ideas? |
| 60 |
>>>> |
| 61 |
>>>> |
| 62 |
>>>> Also, was getting some denials because /lib was not labeled: |
| 63 |
>>>> lrwxrwxrwx root root system_u:object_r:default_t /lib -> lib64 |
| 64 |
>>>> I had to add this to file_contexts: |
| 65 |
>>>> /lib -l system_u:object_r:lib_t |
| 66 |
>>>> How come? |
| 67 |
>>>> |
| 68 |
>>>> Cheers |
| 69 |
>>>> Antoine |
| 70 |
>>>> |
| 71 |
-- |
| 72 |
gentoo-hardened@l.g.o mailing list |
Archives