Gentoo Archives: gentoo-hardened

From: "Jan Dušek" <j.d@×××××××××.cz>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] sshd not working in enforcing mode
Date: Wed, 25 Feb 2004 14:21:06
Message-Id: 403CAF49.6000800@most.ujep.cz
OK, you were right about the logging stuff - now I'm getting the
following error (among others :)) just after restarting sshd:

...
avc: denied { read write } for pid=11273 exe=/usr/sbin/sshd
path=/dev/tty2 dev=08:03 ino=325331 scontext=system_u:system_r:sshd_t
tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file
...

What is strange is the fact that I don't see any other errors related to
ssh if I login to this machine via ssh (still in permissive mode).

So is there anything I can do about this error message? E.g. can I
adjust the access rights somehow to make it accessible for the source
context? (I repeat I'm new to SELinux so please tell me if I'm saying
something stupid.)


--jd

Michael Ihde wrote:
> Jan,
>
> I've had the same problem. However, I get quite a few dmesg outputs.
> From what I can tell SELinux caches the avc messages and only prints out
> unique ones. When I reload the policy it clears the cache and the
> messages are printed out again.
>
> I've been adding some policies to domains/misc/local.te to try and get
> it to work. With all the local.te policies removed these are the
> messages I get using these commands
>
> $ dmesg -c
> $ make reload
> $ run_init /etc/init.d/sshd restart
>
> (From remote machine)
> ssh <selinux_host>
>
> This was run in permissive mode so it did allow a log-in. I've added
>
>
> ~Michael
>
>
> avc: denied { read } for pid=1215 exe=/usr/bin/checkpolicy
> name=urandom dev=03:47 ino=575343 scontext=root:sysadm_r:checkpolicy_t
> tcontext=system_u:object_r:random_device_t tclass=chr_file
>
> avc: denied { read } for pid=1229 exe=/usr/sbin/load_policy
> name=urandom dev=03:47 ino=575343 scontext=root:sysadm_r:load_policy_t
> tcontext=system_u:object_r:random_device_t tclass=chr_file
>
> avc: granted { load_policy } for pid=1229 exe=/usr/sbin/load_policy
> scontext=root:sysadm_r:load_policy_t
> tcontext=system_u:object_r:security_t tclass=security
> security: 3 users, 6 roles, 356 types
> security: 30 classes, 21122 rules
>
> avc: denied { append } for pid=839 exe=/usr/sbin/syslog-ng
> path=/dev/tty12 dev=03:47 ino=575428
> scontext=system_u:system_r:syslogd_t
> tcontext=system_u:object_r:tty_device_t tclass=chr_file
>
> avc: denied { read } for pid=1232 exe=/usr/sbin/run_init name=urandom
> dev=03:47 ino=575343 scontext=root:sysadm_r:run_init_t
> tcontext=system_u:object_r:random_device_t tclass=chr_file
>
> avc: denied { read write } for pid=1281 exe=/usr/sbin/sshd
> path=/dev/tty1 dev=03:47 ino=575461 scontext=system_u:system_r:sshd_t
> tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file
>
> avc: denied { read } for pid=1284 exe=/sbin/insmod name=urandom
> dev=03:47 ino=575343 scontext=system_u:system_r:insmod_t
> tcontext=system_u:object_r:random_device_t tclass=chr_file
>
> avc: denied { read write } for pid=1291 exe=/usr/sbin/sshd name=ptyp0
> dev=03:47 ino=575701 scontext=system_u:system_r:sshd_t
> tcontext=system_u:object_r:device_t tclass=chr_file
>
> avc: denied { ioctl } for pid=1291 exe=/usr/sbin/sshd path=/dev/ptyp0
> dev=03:47 ino=575701 scontext=system_u:system_r:sshd_t
> tcontext=system_u:object_r:device_t tclass=chr_file
>
> avc: denied { getattr } for pid=1291 exe=/usr/sbin/sshd name=ptyp0
> dev=03:47 ino=575701 scontext=system_u:system_r:sshd_t
> tcontext=system_u:object_r:device_t tclass=chr_file
>
> avc: denied { getattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
> dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> tcontext=root:object_r:staff_tty_device_t tclass=chr_file
>
> avc: denied { setattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
> dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> tcontext=root:object_r:staff_tty_device_t tclass=chr_file
>
> avc: denied { read write } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
> dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> tcontext=root:object_r:staff_tty_device_t tclass=chr_file
>
> avc: denied { ioctl } for pid=1291 exe=/usr/sbin/sshd path=/dev/ttyp0
> dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> tcontext=root:object_r:staff_tty_device_t tclass=chr_file
>
> avc: denied { relabelfrom } for pid=1291 exe=/usr/sbin/sshd
> name=ttyp0 dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> tcontext=root:object_r:staff_tty_device_t tclass=chr_file
>
> avc: denied { relabelto } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
> dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> tcontext=user_u:object_r:user_tty_device_t tclass=chr_file
>
> avc: denied { getattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
> dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> tcontext=user_u:object_r:user_tty_device_t tclass=chr_file
>
> avc: denied { setattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
> dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> tcontext=user_u:object_r:user_tty_device_t tclass=chr_file
>
> avc: denied { read write } for pid=1293 exe=/usr/sbin/sshd
> path=/dev/ttyp0 dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> tcontext=user_u:object_r:user_tty_device_t tclass=chr_file
>
> avc: denied { ioctl } for pid=1293 exe=/usr/sbin/sshd path=/dev/ttyp0
> dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> tcontext=user_u:object_r:user_tty_device_t tclass=chr_file

--
gentoo-hardened@g.o mailing list
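One way to turn the AVC denials quoted in this thread into candidate policy rules to review before putting anything into local.te, as an added example that is not part of the original thread: it parses the dmesg format shown above, keeps only the "denied" records, and merges permissions per (source type, target type, class) the way audit2allow does. The sample dmesg text is constructed from the messages above; the parsing and grouping are my own, not audit2allow's code.

```python
import re
from collections import defaultdict

# Sample dmesg lines, constructed from the AVC messages quoted in this thread.
SAMPLE_DMESG = """\
avc: denied { read write } for pid=11273 exe=/usr/sbin/sshd path=/dev/tty2 dev=08:03 ino=325331 scontext=system_u:system_r:sshd_t tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file
avc: denied { read } for pid=1232 exe=/usr/sbin/run_init name=urandom dev=03:47 ino=575343 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:random_device_t tclass=chr_file
avc: granted { load_policy } for pid=1229 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
avc: denied { read write } for pid=1291 exe=/usr/sbin/sshd name=ttyp0 dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t tcontext=root:object_r:staff_tty_device_t tclass=chr_file
avc: denied { ioctl } for pid=1291 exe=/usr/sbin/sshd path=/dev/ttyp0 dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t tcontext=root:object_r:staff_tty_device_t tclass=chr_file
avc: denied { relabelfrom } for pid=1291 exe=/usr/sbin/sshd name=ttyp0 dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t tcontext=root:object_r:staff_tty_device_t tclass=chr_file
avc: denied { relabelto } for pid=1291 exe=/usr/sbin/sshd name=ttyp0 dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t tcontext=user_u:object_r:user_tty_device_t tclass=chr_file
"""

# "avc: denied { read write } for pid=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)


def parse_avc(line):
    """Return a dict for one AVC line, or None for lines that are not AVC messages."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": set(m.group("perms").split())}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = val  # pid, exe, path/name, dev, ino, scontext, tcontext, tclass
    return rec


def context_type(ctx):
    """user:role:type -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]


def candidate_rules(text):
    """Merge denials by (source type, target type, class) into allow statements.
    Each returned rule is a candidate to review, not something to add blindly:
    e.g. sshd_t touching sysadm_tty_device_t deserves a look at why it happens."""
    merged = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["verdict"] != "denied":
            continue  # skip non-AVC lines and "granted" records
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        merged[key] |= rec["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_DMESG):
        print(rule)
```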