* login as sysadm_r remotely
@ 2004-10-23 11:23 Rene Cunningham
  2004-10-24 19:57 ` Ryan Graham
  2004-10-26 16:03 ` Russell Coker
  0 siblings, 2 replies; 4+ messages in thread
From: Rene Cunningham @ 2004-10-23 11:23 UTC (permalink / raw)
  To: SELinux

G'day,

I'm trying to allow remote logins via ssh as root to use the sysadm_r role
by default. At the moment root logs in using staff_r and newrole -r needs
to be executed. I do want to force logins via ttys to default to
staff_r though.

Looking at /etc/selinux/context/root_default_contexts I just need to
unhash the following

system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t

I rebuild the policy, though root still logs in as staff_r via ssh.

I'm running Debian with selinux-policy-default 1.14-2.

How do I enable this?

-- 

Rene Cunningham
DCLabs Pty Ltd
http://www.dclabs.com.au

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
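
Added example (not part of the original post or of any SELinux package): a Python sketch of how a login program resolves a default context from a line like the one quoted above. It assumes the libselinux behaviour that the file only orders the candidates and that only contexts the loaded policy reports as reachable are considered. The sample file and the two `reachable` sets are constructed, not read from a real system.

```python
# Added illustration (not from the thread): how an ordered default-contexts
# line is resolved. Assumption: the file only orders candidates; the loaded
# policy decides which of them the login program may actually enter.

# Constructed sample in the format quoted in the post (sshd line unhashed).
SAMPLE_DEFAULT_CONTEXTS = """\
# login-process context   candidate user contexts, most preferred first
system_r:local_login_t staff_r:staff_t user_r:user_t
system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
"""

# Constructed "reachable" sets standing in for what the policy reports.
REACHABLE_WITHOUT_SYSADM = {"staff_r:staff_t", "user_r:user_t"}
REACHABLE_WITH_SYSADM = REACHABLE_WITHOUT_SYSADM | {"sysadm_r:sysadm_t"}


def parse_default_contexts(text):
    """Map each login-process role:type to its ordered candidate list."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # a hashed line is ignored
        if not line:
            continue
        fields = line.split()
        for field in fields:
            if field.count(":") != 1:
                raise ValueError(f"malformed role:type entry: {field!r}")
        table[fields[0]] = fields[1:]
    return table


def default_context(table, login_ctx, reachable):
    """Return the first listed candidate that is also reachable, else None."""
    for candidate in table.get(login_ctx, []):
        if candidate in reachable:
            return candidate
    return None


if __name__ == "__main__":
    table = parse_default_contexts(SAMPLE_DEFAULT_CONTEXTS)
    for name, reach in (("without sysadm", REACHABLE_WITHOUT_SYSADM),
                        ("with sysadm", REACHABLE_WITH_SYSADM)):
        for src in ("system_r:sshd_t", "system_r:local_login_t"):
            print(name, src, "->", default_context(table, src, reach))
```

With the first set, editing the file alone leaves ssh logins at staff_r:staff_t; with the second, ssh resolves to sysadm_r:sysadm_t while the local login line still yields staff_r:staff_t.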


* Re: login as sysadm_r remotely
  2004-10-23 11:23 login as sysadm_r remotely Rene Cunningham
@ 2004-10-24 19:57 ` Ryan Graham
  2004-10-24 22:19   ` Rene Cunningham
  2004-10-26 16:03 ` Russell Coker
  1 sibling, 1 reply; 4+ messages in thread
From: Ryan Graham @ 2004-10-24 19:57 UTC (permalink / raw)
  To: Rene Cunningham; +Cc: selinux

I think they built a toggle for this into tunable.te. At least it is
there in whatever version I am running on Fedora.


On Sat, 23 Oct 2004 21:23:27 +1000, Rene Cunningham <rene@dclabs.com.au> wrote:
> G'day,
> 
> I'm trying to allow remote logins via ssh as root to use the sysadm_r role
> by default. At the moment root logs in using staff_r and newrole -r needs
> to be executed. I do want to force logins via ttys to default to
> staff_r though.
> 
> Looking at /etc/selinux/context/root_default_contexts I just need to
> unhash the following
> 
> system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
> 
> I rebuild the policy, though root still logs in as staff_r via ssh.
> 
> I'm running Debian with selinux-policy-default 1.14-2.
> 
> How do I enable this?

* Re: login as sysadm_r remotely
  2004-10-24 19:57 ` Ryan Graham
@ 2004-10-24 22:19   ` Rene Cunningham
  0 siblings, 0 replies; 4+ messages in thread
From: Rene Cunningham @ 2004-10-24 22:19 UTC (permalink / raw)
  To: ryan.graham+cr; +Cc: selinux

On Sun, Oct 24, 2004 at 12:57:58PM -0700, Ryan Graham wrote:
> I think they built a toggle for this into tunable.te. At least it is
> there in whatever version I am running on Fedora.

Yes, I did see that option. tunables/tunable.te has the following

define(`ssh_sysadm_login')

Enabling that still doesn't allow me to log in as sysadm_r via ssh. I also
tried setting the boolean option ssh_sysadm_login

# setsebool ssh_sysadm_login true
error setting boolean ssh_sysadm_login to value 1

# getsebool ssh_sysadm_login
Error getting active value for ssh_sysadm_login

-- 

Rene Cunningham
DCLabs Pty Ltd
http://www.dclabs.com.au
----------------------------------------
"Don't fear the pen. When in doubt, draw a pretty picture." 
   --Baker's Third Law of Design.


* Re: login as sysadm_r remotely
  2004-10-23 11:23 login as sysadm_r remotely Rene Cunningham
  2004-10-24 19:57 ` Ryan Graham
@ 2004-10-26 16:03 ` Russell Coker
  1 sibling, 0 replies; 4+ messages in thread
From: Russell Coker @ 2004-10-26 16:03 UTC (permalink / raw)
  To: Rene Cunningham; +Cc: SELinux

On Sat, 23 Oct 2004 21:23, Rene Cunningham <rene@dclabs.com.au> wrote:
> I'm trying to allow remote logins via ssh as root to use the sysadm_r role
> by default. At the moment root logs in using staff_r and newrole -r needs
> to be executed. I do want to force logins via ttys to default to
> staff_r though.

The new policy I have just uploaded to Debian and put on my site permits this.  
But note that you also need the new checkpolicy to match.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
