* Trouble logging in through SSH
@ 2011-02-04 23:22 Simon Peter Nicholls
  2011-02-05  8:33 ` Simon Peter Nicholls
  2011-02-05 13:37 ` Dominick Grift
  0 siblings, 2 replies; 7+ messages in thread
From: Simon Peter Nicholls @ 2011-02-04 23:22 UTC (permalink / raw)
  To: selinux

Hi All,

I'm having some trouble setting up SELinux using refpolicy, and am 
unable to log my test user in through ssh when in enforcing mode. Could 
someone help me work out where the problem lies? I have some basic 
experience with SELinux, but based on working Fedora systems that have 
gone slightly awry.

Similar denial messages to the ssh one are seen when trying to run 
software like Emacs in permissive mode. In each case it feels like I am 
restricted by the consoletype_t, whilst I was expecting to gain an 
unconfined_t type for my user (to match unconfined_u & unconfined_r).

I also expected to see the sshd_t type for the sshd process, but it is 
using init_t. Are transitions failing for my startup services?

Some detailed info follows; many thanks.

the denial when attempting ssh login
-------------------------------------------------
Feb  4 22:57:36 mailer kernel: type=1400 audit(1296856656.870:4): avc:  
denied  { entrypoint } for  pid=1003 comm="sshd" path="/bin/bash" 
dev=vda1 ino=1513 scontext=unconfined_u:unconfined_r:consoletype_t 
tcontext=system_u:object_r:shell_exec_t tclass=file

some debug.log for boot
--------------------------------
Feb  4 22:57:13 mailer kernel: SELinux: 2048 avtab hash slots, 211693 
rules.
Feb  4 22:57:13 mailer kernel: SELinux: 2048 avtab hash slots, 211693 
rules.
Feb  4 22:57:13 mailer kernel: SELinux:  6 users, 15 roles, 3386 types, 
143 bools
Feb  4 22:57:13 mailer kernel: SELinux:  77 classes, 211693 rules
Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in 
class file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in 
class dir not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class dir 
not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in 
class lnk_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission open in class 
lnk_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class 
lnk_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in 
class chr_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in 
class blk_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class 
blk_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in 
class sock_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class 
sock_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in 
class fifo_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class 
fifo_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux: the above unknown classes and 
permissions will be allowed
Feb  4 22:57:13 mailer kernel: SELinux:  Completing initialization.
Feb  4 22:57:13 mailer kernel: SELinux:  Setting up existing superblocks.
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev sysfs, type 
sysfs), uses genfs_contexts
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev rootfs, type 
rootfs), uses genfs_contexts
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev bdev, type 
bdev), uses genfs_contexts
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev proc, type 
proc), uses genfs_contexts
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev tmpfs, type 
tmpfs), uses transition SIDs
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev devtmpfs, type 
devtmpfs), uses transition SIDs
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev sockfs, type 
sockfs), uses task SIDs
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev debugfs, type 
debugfs), uses genfs_contexts
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev pipefs, type 
pipefs), uses task SIDs
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev anon_inodefs, 
type anon_inodefs), uses genfs_contexts
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev devpts, type 
devpts), uses transition SIDs
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev hugetlbfs, type 
hugetlbfs), uses transition SIDs
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev mqueue, type 
mqueue), uses transition SIDs
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev selinuxfs, type 
selinuxfs), uses genfs_contexts
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev sysfs, type 
sysfs), uses genfs_contexts
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev vda1, type 
ext4), uses xattr
Feb  4 22:57:13 mailer kernel: type=1403 audit(1296856630.883:2): policy 
loaded auid=4294967295 ses=4294967295
...
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev usbfs, type 
usbfs), uses genfs_contexts
...
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev tmpfs, type 
tmpfs), uses transition SIDs

sestatus -v
---------------
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        sipolicy

Process contexts:
Current context:                unconfined_u:unconfined_r:consoletype_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:init_t

File contexts:
Controlling term:               unconfined_u:object_r:devpts_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/bash                       system_u:object_r:shell_exec_t
/bin/login                      system_u:object_r:login_exec_t
/bin/sh                         system_u:object_r:bin_t -> 
system_u:object_r:shell_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/sbin/init                      system_u:object_r:init_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> 
system_u:object_r:lib_t

semanage login -l output
---------------------------------
Login Name                SELinux User

si                        unconfined_u
__default__               user_u
root                      root
system_u                  system_u

build.conf for policy
--------------------------
TYPE = standard
NAME = sipolicy
UNK_PERMS = allow #instead of deny, due to kernel boot complaints
DIRECT_INITRC = y
MONOLITHIC = n
UBAC = n

auth.log
-----------
Feb  4 22:57:54 mailer sshd[1005]: pam_selinux(sshd:session): pam: 
default-context=unconfined_u:unconfined_r:consoletype_t 
selected-context=(null) success 0
Feb  4 22:57:54 mailer sshd[1005]: pam_selinux(sshd:session): pam: 
default-context=unconfined_u:unconfined_r:consoletype_t 
selected-context=unconfined_u:unconfined_r:consoletype_t success 1

/etc/pam.d/sshd
--------------------
#%PAM-1.0
#auth           required        pam_securetty.so        #Disable remote 
root
auth            required        pam_unix.so
auth            required        pam_nologin.so
auth            required        pam_env.so
account         required        pam_unix.so
account         required        pam_time.so
password        required        pam_unix.so
# pam_selinux.so close should be the first session rule
session         required        pam_selinux.so close
# pam_selinux.so open should only be followed by sessions to be executed 
in the user context
session         required        pam_selinux.so open env_params
session         required        pam_unix_session.so
session         required        pam_limits.so

installed packages
------------------------
local/kernel26-selinux 2.6.36.3-1 (selinux selinux-system-utilities)
     The SELinux enabled Linux Kernel and modules
local/kernel26-selinux-headers 2.6.36.3-1 (selinux selinux-system-utilities)
     Header files and scripts for building modules for kernel26-selinux
local/selinux-coreutils 8.9-1 (selinux selinux-system-utilities)
     SELinux aware basic file, shell and text manipulation utilities of 
the GNU operating system
local/selinux-cronie 1.4.4-4 (selinux selinux-system-utilities)
     Fedora fork of vixie-cron with PAM and SELinux support
local/selinux-findutils 4.4.2-3 (selinux selinux-system-utilities)
     GNU utilities to locate files with Gentoo SELinux patch
local/selinux-flex 2.5.4a-4 (selinux selinux-system-utilities)
     A tool for generating text-scanning programs
local/selinux-logrotate 3.7.9-2 (selinux selinux-system-utilities)
     Tool to rotate system logs automatically with SELinux support
local/selinux-openssh 5.6p1-1 (selinux selinux-system-utilities)
     A Secure SHell server/client with SELinux support
local/selinux-pam 1.1.3-1 (selinux selinux-system-utilities)
     SELinux aware PAM (Pluggable Authentication Modules) library
local/selinux-procps 3.2.8-3 (selinux selinux-system-utilities)
     Utilities for monitoring your system and processes on your system 
with SELinux patch
local/selinux-psmisc 22.13-1 (selinux selinux-system-utilities)
     SELinux aware miscellaneous procfs tools
local/selinux-refpolicy 20101213-1 (selinux selinux-policies)
     Modular SELinux reference policy including headers and docs
local/selinux-refpolicy-src 20101213-1 (selinux selinux-policies)
     SELinux reference policy sources
local/selinux-setools 3.3.7-4 (selinux selinux-extras)
     SELinux SETools GUI and CLI tools and libraries for SELinux policy 
analysis
local/selinux-shadow 4.1.4.2-5 (selinux selinux-system-utilities)
     Shadow password file utilities with SELinux support
local/selinux-sudo 1.7.4p5-1 (selinux selinux-system-utilities)
     Give certain users the ability to run some commands as root with 
SELinux support
local/selinux-sysvinit 2.88-2 (selinux selinux-system-utilities)
     SELinux aware Linux System V Init
local/selinux-udev 165-1 (selinux selinux-system-utilities)
     The userspace dev tools (udev) with SELinux support
local/selinux-usr-checkpolicy 2.0.23-1 (selinux selinux-userspace)
     SELinux userspace (checkpolicy)
local/selinux-usr-libselinux 2.0.98-1 (selinux selinux-userspace)
     SELinux userspace (libselinux including python bindings)
local/selinux-usr-libsemanage 2.0.46-1 (selinux selinux-userspace)
     SELinux userspace (libsemanage including python bindings)
local/selinux-usr-libsepol 2.0.42-1 (selinux selinux-userspace)
     SELinux userspace (libsepol)
local/selinux-usr-policycoreutils 2.0.85-2 (selinux selinux-userspace)
     SELinux userspace (policycoreutils)
local/selinux-usr-sepolgen 1.0.23-4 (selinux selinux-userspace)
     SELinux userspace (sepolgen)
local/selinux-util-linux-ng 2.18-4 (selinux selinux-system-utilities)
     SELinux aware miscellaneous system utilities for Linux


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Trouble logging in through SSH
  2011-02-04 23:22 Trouble logging in through SSH Simon Peter Nicholls
@ 2011-02-05  8:33 ` Simon Peter Nicholls
  2011-02-05 13:26   ` Dominick Grift
  2011-02-05 13:27   ` Dominick Grift
  2011-02-05 13:37 ` Dominick Grift
  1 sibling, 2 replies; 7+ messages in thread
From: Simon Peter Nicholls @ 2011-02-05  8:33 UTC (permalink / raw)
  To: selinux

On 05/02/11 00:22, Simon Peter Nicholls wrote:
> Hi All,
>
> I'm having some trouble setting up SELinux using refpolicy, and am 
> unable to log my test user in through ssh when in enforcing mode. Could 
> someone help me work out where the problem lies? I have some basic 
> experience with SELinux, but based on working Fedora systems that have 
> gone slightly awry.
>
> Similar denial messages to the ssh one are seen when trying to run 
> software like Emacs in permissive mode. In each case it feels like I 
> am restricted by the consoletype_t, whilst I was expecting to gain an 
> unconfined_t type for my user (to match unconfined_u & unconfined_r).
>
> I also expected to see the sshd_t type for the sshd process, but it is 
> using init_t. Are transitions failing for my startup services?

Typical. The act of writing this gave substance to my suspicions. I 
checked the type for the SSH init script and it was incorrectly set 
to etc_t, the underlying reason being that Arch Linux uses the 
non-standard /etc/rc.d directory for its startup scripts.

As a quick test to confirm, I used chcon to set the sshd script to 
initrc_exec_t, rebooted, and I find I can log in under enforcing mode. 
The sshd process now has the sshd_t type, and my user also has the 
unconfined_u:unconfined_r:unconfined_t context, as I previously 
expected. The subsequent running of programs like Emacs is now no problem.

I have some log related denials however, which I'll look into. Any 
pointers would be appreciated.

Feb  5 09:13:41 mailer kernel: type=1400 audit(1296893621.240:3): avc:  denied  { write } for  pid=945 comm="sshd" name="log" dev=devtmpfs ino=4929 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:device_t tclass=sock_file
Feb  5 09:13:41 mailer kernel: type=1400 audit(1296893621.240:4): avc:  denied  { connectto } for  pid=945 comm="sshd" path="/dev/log" scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:init_t tclass=unix_stream_socket


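The three denials in this thread (the entrypoint denial from the first message and the two /dev/log denials above), parsed and triaged by a small script. This is an added example, not code from the thread. The expectation tables in it are assumptions taken from what the thread expects (a login session in unconfined_t, sshd in sshd_t, a daemon's listening socket not owned by init_t); devlog_t is the type reference policy assigns to /dev/log, and resolving a bare name= on devtmpfs to /dev/<name> is a heuristic.

```python
import re

# Constructed sample input: the three AVC denials quoted in this thread, re-joined
# onto one line each (the mail client had wrapped them with backslashes).
SAMPLE_AUDIT = """\
Feb  4 22:57:36 mailer kernel: type=1400 audit(1296856656.870:4): avc:  denied  { entrypoint } for  pid=1003 comm="sshd" path="/bin/bash" dev=vda1 ino=1513 scontext=unconfined_u:unconfined_r:consoletype_t tcontext=system_u:object_r:shell_exec_t tclass=file
Feb  5 09:13:41 mailer kernel: type=1400 audit(1296893621.240:3): avc:  denied  { write } for  pid=945 comm="sshd" name="log" dev=devtmpfs ino=4929 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:device_t tclass=sock_file
Feb  5 09:13:41 mailer kernel: type=1400 audit(1296893621.240:4): avc:  denied  { connectto } for  pid=945 comm="sshd" path="/dev/log" scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:init_t tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Expectations used by the triage. These are assumptions for this example, drawn from
# what the thread expects: a login session should land in unconfined_t and sshd should
# run in sshd_t. devlog_t is the type reference policy assigns to /dev/log.
EXPECTED_LOGIN_DOMAIN = "unconfined_t"
EXPECTED_LABEL = {"/dev/log": "devlog_t"}
# Generic labels a specific object should not end up with: they normally mean the
# object was created or relabelled without a matching file-context rule.
GENERIC_OBJECT_TYPES = {"device_t", "etc_t", "bin_t", "usr_t", "var_t", "default_t"}
# Domains a service should have transitioned out of when it started.
UNTRANSITIONED_DOMAINS = {"init_t", "initrc_t"}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] context string."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else parts[-1]


def parse_avc(line):
    """Parse one syslog line carrying an AVC message into a dict; None if it has none."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = bare if bare else quoted
    for side in ("scontext", "tcontext"):
        if side in rec:
            rec[side[0] + "type"] = context_type(rec[side])  # stype / ttype
    return rec


def target_path(rec):
    """Best-effort object path: path= when present, else name= resolved on devtmpfs.
    Heuristic (assumption): devtmpfs is mounted at /dev, so name=log means /dev/log."""
    if "path" in rec:
        return rec["path"]
    name = rec.get("name")
    if name and rec.get("dev") == "devtmpfs":
        return "/dev/" + name
    return name


def triage(rec):
    """Map one parsed denial to a list of (code, explanation) hints."""
    hints = []
    if rec.get("result") != "denied":
        return hints
    perms = set(rec["perms"])
    src, tgt, tclass = rec.get("stype"), rec.get("ttype"), rec.get("tclass")
    if "entrypoint" in perms and tclass == "file":
        hints.append(("wrong-login-domain",
                      f"session context has domain {src}, which has no entrypoint on {tgt}; "
                      f"expected {EXPECTED_LOGIN_DOMAIN}. Check the domain the login service "
                      "itself runs in (a mislabelled init script keeps it in init_t) "
                      "before blaming PAM"))
    if (tclass in ("file", "lnk_file", "sock_file", "chr_file", "blk_file", "dir")
            and tgt in GENERIC_OBJECT_TYPES):
        path = target_path(rec)
        want = EXPECTED_LABEL.get(path, "<expected_type>")
        hints.append(("mislabelled-object",
                      f"{path} carries generic type {tgt}; relabel persistently with "
                      f"'semanage fcontext -a -t {want} {path}' then 'restorecon -v {path}' "
                      "(chcon alone is undone by the next relabel)"))
    if tclass == "unix_stream_socket" and "connectto" in perms and tgt in UNTRANSITIONED_DOMAINS:
        hints.append(("peer-not-transitioned",
                      f"the listener on {target_path(rec)} runs in {tgt}: the daemon behind it "
                      "never left init's domain; check the labels of its executable and init script"))
    return hints


def triage_log(text):
    """Return [(record, hints)] for every AVC line in a log excerpt."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            out.append((rec, triage(rec)))
    return out


if __name__ == "__main__":
    for rec, hints in triage_log(SAMPLE_AUDIT):
        print(f"{rec.get('comm')} pid={rec.get('pid')} {' '.join(rec['perms'])} "
              f"{rec.get('stype')} -> {rec.get('ttype')} ({rec.get('tclass')})")
        for code, why in hints:
            print(f"  [{code}] {why}")
```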

* Re: Trouble logging in through SSH
  2011-02-05  8:33 ` Simon Peter Nicholls
@ 2011-02-05 13:26   ` Dominick Grift
  2011-02-05 13:27   ` Dominick Grift
  1 sibling, 0 replies; 7+ messages in thread
From: Dominick Grift @ 2011-02-05 13:26 UTC (permalink / raw)
  To: Simon Peter Nicholls; +Cc: selinux


On 02/05/2011 09:33 AM, Simon Peter Nicholls wrote:
> Typical. The act of writing this gave substance to my suspicions. I
> checked the type for the SSH init script and it was incorrectly set
> to etc_t, the underlying reason being that Arch Linux uses the
> non-standard /etc/rc.d directory for its startup scripts.
> 
> As a quick test to confirm, I used chcon to set the sshd script to
> initrc_exec_t, rebooted, and I find I can log in under enforcing mode.
> The sshd process now has the sshd_t type, and my user also has the
> unconfined_u:unconfined_r:unconfined_t context, as I previously
> expected. The subsequent running of programs like Emacs is now no problem.
> 
> I have some log related denials however, which I'll look into. Any
> pointers would be appreciated.

Looks like /dev/log is mislabelled for some reason.
Does syslog run in the proper domain?

> Feb  5 09:13:41 mailer kernel: type=1400 audit(1296893621.240:3): avc:  denied  { write } for  pid=945 comm="sshd" name="log" dev=devtmpfs ino=4929 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:device_t tclass=sock_file
> Feb  5 09:13:41 mailer kernel: type=1400 audit(1296893621.240:4): avc:  denied  { connectto } for  pid=945 comm="sshd" path="/dev/log" scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:init_t tclass=unix_stream_socket


* Re: Trouble logging in through SSH
  2011-02-05  8:33 ` Simon Peter Nicholls
  2011-02-05 13:26   ` Dominick Grift
@ 2011-02-05 13:27   ` Dominick Grift
  2011-02-06  9:28     ` Simon Peter Nicholls
  1 sibling, 1 reply; 7+ messages in thread
From: Dominick Grift @ 2011-02-05 13:27 UTC (permalink / raw)
  To: Simon Peter Nicholls; +Cc: selinux


On 02/05/2011 09:33 AM, Simon Peter Nicholls wrote:
> Typical. The act of writing this gave substance to my suspicions. I
> checked the type for the SSH init script and it was incorrectly set
> to etc_t, the underlying reason being that Arch Linux uses the
> non-standard /etc/rc.d directory for its startup scripts.
> 
> As a quick test to confirm, I used chcon to set the sshd script to
> initrc_exec_t, rebooted, and I find I can log in under enforcing mode.
> The sshd process now has the sshd_t type, and my user also has the
> unconfined_u:unconfined_r:unconfined_t context, as I previously
> expected. The subsequent running of programs like Emacs is now no problem.
> 
> I have some log related denials however, which I'll look into. Any
> pointers would be appreciated.
> 

By the way, these policy related questions should go to
refpolicy@oss.tresys.com maillist.



* Re: Trouble logging in through SSH
  2011-02-04 23:22 Trouble logging in through SSH Simon Peter Nicholls
  2011-02-05  8:33 ` Simon Peter Nicholls
@ 2011-02-05 13:37 ` Dominick Grift
  1 sibling, 0 replies; 7+ messages in thread
From: Dominick Grift @ 2011-02-05 13:37 UTC (permalink / raw)
  To: Simon Peter Nicholls; +Cc: selinux


On 02/05/2011 12:22 AM, Simon Peter Nicholls wrote:
> some debug.log for boot
> --------------------------------
> Feb  4 22:57:13 mailer kernel: SELinux: 2048 avtab hash slots, 211693
> rules.
> Feb  4 22:57:13 mailer kernel: SELinux: 2048 avtab hash slots, 211693
> rules.
> Feb  4 22:57:13 mailer kernel: SELinux:  6 users, 15 roles, 3386 types,
> 143 bools
> Feb  4 22:57:13 mailer kernel: SELinux:  77 classes, 211693 rules
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in
> class file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in
> class dir not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class dir
> not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in
> class lnk_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission open in class
> lnk_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class
> lnk_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in
> class chr_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in
> class blk_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class
> blk_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in
> class sock_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class
> sock_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in
> class fifo_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class
> fifo_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux: the above unknown classes and
> permissions will be allowed

Looks like you may have some issue in your flask/access_vectors file.
As far as I can tell these should all be defined in reference policy.

> Feb  4 22:57:13 mailer kernel: SELinux:  Completing initialization.
> Feb  4 22:57:13 mailer kernel: SELinux:  Setting up existing superblocks.
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev sysfs, type
> sysfs), uses genfs_contexts
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev rootfs, type
> rootfs), uses genfs_contexts
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev bdev, type
> bdev), uses genfs_contexts
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev proc, type
> proc), uses genfs_contexts
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev tmpfs, type
> tmpfs), uses transition SIDs
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev devtmpfs, type
> devtmpfs), uses transition SIDs
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev sockfs, type
> sockfs), uses task SIDs
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev debugfs, type
> debugfs), uses genfs_contexts
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev pipefs, type
> pipefs), uses task SIDs
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev anon_inodefs,
> type anon_inodefs), uses genfs_contexts
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev devpts, type
> devpts), uses transition SIDs
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev hugetlbfs, type
> hugetlbfs), uses transition SIDs
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev mqueue, type
> mqueue), uses transition SIDs
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev selinuxfs, type
> selinuxfs), uses genfs_contexts
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev sysfs, type
> sysfs), uses genfs_contexts
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev vda1, type
> ext4), uses xattr
> Feb  4 22:57:13 mailer kernel: type=1403 audit(1296856630.883:2): policy
> loaded auid=4294967295 ses=4294967295
> ...
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev usbfs, type
> usbfs), uses genfs_contexts
> ...
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev tmpfs, type
> tmpfs), uses transition SIDs
> 
> sestatus -v
> ---------------
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        sipolicy
> 
> Process contexts:
> Current context:                unconfined_u:unconfined_r:consoletype_t
> Init context:                   system_u:system_r:init_t
> /sbin/agetty                    system_u:system_r:getty_t
> /usr/sbin/sshd                  system_u:system_r:init_t
> 
> File contexts:
> Controlling term:               unconfined_u:object_r:devpts_t
> /etc/passwd                     system_u:object_r:etc_t
> /etc/shadow                     system_u:object_r:shadow_t
> /bin/bash                       system_u:object_r:shell_exec_t
> /bin/login                      system_u:object_r:login_exec_t
> /bin/sh                         system_u:object_r:bin_t ->
> system_u:object_r:shell_exec_t
> /sbin/agetty                    system_u:object_r:getty_exec_t
> /sbin/init                      system_u:object_r:init_exec_t
> /usr/sbin/sshd                  system_u:object_r:sshd_exec_t
> /lib/libc.so.6                  system_u:object_r:lib_t ->
> system_u:object_r:lib_t
> 
> semanage login -l output
> ---------------------------------
> Login Name                SELinux User
> 
> si                        unconfined_u
> __default__               user_u
> root                      root
> system_u                  system_u
> 
> build.conf for policy
> --------------------------
> TYPE = standard
> NAME = sipolicy
> UNK_PERMS = allow #instead of deny, due to kernel boot complaints
> DIRECT_INITRC = y
> MONOLITHIC = n
> UBAC = n
> 
> auth.log
> -----------
> Feb  4 22:57:54 mailer sshd[1005]: pam_selinux(sshd:session): pam:
> default-context=unconfined_u:unconfined_r:consoletype_t
> selected-context=(null) success 0
> Feb  4 22:57:54 mailer sshd[1005]: pam_selinux(sshd:session): pam:
> default-context=unconfined_u:unconfined_r:consoletype_t
> selected-context=unconfined_u:unconfined_r:consoletype_t success 1
> 
> /etc/pam.d/sshd
> --------------------
> #%PAM-1.0
> #auth           required        pam_securetty.so        #Disable remote
> root
> auth            required        pam_unix.so
> auth            required        pam_nologin.so
> auth            required        pam_env.so
> account         required        pam_unix.so
> account         required        pam_time.so
> password        required        pam_unix.so
> # pam_selinux.so close should be the first session rule
> session         required        pam_selinux.so close
> # pam_selinux.so open should only be followed by sessions to be executed
> in the user context
> session         required        pam_selinux.so open env_params
> session         required        pam_unix_session.so
> session         required        pam_limits.so
> 
> installed packages
> ------------------------
> local/kernel26-selinux 2.6.36.3-1 (selinux selinux-system-utilities)
>     The SELinux enabled Linux Kernel and modules
> local/kernel26-selinux-headers 2.6.36.3-1 (selinux
> selinux-system-utilities)
>     Header files and scripts for building modules for kernel26-selinux
> local/selinux-coreutils 8.9-1 (selinux selinux-system-utilities)
>     SELinux aware basic file, shell and text manipulation utilities of
> the GNU operating system
> local/selinux-cronie 1.4.4-4 (selinux selinux-system-utilities)
>     Fedora fork of vixie-cron with PAM and SELinux support
> local/selinux-findutils 4.4.2-3 (selinux selinux-system-utilities)
>     GNU utilities to locate files with Gentoo SELinux patch
> local/selinux-flex 2.5.4a-4 (selinux selinux-system-utilities)
>     A tool for generating text-scanning programs
> local/selinux-logrotate 3.7.9-2 (selinux selinux-system-utilities)
>     Tool to rotate system logs automatically with SELinux support
> local/selinux-openssh 5.6p1-1 (selinux selinux-system-utilities)
>     A Secure SHell server/client with SELinux support
> local/selinux-pam 1.1.3-1 (selinux selinux-system-utilities)
>     SELinux aware PAM (Pluggable Authentication Modules) library
> local/selinux-procps 3.2.8-3 (selinux selinux-system-utilities)
>     Utilities for monitoring your system and processes on your system
> with SELinux patch
> local/selinux-psmisc 22.13-1 (selinux selinux-system-utilities)
>     SELinux aware miscellaneous procfs tools
> local/selinux-refpolicy 20101213-1 (selinux selinux-policies)
>     Modular SELinux reference policy including headers and docs
> local/selinux-refpolicy-src 20101213-1 (selinux selinux-policies)
>     SELinux reference policy sources
> local/selinux-setools 3.3.7-4 (selinux selinux-extras)
>     SELinux SETools GUI and CLI tools and libraries for SELinux policy
> analysis
> local/selinux-shadow 4.1.4.2-5 (selinux selinux-system-utilities)
>     Shadow password file utilities with SELinux support
> local/selinux-sudo 1.7.4p5-1 (selinux selinux-system-utilities)
>     Give certain users the ability to run some commands as root with
> SELinux support
> local/selinux-sysvinit 2.88-2 (selinux selinux-system-utilities)
>     SELinux aware Linux System V Init
> local/selinux-udev 165-1 (selinux selinux-system-utilities)
>     The userspace dev tools (udev) with SELinux support
> local/selinux-usr-checkpolicy 2.0.23-1 (selinux selinux-userspace)
>     SELinux userspace (checkpolicy)
> local/selinux-usr-libselinux 2.0.98-1 (selinux selinux-userspace)
>     SELinux userspace (libselinux including python bindings)
> local/selinux-usr-libsemanage 2.0.46-1 (selinux selinux-userspace)
>     SELinux userspace (libsemanage including python bindings)
> local/selinux-usr-libsepol 2.0.42-1 (selinux selinux-userspace)
>     SELinux userspace (libsepol)
> local/selinux-usr-policycoreutils 2.0.85-2 (selinux selinux-userspace)
>     SELinux userspace (policycoreutils)
> local/selinux-usr-sepolgen 1.0.23-4 (selinux selinux-userspace)
>     SELinux userspace (sepolgen)
> local/selinux-util-linux-ng 2.18-4 (selinux selinux-system-utilities)
>     SELinux aware miscellaneous system utilities for Linux


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Trouble logging in through SSH
  2011-02-05 13:27   ` Dominick Grift
@ 2011-02-06  9:28     ` Simon Peter Nicholls
  2011-02-06 10:52       ` Dominick Grift
  0 siblings, 1 reply; 7+ messages in thread
From: Simon Peter Nicholls @ 2011-02-06  9:28 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux

On 05/02/11 14:27, Dominick Grift wrote:
> By the way, these policy related questions should go to
> refpolicy@oss.tresys.com maillist.

Hi Dominick, thanks for your replies to my issues.

When I hit trouble, I thought I had hit something other than regular 
policy issues, but this was incorrect. I have missing access_vectors, 
and face some other issues (due to a combination of recent software and 
non-standard file locations), but all appear to be surmountable through 
a custom policy build.

I've learned a lot in a short time, thanks in large part to reading some 
key posts in this mailing list, and my system is firmly in the realm of 
policy tweaking now. Mostly I'm twiddling booleans and changing file 
contexts to match Arch Linux at this point, with cron and syslog-ng the 
only services with issues. My "semanage permissive -a" functionality is 
broken, as the "/var/lib/selinux" path I see hardcoded into semanage 
does not exist on my system, but it was no bother to hand code a 
permissive module to get my logging working for now. So I can run 
enforcing from boot whilst I finish up, no problem.

It looks like Fedora have already addressed some of the core refpolicy 
issues I've faced (problems unrelated to Arch file locations), but 
patches had not made it upstream the last time I checked. I'd also like 
to see a passenger module make it into refpolicy. So, I still have some 
outstanding refpolicy queries, which I'll take over to the mailing list 
you mention.

Thanks again.



* Re: Trouble logging in through SSH
  2011-02-06  9:28     ` Simon Peter Nicholls
@ 2011-02-06 10:52       ` Dominick Grift
  0 siblings, 0 replies; 7+ messages in thread
From: Dominick Grift @ 2011-02-06 10:52 UTC (permalink / raw)
  To: selinux


On Sun, Feb 06, 2011 at 10:28:48AM +0100, Simon Peter Nicholls wrote:
> On 05/02/11 14:27, Dominick Grift wrote:
> >By the way, these policy related questions should go to
> >refpolicy@oss.tresys.com maillist.
> 
> Hi Dominick, thanks for your replies to my issues.
> 
> When I hit trouble, I thought I had hit something other than regular
> policy issues, but this was incorrect. I have missing
> access_vectors, and face some other issues (due to a combination of
> recent software and non-standard file locations), but all appear to
> be surmountable through a custom policy build.

Agreed, implementation of reference policy always requires modification to some extent.
Although I believe that the access vectors that you seem to be missing should have been included with the reference policy you are using.

> 
> I've learned a lot in a short time, thanks in large part to reading
> some key posts in this mailing list, and my system is firmly in the
> realm of policy tweaking now. Mostly I'm twiddling booleans and
> changing file contexts to match Arch Linux at this point, with cron
> and syslog-ng the only services with issues. My "semanage permissive
> -a" functionality is broken, as the "/var/lib/selinux" path I see
> hardcoded into semanage does not exist on my system, but it was no
> bother to hand code a permissive module to get my logging working
> for now. So I can run enforcing from boot whilst I finish up, no
> problem.
> 

Yes, maillist archives have much information. Also agree that most work is modifying the labelling specification to match your distro's requirements.

As for semanage permissive -a: this requires that the policy for semanage is modified to allow semanage these permissions. Red Hat has this semanage policy modified, but it is, I believe, not done in an acceptable way for reference policy, and so reference policy has not adopted Red Hat's solution for this. The /var/lib/selinux issue may be a packaging issue.

> It looks like Fedora have already addressed some of the core
> refpolicy issues I've faced (problems unrelated to Arch file
> locations), but patches had not made it upstream the last time I
> checked. I'd also like to see a passenger module make it into
> refpolicy. So, I still have some outstanding refpolicy queries,
> which I'll take over to the mailing list you mention.

You can indeed borrow some of Red Hat's solutions. Some of it is not acceptable for reference policy though, because it breaks policy/toolchain.
As for Passenger, I started work on a module for Ruby on Rails and Passenger but I was not able to finish it. Red Hat is using what I have for inspiration for a Passenger policy that they are working on. So that might show up in the near future.

> Thanks again.


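A hand-coded permissive module of the kind Simon describes as his workaround for a broken "semanage permissive -a", and that Dominick notes semanage itself needs extra policy for, as an added example that is not from the thread. It assumes checkmodule, semodule_package and semodule from policycoreutils are installed, and uses syslogd_t only as a constructed sample domain.

```shell
#!/bin/sh
# Added example, not from the thread: build and load a loadable module that
# marks one domain permissive, without going through the semanage store.
# Assumes checkmodule, semodule_package and semodule (policycoreutils).
set -e

# Write the raw (non-m4) module source; this is the same shape of module that
# "semanage permissive -a <type>" would generate on a working system.
write_permissive_te() {
    domain="$1"; out="$2"
    cat > "$out" <<EOF
module permissive_${domain} 1.0;

require {
    type ${domain};
}

# Only this domain becomes permissive: its denials are logged (AVC
# messages still appear) but not enforced, while the rest of the
# system keeps running in enforcing mode.
permissive ${domain};
EOF
}

# Compile the source into a binary module, package it and load it.
# Returns 2 (after writing the .te) when the SELinux toolchain is missing.
install_permissive_module() {
    domain="$1"
    te="permissive_${domain}.te"
    write_permissive_te "$domain" "$te"
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not found; wrote $te only" >&2
        return 2
    fi
    # -M: module (not base policy); -m: emit a loadable module
    checkmodule -M -m -o "permissive_${domain}.mod" "$te"
    semodule_package -o "permissive_${domain}.pp" -m "permissive_${domain}.mod"
    semodule -i "permissive_${domain}.pp"
}

# Sample use with the constructed domain; run as root on an SELinux host:
#   install_permissive_module syslogd_t
# Undo later with:  semodule -r permissive_syslogd_t
```

After loading, `semodule -l` lists permissive_syslogd_t, and the domain appears in `semanage permissive -l` where that command works.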

Thread overview: 7+ messages
2011-02-04 23:22 Trouble logging in through SSH Simon Peter Nicholls
2011-02-05  8:33 ` Simon Peter Nicholls
2011-02-05 13:26   ` Dominick Grift
2011-02-05 13:27   ` Dominick Grift
2011-02-06  9:28     ` Simon Peter Nicholls
2011-02-06 10:52       ` Dominick Grift
2011-02-05 13:37 ` Dominick Grift
