From: Dean Anderson <dean@av8.com>
To: Michael Luu <mluu@cougaarsoftware.com>
Cc: "'Russell Coker'" <russell@coker.com.au>, <selinux@tycho.nsa.gov>
Subject: RE: can't log into machine w/ ssh
Date: Thu, 24 Jul 2003 15:51:27 -0400 (EDT)
Message-ID: <Pine.LNX.4.44.0307241531570.23576-100000@vista.av8.net>
In-Reply-To: <000901c35213$a6ce2590$ef0111ac@mluudt>

Actually, you can only use run_init to run the rc scripts, and things run
directly by init. Only the RC scripts can start daemons. I also tried to
use run_init to directly start daemons, but it misses the transition from
init_t to initrc_t to sshd_t followed by init running the scripts:

domain_auto_trans(init_t, initrc_exec_t, initrc_t)
domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)

The correct way to restart daemons is to use run_init to run the
/etc/rc.d/init.d/<svc> restart script.  This is problematic for things
that are started out of rc.local. Possibly, separate rules could be made
for rc.local programs along the lines of domain_auto_trans(init_t,
sshd_exec_t, sshd_t) or perhaps a run_initrc program.

Though, probably, it's better to create a separate rc script for its admin
benefits...

		--Dean

On Thu, 24 Jul 2003, Michael Luu wrote:

> thanks for your help!
>
> mike
>
> -----Original Message-----
> From: Russell Coker [mailto:russell@coker.com.au]
> Sent: Thursday, July 24, 2003 11:11 AM
> To: Michael Luu; selinux@tycho.nsa.gov
> Subject: Re: can't log into machine w/ ssh
>
>
> On Thu, 24 Jul 2003 13:54, Michael Luu wrote:
> > when all else fails, rebooting the machine will make things work. :)
> > anyways, would you happen to know which services needs to be restarted
> > when i do add users and perform policy updates?
>
> Nothing needs to be restarted.
>
> I guess that you had sshd running in the wrong domain, and that when you
> rebooted it was started in the right domain.
>
> You have to use run_init to start daemons...
>
> --
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page
>
>
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
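
The transition chain discussed in this message, as an added example that is not part of the original post or of any SELinux tooling: a toy Python model of the two quoted domain_auto_trans rules, showing where a daemon start misses the path to sshd_t. The function names, the `sysadm_t` starting domain, and the "keep the current domain when no rule matches" behaviour are assumptions made for illustration.

```python
# Toy model of domain_auto_trans lookups (added illustration, not policy tooling).
# The two rules are the ones quoted in the message above.
RULES = {
    ("init_t", "initrc_exec_t"): "initrc_t",
    ("initrc_t", "sshd_exec_t"): "sshd_t",
}

def with_rc_local_rule(rules=RULES):
    """Rules plus the extra init_t -> sshd_t transition floated in the message."""
    return {**rules, ("init_t", "sshd_exec_t"): "sshd_t"}

def exec_chain(start_domain, exec_types, rules=RULES):
    """Follow a series of exec() calls; return the domain after each step.

    Simplification (assumption): when no rule matches, the process keeps its
    current domain. Real policy may instead deny the exec outright.
    """
    trace = [start_domain]
    for file_type in exec_types:
        trace.append(rules.get((trace[-1], file_type), trace[-1]))
    return trace

def first_missed_step(start_domain, exec_types, rules=RULES):
    """Return (domain, file_type) of the first exec with no rule, or None."""
    domain = start_domain
    for file_type in exec_types:
        if (domain, file_type) not in rules:
            return (domain, file_type)
        domain = rules[(domain, file_type)]
    return None

# Constructed scenarios. "sysadm_t" as the admin's shell domain is an assumption.
SCENARIOS = {
    "boot: init -> rc script -> sshd": ("init_t", ["initrc_exec_t", "sshd_exec_t"]),
    "admin shell starts sshd directly": ("sysadm_t", ["sshd_exec_t"]),
    "init starts sshd without an rc script": ("init_t", ["sshd_exec_t"]),
}

def report(rules=RULES, expected="sshd_t"):
    """Map each scenario to (final domain, ok?, first exec that missed a rule)."""
    out = {}
    for name, (start, chain) in SCENARIOS.items():
        final = exec_chain(start, chain, rules)[-1]
        out[name] = (final, final == expected, first_missed_step(start, chain, rules))
    return out

if __name__ == "__main__":
    for label, rules in (("quoted rules", RULES), ("plus rc.local rule", with_rc_local_rule())):
        for name, result in report(rules).items():
            print(f"[{label}] {name}: {result}")
```
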

