On 12/31/2009 05:06 AM, Grzegorz Nosek wrote:
Hi all,
I have a problem trying to run sshd via xinetd on a CentOS 5.4 system (I want to slap a tcpwrappers-style wrapper before sshd, so I need it that way).
In permissive mode I can log in/out with the following failures reported by audit2allow:
    allow amanda_t consoletype_exec_t:file { execute execute_no_trans };
    allow amanda_t devpts_t:chr_file { write ioctl };
    allow amanda_t hostname_exec_t:file { execute execute_no_trans };
    allow amanda_t shell_exec_t:file entrypoint;
I don't even have amanda installed, so the context is clearly bogus.
After a chat on #fedora-selinux it seems that sshd cannot find its default context, so falls back to the first available one, which happens to be something:something:amanda_t (the list is read from /selinux/user). This operation is performed by sshd itself (as verified by strace).
I don't need Fort Knox type security but I'd like to use SELinux to tighten down other parts of the system, so I'd really like to use the enforcing mode.
Any hints? A good TFM to R will hopefully do.
Best regards, Grzegorz Nosek
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This looks like you have a very screwed up system.
What domain is sshd running with?
ps -eZ | grep sshd
You could try a relabel:
touch /.autorelabel; reboot
This should get all the processes running in the correct domain.
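An added check, not from either message in this thread, that automates the `ps -eZ | grep sshd` step: it reads `ps -eZ` output and reports any sshd process whose type is not the expected domain (the bogus amanda_t fallback described above would be flagged). The expected domain sshd_t and the sample ps lines are assumptions constructed for the example.

```shell
# Added example, not from the thread. Expected domain is an assumption;
# the ps -eZ lines below are constructed sample data, not real output.
expected_sshd_domain="sshd_t"

# sample_ps_output: constructed lines in `ps -eZ` format
# (context PID TTY TIME CMD); the amanda_t sshd mirrors the thread's symptom.
sample_ps_output() {
cat <<'EOF'
system_u:system_r:xinetd_t:s0        1234 ?        00:00:00 xinetd
system_u:system_r:amanda_t:s0        1300 ?        00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1355 ?     00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0 1400 pts/0 00:00:00 bash
EOF
}

# check_sshd_domains: read `ps -eZ` lines on stdin; print "PID context" for
# every sshd process whose SELinux type is not the expected one.
# Returns 1 if any such process was found, 0 otherwise.
check_sshd_domains() {
    awk -v want="$expected_sshd_domain" '
        $NF == "sshd" {
            split($1, f, ":")          # user:role:type[:range]
            if (f[3] != want) { print $2, $1; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Live usage: ps -eZ | check_sshd_domains
sample_ps_output | check_sshd_domains
```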