Hi Dan,
Thanks for your response.
We attempted to set ssh_sysadm_login to 1 in the booleans file for our strict policy. We also did a setsebool -P to turn on ssh_sysadm_login. We also modified the security context of the root user to root:sysadm_r:sysadm_t. We see a couple of issues now:
1. The value for ssh_sysadm_login is not persistent across reboots.
2. Even when ssh_sysadm_login is turned on we cannot log in as the root user.
The sealert messages seem to indicate the following. What else do we need to do to get it working?
[root@vos-cm98 ~]# sealert -l e7c8894d-a508-430a-a594-da2a693e585f
Summary:
SELinux is preventing sshd (sshd_t) "execute" to /lib/libdl-2.5.so (lib_t).
Detailed Description:
SELinux denied access requested by sshd. It is not expected that this access is required by sshd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /lib/libdl-2.5.so,
restorecon -v '/lib/libdl-2.5.so'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                system_u:system_r:sshd_t:s0
Target Context                system_u:object_r:lib_t:s0
Target Objects                /lib/libdl-2.5.so [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          vos-cm98.cisco.com
Source RPM Packages           openssh-server-4.3p2-36.el5
Target RPM Packages           glibc-2.5-42
Policy RPM                    selinux-policy-2.4.6-255.el5
Selinux Enabled               True
Policy Type                   strict
MLS Enabled                   False
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     vos-cm98.cisco.com
Platform                      Linux vos-cm98.cisco.com 2.6.18-160.el5PAE #1 SMP Mon Jul 27 17:45:11 EDT 2009 i686 i686
Alert Count                   3
First Seen                    Tue Sep 15 16:02:26 2009
Last Seen                     Tue Sep 15 17:51:19 2009
Local ID                      e7c8894d-a508-430a-a594-da2a693e585f
Line Numbers
Raw Audit Messages
host=vos-cm98.cisco.com type=AVC msg=audit(1253062279.960:406): avc: denied { execute } for pid=4261 comm="sshd" path="/lib/libdl-2.5.so" dev=dm-0 ino=51413920 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:lib_t tclass=file
host=vos-cm98.cisco.com type=SYSCALL msg=audit(1253062279.960:406): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=3078 a2=5 a3=802 items=0 ppid=3119 pid=4261 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t key=(null)
Thanks Anamitra
-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: Friday, September 11, 2009 1:49 PM
To: Anamitra Dutta Majumdar (anmajumd)
Subject: Re: Unconfining root user in strict policy mode
On 09/11/2009 04:34 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
We need a way to unconfine the root user with the strict policy loaded in RHEL5.4. Currently with the strict policy the security context for the root user is root:staff_r:staff_t. Is there a way to do so?
Thanks Anamitra & Radha
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
There is no unconfined_t for strict policy, but you can set the root account to log in as sysadm_t, which is very close.
You have to turn on ssh_sysadm_login if you want to log in via ssh as sysadm_t.
And I think removing staff_r from the root account will set it up to log in as sysadm_r,
something like
# semanage user -m -R "sysadm_r system_r" root
On 09/15/2009 08:58 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
Hi Dan,
Thanks for your response.
We attempted to set ssh_sysadm_login to 1 in the booleans file for our strict policy. We also did a setsebool -P to turn on ssh_sysadm_login. We also modified the security context of the root user to root:sysadm_r:sysadm_t. We see a couple of issues now:
- The value for ssh_sysadm_login is not persistent across reboots
setsebool -P should persist
From the looks of it, you never relabeled when you switched to the strict policy.
touch /.autorelabel
reboot
Make sure you boot in permissive mode (kernel option "enforcing=0").
- Even when ssh_sysadm_login is turned on we cannot log in as the root user.