2010-06-24 14:43:15

by Justin P. Mattock

Subject: [refpolicy] sshd and run_init

Quick question: I just set up sshd as a test with ipsec
(everything seems to be running OK with the latest policy).
The question I have is how do I run run_init to turn this service on and
off?
Right now the current role is staff_r.
Any links pointing in the right direction would be appreciated.

cheers,

Justin P. Mattock


2010-06-24 16:04:16

by domg472

Subject: [refpolicy] sshd and run_init

On 06/24/2010 04:43 PM, Justin P. Mattock wrote:
> quick question.. just set up sshd as a test with ipsec
> (everything seems to be running o.k. with the latest policy).
> the question I have is how do I run run_init to turn this service on and
> off?
> right now the current role is staff_r
> any link's pointing to the right direction would be appreciated..

newrole -r sysadm_r
su
run_init /etc/rc.d/init.d/sshd start

Does that work?
> cheers,
>
> Justin P. Mattock
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy



2010-06-24 16:10:44

by Justin P. Mattock

Subject: [refpolicy] sshd and run_init

On 06/24/2010 09:04 AM, Dominick Grift wrote:
> On 06/24/2010 04:43 PM, Justin P. Mattock wrote:
>> quick question.. just set up sshd as a test with ipsec
>> (everything seems to be running o.k. with the latest policy).
>> the question I have is how do I run run_init to turn this service on and
>> off?
>> right now the current role is staff_r
>> any link's pointing to the right direction would be appreciated..
>
> newrole -r sysadm_r
> su
> run_init /etc/rc.d/init.d/sshd start
>
> Does that work?

I'll try that out and see. Last I remember, though, staff_r can't go into
sysadm_r (but that was about a year ago when I tried). I'll see and post back.

Justin P. Mattock

2010-06-24 16:16:04

by domg472

Subject: [refpolicy] sshd and run_init

On 06/24/2010 06:10 PM, Justin P. Mattock wrote:
> On 06/24/2010 09:04 AM, Dominick Grift wrote:
>> On 06/24/2010 04:43 PM, Justin P. Mattock wrote:
>>> quick question.. just set up sshd as a test with ipsec
>>> (everything seems to be running o.k. with the latest policy).
>>> the question I have is how do I run run_init to turn this service on and
>>> off?
>>> right now the current role is staff_r
>>> any link's pointing to the right direction would be appreciated..
>>
>> newrole -r sysadm_r
>> su
>> run_init /etc/rc.d/init.d/sshd start
>>
>> Does that work?
>
> I'll try that out and see.. last I remember though staff_r cant go into
> sysadm_r(but this was about a year ago I tried). I'll see and post back.

So map sysadm_r to staff_u, or do newrole -r unconfined_r instead.

> Justin P. Mattock



2010-06-24 17:19:28

by Justin P. Mattock

Subject: [refpolicy] sshd and run_init

On 06/24/2010 09:16 AM, Dominick Grift wrote:
> On 06/24/2010 06:10 PM, Justin P. Mattock wrote:
>> On 06/24/2010 09:04 AM, Dominick Grift wrote:
>>> On 06/24/2010 04:43 PM, Justin P. Mattock wrote:
>>>> quick question.. just set up sshd as a test with ipsec
>>>> (everything seems to be running o.k. with the latest policy).
>>>> the question I have is how do I run run_init to turn this service on and
>>>> off?
>>>> right now the current role is staff_r
>>>> any link's pointing to the right direction would be appreciated..
>>>
>>> newrole -r sysadm_r
>>> su
>>> run_init /etc/rc.d/init.d/sshd start
>>>
>>> Does that work?
>>
>> I'll try that out and see.. last I remember though staff_r cant go into
>> sysadm_r(but this was about a year ago I tried). I'll see and post back.
>
> so map sysadm_r to staff_u or do newrole -r unconfined_r instead.
>
>> Justin P. Mattock
>
>

Maybe I have a mislabel, and/or polyinstantiation is messed up somewhere
on this machine. It seems I keep getting the same AVC generated even after
allowing it. Using the above procedure gives me these allow rules:

#============= sysadm_su_t ==============
allow sysadm_su_t user_home_dir_t:dir { write search add_name };

#============= xauth_t ==============
allow xauth_t user_home_dir_t:dir { write search add_name };

(maybe a boolean needs to be enabled?!!)


And the AVCs are as follows:


[ 51.954501] type=1100 audit(1277399132.954:12): user pid=2291
uid=1000 auid=1000 ses=1 subj=name:staff_r:chkpwd_t:s0
msg='op=PAM:unix_chkpwd acct="name" exe="/lib/security/unix_chkpwd"
hostname=? addr=? terminal=? res=success'
[ 85.796478] type=1100 audit(1277399166.795:13): user pid=2329
uid=1000 auid=1000 ses=1 subj=name:staff_r:chkpwd_t:s0
msg='op=PAM:unix_chkpwd acct="name" exe="/lib/security/unix_chkpwd"
hostname=? addr=? terminal=? res=success'
[ 90.515361] type=1100 audit(1277399171.514:14): user pid=2336
uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0
msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=?
terminal=/dev/pts/0 res=success'
[ 90.523846] type=1101 audit(1277399171.522:15): user pid=2336
uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0
msg='op=PAM:accounting acct="root" exe="/bin/su" hostname=? addr=?
terminal=/dev/pts/0 res=success'
[ 90.526476] type=1400 audit(1277399171.525:16): avc: denied {
search } for pid=2336 comm="su" name="root" dev=sda3 ino=3447
scontext=name:sysadm_r:sysadm_su_t:s0
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 90.526639] type=1300 audit(1277399171.525:16): arch=c000003e
syscall=4 success=no exit=-2 a0=616b90 a1=7fff7e52abc0 a2=7fff7e52abc0
a3=20 items=0 ppid=2331 pid=2336 auid=1000 uid=1000 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 sgid=0 tty=pts0 ses=1 comm="su" exe="/bin/su"
subj=name:sysadm_r:sysadm_su_t:s0 key=(null)
[ 90.526850] type=1103 audit(1277399171.525:17): user pid=2336
uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0
msg='op=PAM:setcred acct="root" exe="/bin/su" hostname=? addr=?
terminal=/dev/pts/0 res=success'
[ 92.344367] type=1400 audit(1277399173.344:18): avc: denied { write
} for pid=2336 comm="su" name="root" dev=sda3 ino=3447
scontext=name:sysadm_r:sysadm_su_t:s0
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.344411] type=1400 audit(1277399173.344:18): avc: denied {
add_name } for pid=2336 comm="su" name=".xauthzzG3Kx"
scontext=name:sysadm_r:sysadm_su_t:s0
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.344736] type=1300 audit(1277399173.344:18): arch=c000003e
syscall=2 success=yes exit=4 a0=619d3b a1=c2 a2=180 a3=132b1 items=0
ppid=2331 pid=2336 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts ses=1 comm="su" exe="/bin/su"
subj=name:sysadm_r:sysadm_su_t:s0 key=(null)
[ 92.349846] type=1400 audit(1277399173.349:19): avc: denied {
search } for pid=2343 comm="xauth" name="root" dev=sda3 ino=3447
scontext=name:sysadm_r:xauth_t:s0
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.350105] type=1300 audit(1277399173.349:19): arch=c000003e
syscall=4 success=no exit=-2 a0=7fff2223b7e0 a1=7fff2223bbf0
a2=7fff2223bbf0 a3=0 items=0 ppid=2336 pid=2343 auid=1000 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid fsgid=0 tty=pts0 ses=1 comm="xauth"
exe="/usr/bin/xauth" subj=name:sysadm_r:xauth_t:s0 key=(null)
[ 92.350215] type=1400 audit(1277399173.349:20): avc: denied { write
} for pid=2343 comm="xauth" name="root" dev=sda3 ino=3447
scontext=name:sysadm_r:xauth_t:s0
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.350267] type=1400 audit(1277399173.349:20): avc: denied {
add_name } for pid=2343 comm="xauth" name=".xauthzzG3Kx-c"
scontext=name:sysadm_r:xauth_t:s0
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.350526] type=1300 audit(1277399173.349:20): arch=c000003e
syscall=2 success=yes exit=2 a0=7fff2223b7e0 a1=c1 a2=180 a3=0 items=0
ppid=2336 pid=2343 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 es=1 comm="xauth" exe="/usr/bin/xauth"
subj=name:sysadm_r:xauth_t:s0 key=(null)
[ 92.351503] type=1400 audit(1277399173.351:21): avc: denied {
remove_name } for pid=2343 comm="xauth" name=".xauthzzG3Kx" dev=sda3
ino=592 scontext=name:sysadm_r:xauth_t:s0
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.351704] type=1300 audit(1277399173.351:21): arch=c000003e
syscall=87 success=yes exit=0 a0=609010 a1=7f79faa5ae60 a2=ecf
a3=7f79faa5aeb0 items=0 ppid=2336 pid=2343 auid=1000 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 gid=0 tty=pts0 ses=1 comm="xauth"
exe="/usr/bin/xauth" subj=name:sysadm_r:xauth_t:s0 key=(null)
[ 92.352825] type=1105 audit(1277399173.352:22): user pid=2336
uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0
msg='op=PAM:session_open acct="root" exe="/bin/su" hostname=? addr=?
terminal=/dev/pts/0 res=success'
[ 98.353197] type=1100 audit(1277399179.352:23): user pid=2348 uid=0
auid=1000 ses=1 subj=name:sysadm_r:run_init_t:s0
msg='op=PAM:authentication acct="name" exe="/usr/sbin/run_init"
hostname=? addr=? terminal=pts/0 res=success'
[ 98.359986] type=1101 audit(1277399179.358:24): user pid=2348 uid=0
auid=1000 ses=1 subj=name:sysadm_r:run_init_t:s0 msg='op=PAM:accounting
acct="name" exe="/usr/sbin/run_init" hostname=? addr=? terminal=pts/0
res=success'
[ 105.288236] type=1400 audit(1277399186.287:25): avc: denied {
remove_name } for pid=2336 comm="su" name=".xauthzzG3Kx" dev=sda3
ino=594 scontext=name:sysadm_r:sysadm_su_t:s0
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 105.288511] type=1300 audit(1277399186.287:25): arch=c000003e
syscall=87 success=yes exit=0 a0=617f50 a1=7f8ee314aa6a a2=619d60
a3=7f8ee5316cb0 items=0 ppid=2331 pid=2336 auid=1000 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid fsgid=0 tty=pts0 ses=1 comm="su"
exe="/bin/su" subj=name:sysadm_r:sysadm_su_t:s0 key=(null)
[ 105.288750] type=1106 audit(1277399186.288:26): user pid=2336 uid=0
auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0
msg='op=PAM:session_close acct="root" exe="/bin/su" hostname=? addr=?
terminal=/dev/pts/0 res=success'
[ 115.032652] type=1100 audit(1277399196.031:27): user pid=2392
uid=1000 auid=1000 ses=1 subj=name:sysadm_r:chkpwd_t:s0
msg='op=PAM:unix_chkpwd acct="name" exe="/lib/security/unix_chkpwd"
hostname=? addr=? terminal=? res=success'


Worst case scenario is I just boot into permissive mode, disable sshd
and not even worry about su/sudo...
(just being a lazy admin...)

Justin P. Mattock
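Added example (not from the thread and not refpolicy code): a small Python parser that groups the AVC denials quoted above the way audit2allow does and diffs them against the two rules posted in the last message. The sample records are those denials re-joined onto single lines; the comparison surfaces the remove_name denials, which the two quoted rules do not include.

```python
import re
# Constructed sample: the AVC denials quoted in the thread above, re-joined onto one line each.
SAMPLE_AUDIT = """\
[   90.526476] type=1400 audit(1277399171.525:16): avc:  denied  { search } for  pid=2336 comm="su" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.344367] type=1400 audit(1277399173.344:18): avc:  denied  { write } for  pid=2336 comm="su" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.344411] type=1400 audit(1277399173.344:18): avc:  denied  { add_name } for  pid=2336 comm="su" name=".xauthzzG3Kx" scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.349846] type=1400 audit(1277399173.349:19): avc:  denied  { search } for  pid=2343 comm="xauth" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.350215] type=1400 audit(1277399173.349:20): avc:  denied  { write } for  pid=2343 comm="xauth" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.350267] type=1400 audit(1277399173.349:20): avc:  denied  { add_name } for  pid=2343 comm="xauth" name=".xauthzzG3Kx-c" scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.351503] type=1400 audit(1277399173.351:21): avc:  denied  { remove_name } for  pid=2343 comm="xauth" name=".xauthzzG3Kx" dev=sda3 ino=592 scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[  105.288236] type=1400 audit(1277399186.287:25): avc:  denied  { remove_name } for  pid=2336 comm="su" name=".xauthzzG3Kx" dev=sda3 ino=594 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
"""

# Permission set, source/target context and object class of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perm); non-AVC records yield nothing."""
    for m in filter(None, map(AVC_RE.search, text.splitlines())):
        stype = m.group("scontext").split(":")[2]  # user:role:TYPE:level
        ttype = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            yield stype, ttype, m.group("tclass"), perm

def aggregate_denials(text):
    """Group denied perms by (source type, target type, class), one allow rule each."""
    agg = {}
    for stype, ttype, tclass, perm in parse_avc_denials(text):
        agg.setdefault((stype, ttype, tclass), set()).add(perm)
    return agg

def to_allow_rules(text):
    """Render each group as an audit2allow-style rule, in sorted order."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(aggregate_denials(text).items())]

def missing_permissions(text, allowed):
    """Permissions the denials need that `allowed` (same key shape) does not grant."""
    return {key: perms - allowed.get(key, set())
            for key, perms in aggregate_denials(text).items()
            if perms - allowed.get(key, set())}

# The two rules quoted in the message above (audit2allow output).
RULES_FROM_THREAD = {
    ("sysadm_su_t", "user_home_dir_t", "dir"): {"write", "search", "add_name"},
    ("xauth_t", "user_home_dir_t", "dir"): {"write", "search", "add_name"},
}
```

Running `missing_permissions(SAMPLE_AUDIT, RULES_FROM_THREAD)` reports remove_name for both source types, which is why re-running the same steps after loading only those two rules still produces denials from the same domains.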