From: vaclav.ovsik@i.cz (=?iso-8859-1?Q?V=E1clav_Ovs=EDk?=)
Date: Thu, 11 Sep 2008 14:50:25 +0200
Subject: [refpolicy] ssh issue with latest policy
In-Reply-To: <dd18b0c30809101232la13c43mee3d9ab0bfe2f509@mail.gmail.com>
References: <dd18b0c30809101232la13c43mee3d9ab0bfe2f509@mail.gmail.com>
Message-ID: <20080911125025.GA5448@bobek.pm.i.cz>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Sep 10, 2008 at 12:32:31PM -0700, Justin Mattock wrote:
> Hong,
> I cant seem to locate the post you sent a few days ago
> about logging into ssh. anyways I finally got around to logging into
> my machines with both the latest kernel and refpolicy;
> there was difficulty due to having /etc/host and /etc/sysctl.conf
> variables in these files preventing me from logging in.
> So with that in mind check and make sure those files
> are cleared of anything that might cause an error.
> As for the policy itself they were both in permissive mode
> via boot param, so having /etc/selinux/config in enforcing
> didnt cause an ubstruction for me.
> hope this helps.

May be. And Hong not replied yet if he did relabel the file system. :)

I have tried to restart sshd with nonsense context to show the problem
even with PERMISSIVE mode of SE Linux!

sid:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        default

sid:~# runcon sysadm_u:sysadm_r:sysadm_t:s0 /etc/init.d/ssh restart

sid:~# ps -H -Z -C sshd
LABEL                             PID TTY          TIME CMD
sysadm_u:sysadm_r:sysadm_t:s0    1944 ?        00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1808 ? 00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1810 ? 00:00:00   sshd

That is the new parent process sshd running with sysadm_u:sysadm_r:sysadm_t:s0.

zito at bobek:~$ ssh sid
Read from remote host sid: Connection reset by peer
Connection to sid closed.

sid:~# tail -2 /var/log/syslog
Sep 11 14:32:18 sid kernel: [  649.880210] sshd[1954]: segfault at 2 ip b7ad5cea sp bfc2b04c error 4 in libc-2.7.so[b7a60000+155000]
Sep 11 14:32:18 sid kernel: [  649.883080] type=1701 audit(1221136338.451:27): auid=4294967295 uid=1000 gid=1000 ses=4294967295 subj=sysadm_u:sysadm_r:sysadm_t:s0 pid=1954 comm="sshd" sig=11


This is mature for bug report on openssh.
Conclusion: Running SE Linux in permissive mode can't prevent you from
all SE Linux problems every time! (in most cases yes of course :)

-- 
Zito