From: vaclav.ovsik@i.cz (Václav Ovsík)
Date: Thu, 11 Sep 2008 14:50:25 +0200
Subject: [refpolicy] ssh issue with latest policy
In-Reply-To:
References:
Message-ID: <20080911125025.GA5448@bobek.pm.i.cz>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Sep 10, 2008 at 12:32:31PM -0700, Justin Mattock wrote:
> Hong,
> I can't seem to locate the post you sent a few days ago
> about logging into ssh. Anyways, I finally got around to logging into
> my machines with both the latest kernel and refpolicy;
> there was difficulty due to having /etc/host and /etc/sysctl.conf
> variables in these files preventing me from logging in.
> So with that in mind check and make sure those files
> are cleared of anything that might cause an error.
> As for the policy itself they were both in permissive mode
> via boot param, so having /etc/selinux/config in enforcing
> didn't cause an obstruction for me.
> hope this helps.

Maybe. And Hong has not replied yet whether he did relabel the file system. :)

I have tried to restart sshd with a nonsense context to show the problem
even in PERMISSIVE mode of SE Linux!

sid:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        default
sid:~# runcon sysadm_u:sysadm_r:sysadm_t:s0 /etc/init.d/ssh restart
sid:~# ps -H -Z -C sshd
LABEL                                    PID TTY      TIME     CMD
sysadm_u:sysadm_r:sysadm_t:s0            1944 ?       00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023  1808 ?       00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023  1810 ?       00:00:00 sshd

That is, the new parent process sshd is running with sysadm_u:sysadm_r:sysadm_t:s0.

zito@bobek:~$ ssh sid
Read from remote host sid: Connection reset by peer
Connection to sid closed.

sid:~# tail -2 /var/log/syslog
Sep 11 14:32:18 sid kernel: [ 649.880210] sshd[1954]: segfault at 2 ip b7ad5cea sp bfc2b04c error 4 in libc-2.7.so[b7a60000+155000]
Sep 11 14:32:18 sid kernel: [ 649.883080] type=1701 audit(1221136338.451:27): auid=4294967295 uid=1000 gid=1000 ses=4294967295 subj=sysadm_u:sysadm_r:sysadm_t:s0 pid=1954 comm="sshd" sig=11

This is mature for a bug report on openssh.

Conclusion: Running SE Linux in permissive mode can't prevent you from all
SE Linux problems every time! (in most cases yes, of course :)

--
Zito
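
The check below is an added example, not part of the original message or of refpolicy. It flags sshd processes, and sshd crash records in the audit trail, whose SELinux type is not the expected daemon domain, which is the condition the message reproduces. The function names and the EXPECTED_TYPE variable are assumptions made for this example; the sample input is constructed from the output quoted in the message.

```shell
#!/bin/sh
# Added example (not from the original message).
# EXPECTED_TYPE is an assumption: the domain of the correctly labelled sshd above.
EXPECTED_TYPE="${EXPECTED_TYPE:-sshd_t}"

# stdin: `ps -Z -C sshd` output. Prints "PID LABEL" for each process whose
# SELinux type (third field of user:role:type:level) is not EXPECTED_TYPE.
find_mislabeled() {
    awk -v want="$EXPECTED_TYPE" '
        NR == 1 && $1 == "LABEL" { next }      # skip the header row
        NF < 5 { next }                        # not a process row
        {
            n = split($1, ctx, ":")
            if (n < 3)               print $2, $1 " (no SELinux context)"
            else if (ctx[3] != want) print $2, $1
        }'
}

# stdin: syslog/audit lines. Prints "PID SUBJ" for each abnormal-termination
# record (type=1701, ANOM_ABEND) of sshd whose subject type is not EXPECTED_TYPE.
crashes_outside_domain() {
    awk -v want="$EXPECTED_TYPE" '
        /type=1701 / && /comm="sshd"/ {
            subj = ""; pid = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^subj=/) subj = substr($i, 6)
                if ($i ~ /^pid=/)  pid  = substr($i, 5)
            }
            n = split(subj, ctx, ":")
            if (n < 3 || ctx[3] != want) print pid, subj
        }'
}

# Constructed samples, copied from the output quoted in the message.
sample_ps() { cat <<'EOF'
LABEL                                    PID TTY      TIME     CMD
sysadm_u:sysadm_r:sysadm_t:s0            1944 ?       00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023  1808 ?       00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023  1810 ?       00:00:00 sshd
EOF
}
sample_log() { cat <<'EOF'
Sep 11 14:32:18 sid kernel: [ 649.883080] type=1701 audit(1221136338.451:27): auid=4294967295 uid=1000 gid=1000 ses=4294967295 subj=sysadm_u:sysadm_r:sysadm_t:s0 pid=1954 comm="sshd" sig=11
EOF
}

echo "sshd outside $EXPECTED_TYPE:";         sample_ps  | find_mislabeled
echo "sshd crashes outside $EXPECTED_TYPE:"; sample_log | crashes_outside_domain
```

On a live system, pipe `ps -Z -C sshd` and the syslog or audit log into the two functions instead of the samples.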