From: justinmattock@gmail.com (Justin Mattock)
Date: Fri, 12 Sep 2008 05:39:29 -0700
Subject: [refpolicy] ssh issue with latest policy
In-Reply-To: <20080912102512.GA17901@bobek.pm.i.cz>
References: <20080911125025.GA5448@bobek.pm.i.cz> <37499.145.64.134.222.1221206972.squirrel@www.hardeman.nu> <20080912102512.GA17901@bobek.pm.i.cz>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Sep 12, 2008 at 3:25 AM, Václav Ovsík wrote:
> On Thu, Sep 11, 2008 at 02:01:08PM -0700, Justin Mattock wrote:
>>...
>> apologize for the latency with getting back to you;
>> you might have the ssh version from sid, if so
>> do /etc/init.d/ssh stop and start if you notice [fail] then that's the issue,
>> especially if people are booting up and not even manually starting the daemon.
>> As for the policy and ssh I'm in the process of
>> having two machines in full enforcing mode, having the ability
>> to do a ssh transaction(need to configure some things); As well
>> as vncviewer, and shoutcast; all with ipsec. (AH and ESP)
>> right now I've been able to run all three applications on the machine
>> that is in full enforcement, but it seems I'm having issues with ipsec
>> and shoutcast.
>> on the server side.
>> I'll get back to you on this.
>>
>> --
>> Justin P. Mattock
>
> I just reported the bug in sshd
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498684
> This is an upstream OpenSSH problem too.
>
> On Fri, Sep 12, 2008 at 10:09:32AM +0200, David Härdeman wrote:
>> On Thu, September 11, 2008 14:50, Václav Ovsík wrote:
>> > Conclusion: Running SE Linux in permissive mode can't prevent you from
>> > all SE Linux problems every time! (in most cases yes of course :)
>>
>> Another example of that is that dbus seems to do SELinux permission checks
>> even after permissive mode is enabled.
>>
>> --
>> David Härdeman
>
> It should be reported if it is true, IMO.
>
> Regards
> --
> Zito
>

Cool; I ended up downgrading to a random pick of ssh_4.3p2-9etch2_all.deb
works good from here. Just make sure you start in sysadm_r role
or you won't be able to do much to the other system while in enforcement mode.
(made the mistake of using ssh in user_r role.)

regards;

--
Justin P. Mattock