From: justinmattock@gmail.com (Justin P. Mattock)
Date: Thu, 24 Jun 2010 10:19:28 -0700
Subject: [refpolicy] sshd and run_init
In-Reply-To: <4C2384C4.9020602@gmail.com>
References: <4C236F03.9050401@gmail.com> <4C238200.2090305@gmail.com> <4C238384.3070207@gmail.com> <4C2384C4.9020602@gmail.com>
Message-ID: <4C2393A0.2000605@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/24/2010 09:16 AM, Dominick Grift wrote:
> On 06/24/2010 06:10 PM, Justin P. Mattock wrote:
>> On 06/24/2010 09:04 AM, Dominick Grift wrote:
>>> On 06/24/2010 04:43 PM, Justin P. Mattock wrote:
>>>> quick question.. just set up sshd as a test with ipsec
>>>> (everything seems to be running o.k. with the latest policy).
>>>> the question I have is how do I run run_init to turn this service on and
>>>> off?
>>>> right now the current role is staff_r
>>>> any links pointing to the right direction would be appreciated..
>>>
>>> newrole -r sysadm_r
>>> su
>>> run_init /etc/rc.d/init.d/sshd start
>>>
>>> Does that work?
>>
>> I'll try that out and see.. last I remember though staff_r can't go into
>> sysadm_r (but this was about a year ago I tried). I'll see and post back.
>
> so map sysadm_r to staff_u or do newrole -r unconfined_r instead.
>
>> Justin P. Mattock
>

maybe I have a mislabel, and/or polyinstantiation is messed up somewhere
on this machine. seems I keep getting the same avc generated even after
allowing. using the above procedure gives me these allow rules:

#============= sysadm_su_t ==============
allow sysadm_su_t user_home_dir_t:dir { write search add_name };

#============= xauth_t ==============
allow xauth_t user_home_dir_t:dir { write search add_name };

(maybe a boolean needs to be enabled?!!)

and the avc's are as is:

[ 51.954501] type=1100 audit(1277399132.954:12): user pid=2291 uid=1000 auid=1000 ses=1 subj=name:staff_r:chkpwd_t:s0 msg='op=PAM:unix_chkpwd acct="name" exe="/lib/security/unix_chkpwd" hostname=? addr=? terminal=? res=success'
[ 85.796478] type=1100 audit(1277399166.795:13): user pid=2329 uid=1000 auid=1000 ses=1 subj=name:staff_r:chkpwd_t:s0 msg='op=PAM:unix_chkpwd acct="name" exe="/lib/security/unix_chkpwd" hostname=? addr=? terminal=? res=success'
[ 90.515361] type=1100 audit(1277399171.514:14): user pid=2336 uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/0 res=success'
[ 90.523846] type=1101 audit(1277399171.522:15): user pid=2336 uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0 msg='op=PAM:accounting acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/0 res=success'
[ 90.526476] type=1400 audit(1277399171.525:16): avc: denied { search } for pid=2336 comm="su" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 90.526639] type=1300 audit(1277399171.525:16): arch=c000003e syscall=4 success=no exit=-2 a0=616b90 a1=7fff7e52abc0 a2=7fff7e52abc0 a3=20 items=0 ppid=2331 pid=2336 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="su" exe="/bin/su" subj=name:sysadm_r:sysadm_su_t:s0 key=(null)
[ 90.526850] type=1103 audit(1277399171.525:17): user pid=2336 uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0 msg='op=PAM:setcred acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/0 res=success'
[ 92.344367] type=1400 audit(1277399173.344:18): avc: denied { write } for pid=2336 comm="su" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.344411] type=1400 audit(1277399173.344:18): avc: denied { add_name } for pid=2336 comm="su" name=".xauthzzG3Kx" scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.344736] type=1300 audit(1277399173.344:18): arch=c000003e syscall=2 success=yes exit=4 a0=619d3b a1=c2 a2=180 a3=132b1 items=0 ppid=2331 pid=2336 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="su" exe="/bin/su" subj=name:sysadm_r:sysadm_su_t:s0 key=(null)
[ 92.349846] type=1400 audit(1277399173.349:19): avc: denied { search } for pid=2343 comm="xauth" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.350105] type=1300 audit(1277399173.349:19): arch=c000003e syscall=4 success=no exit=-2 a0=7fff2223b7e0 a1=7fff2223bbf0 a2=7fff2223bbf0 a3=0 items=0 ppid=2336 pid=2343 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xauth" exe="/usr/bin/xauth" subj=name:sysadm_r:xauth_t:s0 key=(null)
[ 92.350215] type=1400 audit(1277399173.349:20): avc: denied { write } for pid=2343 comm="xauth" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.350267] type=1400 audit(1277399173.349:20): avc: denied { add_name } for pid=2343 comm="xauth" name=".xauthzzG3Kx-c" scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.350526] type=1300 audit(1277399173.349:20): arch=c000003e syscall=2 success=yes exit=2 a0=7fff2223b7e0 a1=c1 a2=180 a3=0 items=0 ppid=2336 pid=2343 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xauth" exe="/usr/bin/xauth" subj=name:sysadm_r:xauth_t:s0 key=(null)
[ 92.351503] type=1400 audit(1277399173.351:21): avc: denied { remove_name } for pid=2343 comm="xauth" name=".xauthzzG3Kx" dev=sda3 ino=592 scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.351704] type=1300 audit(1277399173.351:21): arch=c000003e syscall=87 success=yes exit=0 a0=609010 a1=7f79faa5ae60 a2=ecf a3=7f79faa5aeb0 items=0 ppid=2336 pid=2343 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xauth" exe="/usr/bin/xauth" subj=name:sysadm_r:xauth_t:s0 key=(null)
[ 92.352825] type=1105 audit(1277399173.352:22): user pid=2336 uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0 msg='op=PAM:session_open acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/0 res=success'
[ 98.353197] type=1100 audit(1277399179.352:23): user pid=2348 uid=0 auid=1000 ses=1 subj=name:sysadm_r:run_init_t:s0 msg='op=PAM:authentication acct="name" exe="/usr/sbin/run_init" hostname=? addr=? terminal=pts/0 res=success'
[ 98.359986] type=1101 audit(1277399179.358:24): user pid=2348 uid=0 auid=1000 ses=1 subj=name:sysadm_r:run_init_t:s0 msg='op=PAM:accounting acct="name" exe="/usr/sbin/run_init" hostname=? addr=? terminal=pts/0 res=success'
[ 105.288236] type=1400 audit(1277399186.287:25): avc: denied { remove_name } for pid=2336 comm="su" name=".xauthzzG3Kx" dev=sda3 ino=594 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 105.288511] type=1300 audit(1277399186.287:25): arch=c000003e syscall=87 success=yes exit=0 a0=617f50 a1=7f8ee314aa6a a2=619d60 a3=7f8ee5316cb0 items=0 ppid=2331 pid=2336 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="su" exe="/bin/su" subj=name:sysadm_r:sysadm_su_t:s0 key=(null)
[ 105.288750] type=1106 audit(1277399186.288:26): user pid=2336 uid=0 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0 msg='op=PAM:session_close acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/0 res=success'
[ 115.032652] type=1100 audit(1277399196.031:27): user pid=2392 uid=1000 auid=1000 ses=1 subj=name:sysadm_r:chkpwd_t:s0 msg='op=PAM:unix_chkpwd acct="name" exe="/lib/security/unix_chkpwd" hostname=? addr=? terminal=? res=success'

worst case scenario is I just boot into permissive mode, disable sshd and
not even worry about su/sudo... (just being a lazy admin...)

Justin P. Mattock
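The mail above pairs a set of audit2allow-style rules with the AVC records that keep appearing after they were loaded. The script below is an added example for readers of the thread, not code from the mail or from refpolicy: it parses the AVC denials the way audit2allow summarises them (source type, target type, object class, merged permission set), regenerates the allow rules, and then checks the denied permissions against the rules quoted in the mail to report any that those rules do not cover. The sample input is the mail's own AVC records, copied one per line with the non-AVC PAM record included to show it is skipped; the rule/record formats and field order are the standard SELinux ones seen in the mail, and nothing about the poster's machine is assumed.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records from the mail, one audit record per
# line. The first line is a PAM (type=1100) record and is expected to be ignored.
SAMPLE_AUDIT = """\
[ 90.515361] type=1100 audit(1277399171.514:14): user pid=2336 uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/0 res=success'
[ 90.526476] type=1400 audit(1277399171.525:16): avc: denied { search } for pid=2336 comm="su" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.344367] type=1400 audit(1277399173.344:18): avc: denied { write } for pid=2336 comm="su" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.344411] type=1400 audit(1277399173.344:18): avc: denied { add_name } for pid=2336 comm="su" name=".xauthzzG3Kx" scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.349846] type=1400 audit(1277399173.349:19): avc: denied { search } for pid=2343 comm="xauth" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.350215] type=1400 audit(1277399173.349:20): avc: denied { write } for pid=2343 comm="xauth" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.350267] type=1400 audit(1277399173.349:20): avc: denied { add_name } for pid=2343 comm="xauth" name=".xauthzzG3Kx-c" scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 92.351503] type=1400 audit(1277399173.351:21): avc: denied { remove_name } for pid=2343 comm="xauth" name=".xauthzzG3Kx" dev=sda3 ino=592 scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[ 105.288236] type=1400 audit(1277399186.287:25): avc: denied { remove_name } for pid=2336 comm="su" name=".xauthzzG3Kx" dev=sda3 ino=594 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
"""

# The allow rules quoted in the mail, as audit2allow printed them.
EXISTING_RULES = """\
allow sysadm_su_t user_home_dir_t:dir { write search add_name };
allow xauth_t user_home_dir_t:dir { write search add_name };
"""

# One AVC denial: the permission set in braces, then scontext/tcontext/tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# One TE allow rule: "allow <stype> <ttype>:<class> { perms };"
ALLOW_RE = re.compile(
    r"allow\s+(?P<stype>\S+)\s+(?P<ttype>\S+):(?P<tclass>\S+)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s*;"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Extract (source type, target type, class, perms) from every AVC denial line."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PAM, SYSCALL and other non-AVC records carry no denial
        denials.append((type_of(m["scontext"]), type_of(m["tcontext"]),
                        m["tclass"], set(m["perms"].split())))
    return denials


def summarize(denials):
    """Merge denials into {(stype, ttype, tclass): set(perms)}, as audit2allow does."""
    summary = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        summary[(stype, ttype, tclass)] |= perms
    return dict(summary)


def to_allow_rules(summary):
    """Render a summary as TE allow rules with a sorted permission list."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]


def parse_allow_rules(text):
    """Parse existing allow rules into the same {(stype, ttype, tclass): perms} shape."""
    rules = defaultdict(set)
    for m in ALLOW_RE.finditer(text):
        rules[(m["stype"], m["ttype"], m["tclass"])] |= set(m["perms"].split())
    return dict(rules)


def uncovered(denials, rules):
    """Denied permissions that the given allow rules do not grant, keyed like summarize()."""
    gap = {}
    for key, perms in summarize(denials).items():
        missing = perms - rules.get(key, set())
        if missing:
            gap[key] = missing
    return gap


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT)
    for rule in to_allow_rules(summarize(denials)):
        print(rule)
    for (s, t, c), perms in uncovered(denials, parse_allow_rules(EXISTING_RULES)).items():
        print(f"not covered by existing rules: {s} -> {t}:{c} {{ {' '.join(sorted(perms))} }}")
```

Run on the records from the mail, the regenerated rules carry four permissions ({ add_name remove_name search write }) for both sysadm_su_t and xauth_t, and the coverage check reports remove_name as the one permission the two quoted rules do not grant; the xauth lock-file removal at 92.351503 and 105.288236 is what triggers it. Whether granting it is the right fix (versus fixing a label or a polyinstantiation setup, as the mail wonders) is a policy decision; the script only makes the comparison between what was denied and what was allowed mechanical, so that "the same avc after allowing" can be told apart from "a different permission than the one allowed".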