* how to add a user with rights to login via ssh on selinux?
From: Romix @ 2003-09-09 10:15 UTC (permalink / raw)
To: selinux
Hi,
I have seen that a similar problem was discussed on this list some
months ago, but that didn't help me... :-/
I'm running selinux and want to create a user that has the right to log in
via ssh.
I created a user called setest:
# suseradd -m setest
I gave him a password:
# sadminpasswd setest
...
I added the line "user setest roles { user_r sysadm_r };" to
/etc/security/selinux/src/policy/users
I applied the changes:
# make -C /etc/security/selinux/src/policy load
and my /etc/security/default_contexts looks like this:
system_r:local_login_t staff_r:staff_t user_r:user_t
system_r:sshd_t staff_r:staff_t user_r:user_t
system_r:crond_t staff_r:staff_crond_t user_r:user_crond_t
system_r:system_crond_t
If I understand correctly, this should be enough, but my user setest can't
log in; after typing in the password I get the message:
Connection to 10.0.0.11 closed by remote host.
Connection to 10.0.0.11 closed.
In the sshd log I have the following lines:
Sep 8 20:45:17 [sshd] Accepted password for setest from 10.0.0.23 port
33571 ssh2
Sep 8 20:45:17 [sshd] fatal: Could not obtain SID for user setest
Sep 8 20:45:17 [sshd] syslogin_perform_logout: logout() returned an
error
What did I forget, or what am I doing wrong? Can someone help me? Thanks.
cu, Romain
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: how to add a user with rights to login via ssh on selinux?
From: Russell Coker @ 2003-09-09 10:54 UTC (permalink / raw)
To: Romix, selinux
On Tue, 9 Sep 2003 20:15, Romix wrote:
> Sep 8 20:45:17 [sshd] Accepted password for setest from 10.0.0.23 port
> 33571 ssh2
> Sep 8 20:45:17 [sshd] fatal: Could not obtain SID for user setest
> Sep 8 20:45:17 [sshd] syslogin_perform_logout: logout() returned an
> error
From your description it seems that you correctly added the user and
configured your system.
Does "dmesg" display any avc messages concerning the login?
Is sshd running in the correct context? "ps --context | grep sshd" will show
you the context.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* RE: how to add a user with rights to login via ssh on selinux?
From: Romix @ 2003-09-09 12:16 UTC (permalink / raw)
To: russell, selinux
Hi,
> From your description it seems that you correctly added the user and
> configured your system.
>
> Does "dmesg" display any avc messages concerning the login?
Yes, there are some messages, but I don't understand them (is that explained
somewhere?):
avc: denied { read } for pid=23997 exe=/usr/sbin/sshd
path=socket:[257597] dev=00:00 ino=257597
scontext=root:sysadm_r:sysadm_chkpwd_t
tcontext=root:sysadm_r:sysadm_chkpwd_t tclass=unix_stream_socket
avc: denied { write } for pid=23998 exe=/usr/sbin/sshd
path=socket:[257596] dev=00:00 ino=257596
scontext=root:sysadm_r:sysadm_chkpwd_t
tcontext=root:sysadm_r:sysadm_chkpwd_t tclass=unix_stream_socket
avc: denied { getattr } for pid=23997 exe=/usr/sbin/sshd
path=socket:[257601] dev=00:00 ino=257601
scontext=root:sysadm_r:sysadm_chkpwd_t
tcontext=root:sysadm_r:sysadm_chkpwd_t tclass=udp_socket
avc: denied { getattr } for pid=23997 exe=/usr/sbin/sshd
scontext=root:sysadm_r:sysadm_chkpwd_t tcontext=system_u:object_r:devpts_t
tclass=filesystem
avc: denied { search } for pid=23997 exe=/usr/sbin/sshd dev=00:08 ino=1
scontext=root:sysadm_r:sysadm_chkpwd_t tcontext=system_u:object_r:devpts_t
tclass=dir
> Is sshd running in the correct context? "ps --context | grep
> sshd" will show
> you the context.
23994 243 root:sysadm_r:sysadm_chkpwd_t grep sshd
Is sysadm_chkpwd_t the right domain?
cu, Romain
* Re: how to add a user with rights to login via ssh on selinux?
From: Russell Coker @ 2003-09-09 13:12 UTC (permalink / raw)
To: Romix, selinux
On Tue, 9 Sep 2003 22:16, Romix wrote:
> > Does "dmesg" display any avc messages concerning the login?
>
> yes there are some messages, but i don´t understand them (is that explained
> somewhere?):
>
> avc: denied { read } for pid=23997 exe=/usr/sbin/sshd
> path=socket:[257597] dev=00:00 ino=257597
> scontext=root:sysadm_r:sysadm_chkpwd_t
> tcontext=root:sysadm_r:sysadm_chkpwd_t tclass=unix_stream_socket
This is wrong. Either sshd has the wrong type or you started it in the wrong
manner.
Run "ls --context /usr/sbin/sshd" to see the type of the file, it should be
sshd_exec_t.
> > Is sshd running in the correct context? "ps --context | grep
> > sshd" will show
> > you the context.
>
> 23994 243 root:sysadm_r:sysadm_chkpwd_t grep sshd
>
> is sysadm_chkpwd_t the right domain?
That's the context of the "grep" process, and it's not the right domain for
sshd or for grep.
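The avc records quoted in this thread carry everything needed to spot the problem Russell points out (sshd's source domain is sysadm_chkpwd_t instead of sshd_t). The following is an added example, not code from the thread or from the SE Linux project: it parses avc denial lines in that format, plus a `ps --context` line as quoted later in the thread, and compares each daemon's source domain against an expected-domain table. The table and the sample lines are constructed for this example (the ntpd_t entry is an assumed name), and each avc record is joined back onto one line as dmesg prints it.

```python
import re

# Constructed sample: the avc records quoted in this thread, each joined back onto one
# line as dmesg prints them (the mail client wrapped them across lines).
SAMPLE_AVC = """\
avc: denied { read } for pid=23997 exe=/usr/sbin/sshd path=socket:[257597] dev=00:00 ino=257597 scontext=root:sysadm_r:sysadm_chkpwd_t tcontext=root:sysadm_r:sysadm_chkpwd_t tclass=unix_stream_socket
avc: denied { search } for pid=24197 exe=/bin/bash path=/sbin dev=03:03 ino=11151 scontext=root:staff_r:staff_chkpwd_t tcontext=system_u:object_r:sbin_t tclass=dir
avc: denied { append } for pid=24992 exe=/usr/bin/ntpd path=/var/log/ntpd.log dev=03:03 ino=110570 scontext=root:staff_r:staff_t tcontext=root:object_r:var_log_t tclass=file
"""

# Hypothetical table of the domain each daemon should run in when started via run_init.
# Only the sshd entry comes from the thread; ntpd_t is an assumed name for illustration.
EXPECTED_DOMAIN = {"/usr/sbin/sshd": "sshd_t", "/usr/bin/ntpd": "ntpd_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Parse one avc denial line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))
    # Split user:role:type so the type (domain) can be compared directly.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            _user, role, type_ = rec[ctx].split(":")[:3]
            rec[ctx + "_role"], rec[ctx + "_type"] = role, type_
    return rec

def wrong_domain(records):
    """Map exe -> (actual domain, expected domain) for daemons not running in their domain."""
    bad = {}
    for r in records:
        want = EXPECTED_DOMAIN.get(r.get("exe"))
        if want and r.get("scontext_type") != want:
            bad[r["exe"]] = (r["scontext_type"], want)
    return bad

def check_ps_context(ps_line):
    """Check one 'ps --context' line (pid, sid, context, command) the same way."""
    _pid, _sid, ctx, cmd = ps_line.split(None, 3)
    exe = cmd.split()[0]
    return exe, ctx.split(":")[2], EXPECTED_DOMAIN.get(exe)

def analyse(text):
    """Parse all avc lines in text and report daemons running in the wrong domain."""
    recs = [r for r in map(parse_avc, text.splitlines()) if r]
    return recs, wrong_domain(recs)
```

Running `analyse(SAMPLE_AVC)` reports sshd in sysadm_chkpwd_t where sshd_t is expected, which is exactly the symptom of a daemon started from a login shell instead of through run_init.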
* RE: how to add a user with rights to login via ssh on selinux?
From: Romix @ 2003-09-09 13:47 UTC (permalink / raw)
To: russell, selinux
First, thanks for your help :)
> > yes there are some messages, but i don´t understand them (is that
> > explained somewhere?):
> >
> > avc: denied { read } for pid=23997 exe=/usr/sbin/sshd
> > path=socket:[257597] dev=00:00 ino=257597
> > scontext=root:sysadm_r:sysadm_chkpwd_t
> > tcontext=root:sysadm_r:sysadm_chkpwd_t tclass=unix_stream_socket
>
> This is wrong. Either sshd has the wrong type or you started
> it in the wrong manner.
>
> Run "ls --context /usr/sbin/sshd" to see the type of the
> file, it should be sshd_exec_t.
Yes, it is:
-rwxr-xr-x root root system_u:object_r:sshd_exec_t
/usr/sbin/sshd
> > > Is sshd running in the correct context? "ps --context |
> > > grep sshd"
> > > will show you the context.
> >
> > 23994 243 root:sysadm_r:sysadm_chkpwd_t grep sshd
> >
> > is sysadm_chkpwd_t the right domain?
>
> That's the context of the "grep" process, and it's not the
> right domain for sshd or for grep.
Sorry, I posted the wrong line, but sshd was running in the same context:
23618 243 root:sysadm_r:sysadm_chkpwd_t /usr/sbin/sshd
So I changed it (I executed "/etc/init.d/sshd start" as root from a local
login and not via ssh):
24176 195 root:staff_r:staff_t /usr/sbin/sshd
But my user setest still can't log in...
and I still have a lot of avc messages:
avc: denied { search } for pid=24197 exe=/bin/bash path=/sbin dev=03:03
ino=11151 scontext=root:staff_r:staff_chkpwd_t
tcontext=system_u:object_r:sbin_t tclass=dir
avc: denied { search } for pid=24197 exe=/bin/bash path=/opt dev=03:03
ino=11148 scontext=root:staff_r:staff_chkpwd_t
tcontext=system_u:object_r:opt_t tclass=dir
avc: denied { syslog_read } for pid=24205 exe=/bin/dmesg
scontext=root:staff_r:staff_chkpwd_t tcontext=system_u:system_r:kernel_t
tclass=system
avc: denied { append } for pid=24992 exe=/usr/bin/ntpd
path=/var/log/ntpd.log dev=03:03 ino=110570 scontext=root:staff_r:staff_t
tcontext=root:object_r:var_log_t tclass=file
avc: denied { getattr } for pid=24197 exe=/bin/bash path=/bin/ls
dev=03:03 ino=91418 scontext=root:staff_r:staff_chkpwd_t
tcontext=system_u:object_r:ls_exec_t tclass=file
avc: denied { execute } for pid=24208 exe=/bin/bash path=/bin/ls
dev=03:03 ino=91418 scontext=root:staff_r:staff_chkpwd_t
tcontext=system_u:object_r:ls_exec_t tclass=file
avc: denied { execute_no_trans } for pid=24208 exe=/bin/bash path=/bin/ls
dev=03:03 ino=91418 scontext=root:staff_r:staff_chkpwd_t
tcontext=system_u:object_r:ls_exec_t tclass=file
avc: denied { read } for pid=24208 path=/bin/ls dev=03:03 ino=91418
scontext=root:staff_r:staff_chkpwd_t tcontext=system_u:object_r:ls_exec_t
tclass=file
avc: denied { read } for pid=24208 exe=/bin/ls
scontext=root:staff_r:staff_chkpwd_t
tcontext=system_u:object_r:sysctl_kernel_t tclass=file
How do I solve/change this? Does someone know a good book or documentation for
selinux? All that I found was not really helpful for someone who is new to
selinux...
regards,
Romain
* Re: how to add a user with rights to login via ssh on selinux?
From: Russell Coker @ 2003-09-09 13:53 UTC (permalink / raw)
To: Romix, selinux
On Tue, 9 Sep 2003 23:47, Romix wrote:
> sorry, i posted the wrong line, but sshd was running in the same context:
> 23618 243 root:sysadm_r:sysadm_chkpwd_t /usr/sbin/sshd
>
> so i changed it (i executed "/etc/init.d/sshd start" as root from a local
> login and not via ssh):
> 24176 195 root:staff_r:staff_t /usr/sbin/sshd
Firstly you should be sysadm_r:sysadm_t when you start daemons. Secondly you
should use "run_init".
Do the following:
newrole -r sysadm_r
run_init /etc/init.d/sshd start
Then things should be fine.
* Re: how to add a user with rights to login via ssh on selinux?
From: Faye Coker @ 2003-09-09 14:39 UTC (permalink / raw)
To: Romix; +Cc: selinux
On Tue, Sep 09, 2003 at 03:47:55PM +0200, Romix wrote:
> how do i solve/change this? does someone know a good book/documentation for
> selinux? all what i found was not really helpful for someone who is new to
> selinux...
I have started working on documentation covering editing policies in
more detail. I've also started working on an SE Linux book. No ETA at
this point however :)
faye
--
Faye Coker faye@lurking-grue.org
* RE: how to add a user with rights to login via ssh on selinux?
From: Romix @ 2003-09-09 14:42 UTC (permalink / raw)
To: 'Faye Coker'; +Cc: selinux
> I have started working on documentation covering editing
> policies in more detail. I've also started working on an SE
> Linux book. No ETA at this point however :)
Let me know when your documentation or your book is finished and I'll be the
first to buy it :)
Romain
* RE: how to add a user with rights to login via ssh on selinux?
From: Romix @ 2003-09-09 14:47 UTC (permalink / raw)
To: russell, selinux
> On Tue, 9 Sep 2003 23:47, Romix wrote:
> > sorry, i posted the wrong line, but sshd was running in the
> same context:
> > 23618 243 root:sysadm_r:sysadm_chkpwd_t /usr/sbin/sshd
> >
> > so i changed it (i executed "/etc/init.d/sshd start" as root from a
> > local login and not via ssh):
> > 24176 195 root:staff_r:staff_t /usr/sbin/sshd
>
> Firstly you should be sysadm_r:sysadm_t when you start
> daemons. Secondly you
> should use "run_init".
>
> Do the following:
> newrole -r sysadm_r
> run_init /etc/init.d/sshd start
>
> Then things should be fine.
OK, I think I understand now; that was the missing information :)
Now sshd is running in the system_u:system_r:sshd_t context and my user can
log in :D
Thanks a lot for your help.
cu, Romain
* Re: how to add a user with rights to login via ssh on selinux?
From: Tom @ 2003-09-09 15:30 UTC (permalink / raw)
To: selinux
On Tue, Sep 09, 2003 at 03:47:55PM +0200, Romix wrote:
> so i changed it (i executed "/etc/init.d/sshd start" as root from a local
> login and not via ssh):
> 24176 195 root:staff_r:staff_t /usr/sbin/sshd
You need to run
run_init /etc/init.d/sshd start
in order to get it into the correct domain, instead of running the start
script directly.
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5