From: Dominick Grift <domg472@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: Trouble logging in through SSH
Date: Sun, 6 Feb 2011 11:52:11 +0100
Message-ID: <20110206105154.GA2626@localhost.localdomain>
In-Reply-To: <4D4E69D0.50808@mintsource.org>
On Sun, Feb 06, 2011 at 10:28:48AM +0100, Simon Peter Nicholls wrote:
> On 05/02/11 14:27, Dominick Grift wrote:
> >By the way, these policy related questions should go to
> >refpolicy@oss.tresys.com maillist.
>
> Hi Dominick, thanks for your replies to my issues.
>
> When I hit trouble, I thought I had hit something other than regular
> policy issues, but this was incorrect. I have missing
> access_vectors, and face some other issues (due to a combination of
> recent software and non-standard file locations), but all appear to
> be surmountable through a custom policy build.
Agreed, implementation of reference policy always requires modification to some extent.
Although I believe that the access vectors that you seem to be missing should have been included with the reference policy you are using.
>
> I've learned a lot in a short time, thanks in large part to reading
> some key posts in this mailing list, and my system is firmly in the
> realm of policy tweaking now. Mostly I'm twiddling booleans and
> changing file contexts to match Arch Linux at this point, with cron
> and syslog-ng the only services with issues. My "semanage permissive
> -a" functionality is broken, as the "/var/lib/selinux" path I see
> hardcoded into semanage does not exist on my system, but it was no
> bother to hand code a permissive module to get my logging working
> for now. So I can run enforcing from boot whilst I finish up, no
> problem.
>
Yes, maillist archives have much information. Also agree that most work is modifying the labelling specification to match your distro's requirements.
As for semanage permissive -a: this requires that policy for semanage is modified to allow semanage these permissions. Red Hat has this semanage policy modified but it is, I believe, not done in an acceptable way to reference policy, and so reference policy has not adopted Red Hat's solution for this. The /var/lib/selinux issue may be a packaging issue.
> It looks like Fedora have already addressed some of the core
> refpolicy issues I've faced (problems unrelated to Arch file
> locations), but patches had not made it upstream the last time I
> checked. I'd also like to see a passenger module make it into
> refpolicy. So, I still have some outstanding refpolicy queries,
> which I'll take over to the mailing list you mention.
You can indeed borrow some of Red Hat's solutions. Some of it is not acceptable for reference policy though because it breaks policy/toolchain.
As for passenger, I started work on a module for Ruby on Rails and passenger but I was not able to finish it. Red Hat is using what I have for inspiration for a passenger policy that they are working on. So that might show up in the near future.
> Thanks again.