* MLS Policy (rawhide)
From: Michael C Thompson @ 2006-09-07 21:34 UTC (permalink / raw)
To: Daniel J Walsh, lspp-list, selinux
Hey all,
It seems that ssh is unable to add entries to known_hosts for the root
user as sysadm_t. Is this a known issue? And if so, who can add entries
to /root/.ssh/known_hosts ?
Thanks,
Mike
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: MLS Policy (rawhide)
From: Michael C Thompson @ 2006-09-07 21:51 UTC (permalink / raw)
To: Michael C Thompson; +Cc: Daniel J Walsh, lspp-list, selinux
Michael C Thompson wrote:
> Hey all,
>
> It seems that ssh is unable to add entries to known_hosts for the root
> user as sysadm_t. Is this a known issue? And if so, who can add entries
> to /root/.ssh/known_hosts ?
I think I should point out that this isn't as the user, but when
executing ssh as root.
* Re: MLS Policy (rawhide)
From: Daniel J Walsh @ 2006-09-08 18:08 UTC (permalink / raw)
To: Michael C Thompson; +Cc: lspp-list, selinux
Michael C Thompson wrote:
> Hey all,
>
> It seems that ssh is unable to add entries to known_hosts for the root
> user as sysadm_t. Is this a known issue? And if so, who can add
> entries to /root/.ssh/known_hosts ?
>
> Thanks,
> Mike
>
This works for me. How is the file labeled?
* Re: [redhat-lspp] Re: MLS Policy (rawhide)
From: Michael C Thompson @ 2006-09-08 19:28 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: lspp-list, selinux
Daniel J Walsh wrote:
> Michael C Thompson wrote:
>> Hey all,
>>
>> It seems that ssh is unable to add entries to known_hosts for the root
>> user as sysadm_t. Is this a known issue? And if so, who can add
>> entries to /root/.ssh/known_hosts ?
>>
>> Thanks,
>> Mike
>>
> This works for me. How is the file labeled?
# ls -alZ /root/.ssh
drwx------ root root root:object_r:user_home_ssh_t:SystemLow .
drwxr-x--- root root root:object_r:sysadm_home_dir_t:SystemLow-SystemHigh ..
-rw------- root root root:object_r:bin_t:SystemLow id_rsa
-rw-r--r-- root root root:object_r:bin_t:SystemLow id_rsa.pub
-rw-r--r-- root root root:object_r:user_home_ssh_t:SystemLow known_hosts
* Re: [redhat-lspp] Re: MLS Policy (rawhide)
From: Stephen Smalley @ 2006-09-08 19:40 UTC (permalink / raw)
To: Michael C Thompson; +Cc: Daniel J Walsh, lspp-list, selinux
On Fri, 2006-09-08 at 14:28 -0500, Michael C Thompson wrote:
> Daniel J Walsh wrote:
> > Michael C Thompson wrote:
> >> Hey all,
> >>
> >> It seems that ssh is unable to add entries to known_hosts for the root
> >> user as sysadm_t. Is this a known issue? And if so, who can add
> >> entries to /root/.ssh/known_hosts ?
> >>
> >> Thanks,
> >> Mike
> >>
> > This works for me. How is the file labeled?
>
> # ls -alZ /root/.ssh
> drwx------ root root root:object_r:user_home_ssh_t:SystemLow .
> drwxr-x--- root root root:object_r:sysadm_home_dir_t:SystemLow-SystemHigh ..
> -rw------- root root root:object_r:bin_t:SystemLow id_rsa
> -rw-r--r-- root root root:object_r:bin_t:SystemLow id_rsa.pub
> -rw-r--r-- root root root:object_r:user_home_ssh_t:SystemLow known_hosts
/sbin/restorecon -R /root/.ssh
--
Stephen Smalley
National Security Agency
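
Added example (not part of the original messages, and not code from any poster): a shell helper that reads "ls -alZ" output and lists entries whose SELinux type differs from the directory's own type, which is how the bin_t labels on id_rsa and id_rsa.pub stand out in the listing above. The function names are hypothetical, and "same type as the directory" is a heuristic assumed for this example, not the policy's file_contexts rule.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample: the listing posted above, wrapped line rejoined.
sample_listing() {
cat <<'EOF'
drwx------ root root root:object_r:user_home_ssh_t:SystemLow .
drwxr-x--- root root root:object_r:sysadm_home_dir_t:SystemLow-SystemHigh ..
-rw------- root root root:object_r:bin_t:SystemLow id_rsa
-rw-r--r-- root root root:object_r:bin_t:SystemLow id_rsa.pub
-rw-r--r-- root root root:object_r:user_home_ssh_t:SystemLow known_hosts
EOF
}

# Reads "ls -alZ" output on stdin and prints "name type" for each entry whose
# SELinux type differs from the directory's own type (the "." line).
# Heuristic assumed for this example; the policy's file_contexts is the
# real authority. Returns 2 if the listing has no "." line.
type_outliers() {
    awk '
    {
        ctx = ""
        # The context is the first user:role:type[:level] field before the name.
        for (i = 1; i < NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+/) { ctx = $i; break }
        if (ctx == "") next                  # e.g. a "total N" line
        split(ctx, part, ":")
        fname = $(i + 1)                     # keep names that contain spaces
        for (j = i + 2; j <= NF; j++) fname = fname " " $j
        if (fname == ".") dirtype = part[3]
        n++; names[n] = fname; types[n] = part[3]
    }
    END {
        if (dirtype == "") exit 2
        for (k = 1; k <= n; k++)
            if (names[k] != "." && names[k] != ".." && types[k] != dirtype)
                print names[k], types[k]
    }'
}

sample_listing | type_outliers
```

On a live system, restorecon -n -v -R /root/.ssh reports what would be relabeled without changing anything, and that comparison against the loaded policy is the authoritative one.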
* Re: [redhat-lspp] Re: MLS Policy (rawhide)
From: Michael C Thompson @ 2006-09-08 19:47 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Daniel J Walsh, lspp-list, selinux
Stephen Smalley wrote:
> On Fri, 2006-09-08 at 14:28 -0500, Michael C Thompson wrote:
>> Daniel J Walsh wrote:
>>> Michael C Thompson wrote:
>>>> Hey all,
>>>>
>>>> It seems that ssh is unable to add entries to known_hosts for the root
>>>> user as sysadm_t. Is this a known issue? And if so, who can add
>>>> entries to /root/.ssh/known_hosts ?
>>>>
>>>> Thanks,
>>>> Mike
>>>>
>>> This works for me. How is the file labeled?
>> # ls -alZ /root/.ssh
>> drwx------ root root root:object_r:user_home_ssh_t:SystemLow .
>> drwxr-x--- root root root:object_r:sysadm_home_dir_t:SystemLow-SystemHigh ..
>> -rw------- root root root:object_r:bin_t:SystemLow id_rsa
>> -rw-r--r-- root root root:object_r:bin_t:SystemLow id_rsa.pub
>> -rw-r--r-- root root root:object_r:user_home_ssh_t:SystemLow known_hosts
>
> /sbin/restorecon -R /root/.ssh
I have relabeled this system numerous times with touch /.autorelabel...
why wasn't this picked up?
Mike
* Re: [redhat-lspp] Re: MLS Policy (rawhide)
From: Stephen Smalley @ 2006-09-08 20:03 UTC (permalink / raw)
To: Michael C Thompson; +Cc: Daniel J Walsh, lspp-list, selinux
On Fri, 2006-09-08 at 14:47 -0500, Michael C Thompson wrote:
> Stephen Smalley wrote:
> > On Fri, 2006-09-08 at 14:28 -0500, Michael C Thompson wrote:
> >> Daniel J Walsh wrote:
> >>> Michael C Thompson wrote:
> >>>> Hey all,
> >>>>
> >>>> It seems that ssh is unable to add entries to known_hosts for the root
> >>>> user as sysadm_t. Is this a known issue? And if so, who can add
> >>>> entries to /root/.ssh/known_hosts ?
> >>>>
> >>>> Thanks,
> >>>> Mike
> >>>>
> >>> This works for me. How is the file labeled?
> >> # ls -alZ /root/.ssh
> >> drwx------ root root root:object_r:user_home_ssh_t:SystemLow .
> >> drwxr-x--- root root root:object_r:sysadm_home_dir_t:SystemLow-SystemHigh ..
> >> -rw------- root root root:object_r:bin_t:SystemLow id_rsa
> >> -rw-r--r-- root root root:object_r:bin_t:SystemLow id_rsa.pub
> >> -rw-r--r-- root root root:object_r:user_home_ssh_t:SystemLow known_hosts
> >
> > /sbin/restorecon -R /root/.ssh
>
> I have relabeled this system numerous times with touch /.autorelabel...
> why wasn't this picked up?
Not sure, not a big fan of autorelabeling myself. Is /home on a
separate partition? Would it be mounted when the relabel runs from
rc.sysinit?
--
Stephen Smalley
National Security Agency
* Re: [redhat-lspp] Re: MLS Policy (rawhide)
From: Michael C Thompson @ 2006-09-08 20:07 UTC (permalink / raw)
To: Stephen Smalley; +Cc: lspp-list, Daniel J Walsh, selinux
Stephen Smalley wrote:
> On Fri, 2006-09-08 at 14:47 -0500, Michael C Thompson wrote:
>> Stephen Smalley wrote:
>>> On Fri, 2006-09-08 at 14:28 -0500, Michael C Thompson wrote:
>>>> Daniel J Walsh wrote:
>>>>> Michael C Thompson wrote:
>>>>>> Hey all,
>>>>>>
>>>>>> It seems that ssh is unable to add entries to known_hosts for the root
>>>>>> user as sysadm_t. Is this a known issue? And if so, who can add
>>>>>> entries to /root/.ssh/known_hosts ?
>>>>>>
>>>>>> Thanks,
>>>>>> Mike
>>>>>>
>>>>> This works for me. How is the file labeled?
>>>> # ls -alZ /root/.ssh
>>>> drwx------ root root root:object_r:user_home_ssh_t:SystemLow .
>>>> drwxr-x--- root root root:object_r:sysadm_home_dir_t:SystemLow-SystemHigh ..
>>>> -rw------- root root root:object_r:bin_t:SystemLow id_rsa
>>>> -rw-r--r-- root root root:object_r:bin_t:SystemLow id_rsa.pub
>>>> -rw-r--r-- root root root:object_r:user_home_ssh_t:SystemLow known_hosts
>>> /sbin/restorecon -R /root/.ssh
>> I have relabeled this system numerous times with touch /.autorelabel...
>> why wasn't this picked up?
>
> Not sure, not a big fan of autorelabeling myself.
Me either, not sure how it got so messed up though.
> Is /home on a
> separate partition? Would it be mounted when the relabel runs from
> rc.sysinit?
Well, it wasn't in /home, but even then that isn't the case. But it
works now, so thanks Stephen :)
Mike
* Re: [redhat-lspp] Re: MLS Policy (rawhide)
From: Daniel J Walsh @ 2006-09-19 14:04 UTC (permalink / raw)
To: Michael C Thompson; +Cc: Stephen Smalley, lspp-list, selinux
Michael C Thompson wrote:
> Stephen Smalley wrote:
>> On Fri, 2006-09-08 at 14:47 -0500, Michael C Thompson wrote:
>>> Stephen Smalley wrote:
>>>> On Fri, 2006-09-08 at 14:28 -0500, Michael C Thompson wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> Michael C Thompson wrote:
>>>>>>> Hey all,
>>>>>>>
>>>>>>> It seems that ssh is unable to add entries to known_hosts for
>>>>>>> the root user as sysadm_t. Is this a known issue? And if so, who
>>>>>>> can add entries to /root/.ssh/known_hosts ?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Mike
>>>>>>>
>>>>>> This works for me. How is the file labeled?
>>>>> # ls -alZ /root/.ssh
>>>>> drwx------ root root root:object_r:user_home_ssh_t:SystemLow .
>>>>> drwxr-x--- root root root:object_r:sysadm_home_dir_t:SystemLow-SystemHigh ..
>>>>> -rw------- root root root:object_r:bin_t:SystemLow id_rsa
>>>>> -rw-r--r-- root root root:object_r:bin_t:SystemLow id_rsa.pub
>>>>> -rw-r--r-- root root root:object_r:user_home_ssh_t:SystemLow known_hosts
>>>> /sbin/restorecon -R /root/.ssh
>>> I have relabeled this system numerous times with touch
>>> /.autorelabel... why wasn't this picked up?
>>
>> Not sure, not a big fan of autorelabeling myself.
>
> Me either, not sure how it got so messed up though.
>
>> Is /home on a
>> separate partition? Would it be mounted when the relabel runs from
>> rc.sysinit?
>
> Well, it wasn't in /home, but even then that isn't the case. But it
> works now, so thanks Stephen :)
>
> Mike
>
touch /.autorelabel should only be used when you have a serious labeling
problem (file_t, selinux=0, changing policy types).
This should seldom be done. I have not done it in over a year.
The file system should not be getting badly mislabeled at this point.