MLS Policy (rawhide)

All of lore.kernel.org
 help / color / mirror / Atom feed

* MLS Policy (rawhide)
@ 2006-09-07 21:34 Michael C Thompson
  2006-09-07 21:51 ` Michael C Thompson
  2006-09-08 18:08 ` Daniel J Walsh
  0 siblings, 2 replies; 9+ messages in thread
From: Michael C Thompson @ 2006-09-07 21:34 UTC (permalink / raw)
  To: Daniel J Walsh, lspp-list, selinux

Hey all,

It seems that ssh is unable to add entries to known_hosts for the root 
user as sysadm_t. Is this a known issue? And if so, who can add entries 
to /root/.ssh/known_hosts ?

Thanks,
Mike


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: MLS Policy (rawhide)
  2006-09-07 21:34 MLS Policy (rawhide) Michael C Thompson
@ 2006-09-07 21:51 ` Michael C Thompson
  2006-09-08 18:08 ` Daniel J Walsh
  1 sibling, 0 replies; 9+ messages in thread
From: Michael C Thompson @ 2006-09-07 21:51 UTC (permalink / raw)
  To: Michael C Thompson; +Cc: Daniel J Walsh, lspp-list, selinux

Michael C Thompson wrote:
> Hey all,
> 
> It seems that ssh is unable to add entries to known_hosts for the root 
> user as sysadm_t. Is this a known issue? And if so, who can add entries 
> to /root/.ssh/known_hosts ?

I think I should point out that this isn't as the user, but when 
executing ssh as root.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: MLS Policy (rawhide)
  2006-09-07 21:34 MLS Policy (rawhide) Michael C Thompson
  2006-09-07 21:51 ` Michael C Thompson
@ 2006-09-08 18:08 ` Daniel J Walsh
  2006-09-08 19:28   ` [redhat-lspp] " Michael C Thompson
  1 sibling, 1 reply; 9+ messages in thread
From: Daniel J Walsh @ 2006-09-08 18:08 UTC (permalink / raw)
  To: Michael C Thompson; +Cc: lspp-list, selinux

Michael C Thompson wrote:
> Hey all,
>
> It seems that ssh is unable to add entries to known_hosts for the root 
> user as sysadm_t. Is this a known issue? And if so, who can add 
> entries to /root/.ssh/known_hosts ?
>
> Thanks,
> Mike
>
This works for me.  How is the file labeled?



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [redhat-lspp] Re: MLS Policy (rawhide)
  2006-09-08 18:08 ` Daniel J Walsh
@ 2006-09-08 19:28   ` Michael C Thompson
  2006-09-08 19:40     ` Stephen Smalley
  0 siblings, 1 reply; 9+ messages in thread
From: Michael C Thompson @ 2006-09-08 19:28 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: lspp-list, selinux

Daniel J Walsh wrote:
> Michael C Thompson wrote:
>> Hey all,
>>
>> It seems that ssh is unable to add entries to known_hosts for the root 
>> user as sysadm_t. Is this a known issue? And if so, who can add 
>> entries to /root/.ssh/known_hosts ?
>>
>> Thanks,
>> Mike
>>
> This works for me.  How is the file labeled?

# ls -alZ /root/.ssh
drwx------  root root root:object_r:user_home_ssh_t:SystemLow .
drwxr-x---  root root 
root:object_r:sysadm_home_dir_t:SystemLow-SystemHigh ..
-rw-------  root root root:object_r:bin_t:SystemLow    id_rsa
-rw-r--r--  root root root:object_r:bin_t:SystemLow    id_rsa.pub
-rw-r--r--  root root root:object_r:user_home_ssh_t:SystemLow known_hosts


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [redhat-lspp] Re: MLS Policy (rawhide)
  2006-09-08 19:28   ` [redhat-lspp] " Michael C Thompson
@ 2006-09-08 19:40     ` Stephen Smalley
  2006-09-08 19:47       ` Michael C Thompson
  0 siblings, 1 reply; 9+ messages in thread
From: Stephen Smalley @ 2006-09-08 19:40 UTC (permalink / raw)
  To: Michael C Thompson; +Cc: Daniel J Walsh, lspp-list, selinux

On Fri, 2006-09-08 at 14:28 -0500, Michael C Thompson wrote:
> Daniel J Walsh wrote:
> > Michael C Thompson wrote:
> >> Hey all,
> >>
> >> It seems that ssh is unable to add entries to known_hosts for the root 
> >> user as sysadm_t. Is this a known issue? And if so, who can add 
> >> entries to /root/.ssh/known_hosts ?
> >>
> >> Thanks,
> >> Mike
> >>
> > This works for me.  How is the file labeled?
> 
> # ls -alZ /root/.ssh
> drwx------  root root root:object_r:user_home_ssh_t:SystemLow .
> drwxr-x---  root root 
> root:object_r:sysadm_home_dir_t:SystemLow-SystemHigh ..
> -rw-------  root root root:object_r:bin_t:SystemLow    id_rsa
> -rw-r--r--  root root root:object_r:bin_t:SystemLow    id_rsa.pub
> -rw-r--r--  root root root:object_r:user_home_ssh_t:SystemLow known_hosts

/sbin/restorecon -R /root/.ssh

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [redhat-lspp] Re: MLS Policy (rawhide)
  2006-09-08 19:40     ` Stephen Smalley
@ 2006-09-08 19:47       ` Michael C Thompson
  2006-09-08 20:03         ` Stephen Smalley
  0 siblings, 1 reply; 9+ messages in thread
From: Michael C Thompson @ 2006-09-08 19:47 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, lspp-list, selinux

Stephen Smalley wrote:
> On Fri, 2006-09-08 at 14:28 -0500, Michael C Thompson wrote:
>> Daniel J Walsh wrote:
>>> Michael C Thompson wrote:
>>>> Hey all,
>>>>
>>>> It seems that ssh is unable to add entries to known_hosts for the root 
>>>> user as sysadm_t. Is this a known issue? And if so, who can add 
>>>> entries to /root/.ssh/known_hosts ?
>>>>
>>>> Thanks,
>>>> Mike
>>>>
>>> This works for me.  How is the file labeled?
>> # ls -alZ /root/.ssh
>> drwx------  root root root:object_r:user_home_ssh_t:SystemLow .
>> drwxr-x---  root root 
>> root:object_r:sysadm_home_dir_t:SystemLow-SystemHigh ..
>> -rw-------  root root root:object_r:bin_t:SystemLow    id_rsa
>> -rw-r--r--  root root root:object_r:bin_t:SystemLow    id_rsa.pub
>> -rw-r--r--  root root root:object_r:user_home_ssh_t:SystemLow known_hosts
> 
> /sbin/restorecon -R /root/.ssh

I have relabeled this system numerous times with touch /.autorelabel... 
why wasn't this picked up?

Mike



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [redhat-lspp] Re: MLS Policy (rawhide)
  2006-09-08 19:47       ` Michael C Thompson
@ 2006-09-08 20:03         ` Stephen Smalley
  2006-09-08 20:07           ` Michael C Thompson
  0 siblings, 1 reply; 9+ messages in thread
From: Stephen Smalley @ 2006-09-08 20:03 UTC (permalink / raw)
  To: Michael C Thompson; +Cc: Daniel J Walsh, lspp-list, selinux

On Fri, 2006-09-08 at 14:47 -0500, Michael C Thompson wrote:
> Stephen Smalley wrote:
> > On Fri, 2006-09-08 at 14:28 -0500, Michael C Thompson wrote:
> >> Daniel J Walsh wrote:
> >>> Michael C Thompson wrote:
> >>>> Hey all,
> >>>>
> >>>> It seems that ssh is unable to add entries to known_hosts for the root 
> >>>> user as sysadm_t. Is this a known issue? And if so, who can add 
> >>>> entries to /root/.ssh/known_hosts ?
> >>>>
> >>>> Thanks,
> >>>> Mike
> >>>>
> >>> This works for me.  How is the file labeled?
> >> # ls -alZ /root/.ssh
> >> drwx------  root root root:object_r:user_home_ssh_t:SystemLow .
> >> drwxr-x---  root root 
> >> root:object_r:sysadm_home_dir_t:SystemLow-SystemHigh ..
> >> -rw-------  root root root:object_r:bin_t:SystemLow    id_rsa
> >> -rw-r--r--  root root root:object_r:bin_t:SystemLow    id_rsa.pub
> >> -rw-r--r--  root root root:object_r:user_home_ssh_t:SystemLow known_hosts
> > 
> > /sbin/restorecon -R /root/.ssh
> 
> I have relabeled this system numerous times with touch /.autorelabel... 
> why wasn't this picked up?

Not sure, not a big fan of autorelabeling myself.  Is /home on a
separate partition?  Would it be mounted when the relabel runs from
rc.sysinit?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [redhat-lspp] Re: MLS Policy (rawhide)
  2006-09-08 20:03         ` Stephen Smalley
@ 2006-09-08 20:07           ` Michael C Thompson
  2006-09-19 14:04             ` Daniel J Walsh
  0 siblings, 1 reply; 9+ messages in thread
From: Michael C Thompson @ 2006-09-08 20:07 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: lspp-list, Daniel J Walsh, selinux

Stephen Smalley wrote:
> On Fri, 2006-09-08 at 14:47 -0500, Michael C Thompson wrote:
>> Stephen Smalley wrote:
>>> On Fri, 2006-09-08 at 14:28 -0500, Michael C Thompson wrote:
>>>> Daniel J Walsh wrote:
>>>>> Michael C Thompson wrote:
>>>>>> Hey all,
>>>>>>
>>>>>> It seems that ssh is unable to add entries to known_hosts for the root 
>>>>>> user as sysadm_t. Is this a known issue? And if so, who can add 
>>>>>> entries to /root/.ssh/known_hosts ?
>>>>>>
>>>>>> Thanks,
>>>>>> Mike
>>>>>>
>>>>> This works for me.  How is the file labeled?
>>>> # ls -alZ /root/.ssh
>>>> drwx------  root root root:object_r:user_home_ssh_t:SystemLow .
>>>> drwxr-x---  root root 
>>>> root:object_r:sysadm_home_dir_t:SystemLow-SystemHigh ..
>>>> -rw-------  root root root:object_r:bin_t:SystemLow    id_rsa
>>>> -rw-r--r--  root root root:object_r:bin_t:SystemLow    id_rsa.pub
>>>> -rw-r--r--  root root root:object_r:user_home_ssh_t:SystemLow known_hosts
>>> /sbin/restorecon -R /root/.ssh
>> I have relabeled this system numerous times with touch /.autorelabel... 
>> why wasn't this picked up?
> 
> Not sure, not a big fan of autorelabeling myself.

Me either, not sure how it got some messed up though.

 > Is /home on a
> separate partition?  Would it be mounted when the relabel runs from
> rc.sysinit?

Well, it wasn't in /home, but even then that isn't the case. But it 
works now, so thanks Stephen :)

Mike


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [redhat-lspp] Re: MLS Policy (rawhide)
  2006-09-08 20:07           ` Michael C Thompson
@ 2006-09-19 14:04             ` Daniel J Walsh
  0 siblings, 0 replies; 9+ messages in thread
From: Daniel J Walsh @ 2006-09-19 14:04 UTC (permalink / raw)
  To: Michael C Thompson; +Cc: Stephen Smalley, lspp-list, selinux

Michael C Thompson wrote:
> Stephen Smalley wrote:
>> On Fri, 2006-09-08 at 14:47 -0500, Michael C Thompson wrote:
>>> Stephen Smalley wrote:
>>>> On Fri, 2006-09-08 at 14:28 -0500, Michael C Thompson wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> Michael C Thompson wrote:
>>>>>>> Hey all,
>>>>>>>
>>>>>>> It seems that ssh is unable to add entries to known_hosts for 
>>>>>>> the root user as sysadm_t. Is this a known issue? And if so, who 
>>>>>>> can add entries to /root/.ssh/known_hosts ?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Mike
>>>>>>>
>>>>>> This works for me.  How is the file labeled?
>>>>> # ls -alZ /root/.ssh
>>>>> drwx------  root root root:object_r:user_home_ssh_t:SystemLow .
>>>>> drwxr-x---  root root 
>>>>> root:object_r:sysadm_home_dir_t:SystemLow-SystemHigh ..
>>>>> -rw-------  root root root:object_r:bin_t:SystemLow    id_rsa
>>>>> -rw-r--r--  root root root:object_r:bin_t:SystemLow    id_rsa.pub
>>>>> -rw-r--r--  root root root:object_r:user_home_ssh_t:SystemLow 
>>>>> known_hosts
>>>> /sbin/restorecon -R /root/.ssh
>>> I have relabeled this system numerous times with touch 
>>> /.autorelabel... why wasn't this picked up?
>>
>> Not sure, not a big fan of autorelabeling myself.
>
> Me either, not sure how it got some messed up though.
>
> > Is /home on a
>> separate partition?  Would it be mounted when the relabel runs from
>> rc.sysinit?
>
> Well, it wasn't in /home, but even then that isn't the case. But it 
> works now, so thanks Stephen :)
>
> Mike
>
touch /.autorelabel should only be used when you have a serious labeling 
problem (file_t, selinux=0, changing policy types).

This should seldom be done.  I have not done it in over a year. 

The file system should not be getting badly mislabeled at this point.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2006-09-19 14:04 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-09-07 21:34 MLS Policy (rawhide) Michael C Thompson
2006-09-07 21:51 ` Michael C Thompson
2006-09-08 18:08 ` Daniel J Walsh
2006-09-08 19:28   ` [redhat-lspp] " Michael C Thompson
2006-09-08 19:40     ` Stephen Smalley
2006-09-08 19:47       ` Michael C Thompson
2006-09-08 20:03         ` Stephen Smalley
2006-09-08 20:07           ` Michael C Thompson
2006-09-19 14:04             ` Daniel J Walsh

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.