* Re: [redhat-lspp] Problem SSH-ing into LSPP system with multiple categories
From: Tomas Mraz @ 2007-01-26 20:27 UTC
To: Kylene Jo Hall; +Cc: dwalsh, redhat-lspp, selinux

On Fri, 2007-01-26 at 12:11 -0800, Kylene Jo Hall wrote:
> I have been unable to ssh into an LSPP system with multiple categories.
>
> For example the following work:
> ssh testuser/user_r/s2@localhost
> ssh testuser/user_r/s2:c0@localhost
> ssh testuser/user_r/s2:c1@localhost
>
> But these do not:
> ssh testuser/user_r/s2:c0.c1@localhost
> ssh testuser/user_r/s2:c0,c1@localhost
>
> Policy version: selinux-policy-mls-2.4.6-28.el5
> Kernel version: kernel-2.6.18-1.3015.2.1.el5.lspp.63
>
> We have tested this on multiple architectures to no avail. Any
> suggestions?

Could you modify LogLevel in /etc/ssh/sshd_config to DEBUG3 and look
in /var/log/secure to see what messages are there when the login fails?

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [redhat-lspp] Problem SSH-ing into LSPP system with multiple categories
From: Tomas Mraz @ 2007-01-26 21:10 UTC
To: Kylene Jo Hall; +Cc: redhat-lspp, dwalsh, selinux

On Fri, 2007-01-26 at 12:46 -0800, Kylene Jo Hall wrote:
> I couldn't find anything in /var/log/secure but here is what was
> in /var/log/messages from the following attempts:
> ssh testuser/user_r/s2:c0.c1@localhost
> ssh testuser/user_r/s2:c0,c1@localhost
> ssh testuser/user_r/s2:c0-c1@localhost
>
> Jan 26 14:41:40 rheal3a sshd[2646]: Postponed keyboard-interactive for testuser from 127.0.0.1 port 39420 ssh2
> Jan 26 14:41:44 rheal3a sshd[2646]: Postponed keyboard-interactive/pam for testuser from 127.0.0.1 port 39420 ssh2
> Jan 26 14:41:44 rheal3a sshd[2645]: Accepted keyboard-interactive/pam for testuser from 127.0.0.1 port 39420 ssh2
> Jan 26 14:41:44 rheal3a sshd[2645]: fatal: deny MLS level s2:c0,c1 (user range s0-s15:c0.c1023)
> Jan 26 14:42:11 rheal3a sshd[2653]: Connection from 127.0.0.1 port 39421
> Jan 26 14:42:11 rheal3a sshd[2654]: Postponed keyboard-interactive for testuser from 127.0.0.1 port 39421 ssh2
> Jan 26 14:42:15 rheal3a sshd[2654]: Postponed keyboard-interactive/pam for testuser from 127.0.0.1 port 39421 ssh2
> Jan 26 14:42:15 rheal3a sshd[2653]: Accepted keyboard-interactive/pam for testuser from 127.0.0.1 port 39421 ssh2
> Jan 26 14:42:15 rheal3a sshd[2653]: fatal: Failed to get default security context for testuser.
> Jan 26 14:43:35 rheal3a sshd[2662]: Connection from 127.0.0.1 port 39422
> Jan 26 14:43:35 rheal3a sshd[2663]: Postponed keyboard-interactive for testuser from 127.0.0.1 port 39422 ssh2
> Jan 26 14:43:39 rheal3a sshd[2663]: Postponed keyboard-interactive/pam for testuser from 127.0.0.1 port 39422 ssh2
> Jan 26 14:43:39 rheal3a sshd[2662]: Accepted keyboard-interactive/pam for testuser from 127.0.0.1 port 39422 ssh2
> Jan 26 14:43:39 rheal3a sshd[2662]: fatal: deny MLS level s2:c0.c1 (user range s0-s15:c0.c1023)
> Jan 26 14:44:30 rheal3a sshd[2670]: Connection from 127.0.0.1 port 39423
> Jan 26 14:44:31 rheal3a sshd[2671]: Postponed keyboard-interactive for testuser from 127.0.0.1 port 39423 ssh2
> Jan 26 14:44:34 rheal3a sshd[2671]: Postponed keyboard-interactive/pam for testuser from 127.0.0.1 port 39423 ssh2
> Jan 26 14:44:34 rheal3a sshd[2670]: Accepted keyboard-interactive/pam for testuser from 127.0.0.1 port 39423 ssh2
> Jan 26 14:44:34 rheal3a sshd[2670]: fatal: Failed to get default security context for testuser.

It seems that s2:c0,c1 and s2:c0.c1 logins are denied by policy.
I don't know why the s2:c0-c1 case fails on getting the default
context - seems like s2:c0-c1 is not a valid context.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
* Re: [redhat-lspp] Problem SSH-ing into LSPP system with multiple categories
From: Daniel J Walsh @ 2007-01-26 22:31 UTC
To: Kylene Jo Hall; +Cc: Tomas Mraz, redhat-lspp, selinux

Kylene Jo Hall wrote:
> More test data:
>
> [root@rheal3a ~]# ssh testuser/user_r/s2:c0@localhost
> Password:
> Last login: Fri Jan 26 14:55:13 2007 from rheal3a.endicott.ibm.com
> -bash-3.1$ id
> uid=501(testuser) gid=501(testuser) groups=501(testuser) context=testuser_u:user_r:user_t:A
> -bash-3.1$ exit
> logout
> Connection to localhost closed.
> [root@rheal3a ~]# ssh testuser/user_r/s2:c1@localhost
> Password:
> Last login: Fri Jan 26 14:55:29 2007 from rheal3a.endicott.ibm.com
> -bash-3.1$ id
> uid=501(testuser) gid=501(testuser) groups=501(testuser) context=testuser_u:user_r:user_t:B
> -bash-3.1$ exit
> logout
> Connection to localhost closed.
> [root@rheal3a ~]# ssh testuser/user_r/s2:c3@localhost
> Password:
> Last login: Fri Jan 26 14:55:40 2007 from rheal3a.endicott.ibm.com
> -bash-3.1$ id
> uid=501(testuser) gid=501(testuser) groups=501(testuser) context=testuser_u:user_r:user_t:s2:c3
> -bash-3.1$ quit
> -bash: quit: command not found
> -bash-3.1$ exit
> logout
> Connection to localhost closed.
> [root@rheal3a ~]# ssh testuser/user_r/s2:c2@localhost
> Password:
> Last login: Fri Jan 26 14:56:05 2007 from rheal3a.endicott.ibm.com
> -bash-3.1$ ls
> -bash-3.1$ id
> uid=501(testuser) gid=501(testuser) groups=501(testuser) context=testuser_u:user_r:user_t:s2:c2
> -bash-3.1$ quit
> -bash: quit: command not found
> -bash-3.1$ exit
> logout
> Connection to localhost closed.
> [root@rheal3a ~]# ssh testuser/user_r/s2:c2,c3@localhost
> Password:
> Last login: Fri Jan 26 14:56:22 2007 from rheal3a.endicott.ibm.com
> -bash-3.1$ id
> uid=501(testuser) gid=501(testuser) groups=501(testuser) context=testuser_u:user_r:user_t:s2:c2,c3
> -bash-3.1$ exit
> logout
> Connection to localhost closed.
> [root@rheal3a ~]#
>
> On Fri, 2007-01-26 at 12:54 -0800, Kylene Jo Hall wrote:
>> More test data:
>>
>> ssh testuer/user_r/s#:c0,c1@localhost works for every value of # between
>> 0 and 15 except 2.
>>
>> Thanks,
>> Kylie
>>
>> On Fri, 2007-01-26 at 21:27 +0100, Tomas Mraz wrote:
>>> On Fri, 2007-01-26 at 12:11 -0800, Kylene Jo Hall wrote:
>>>> I have been unable to ssh into an LSPP system with multiple categories.
>>>>
>>>> For example the following work:
>>>> ssh testuser/user_r/s2@localhost
>>>> ssh testuser/user_r/s2:c0@localhost
>>>> ssh testuser/user_r/s2:c1@localhost
>>>>
>>>> But these do not:
>>>> ssh testuser/user_r/s2:c0.c1@localhost
>>>> ssh testuser/user_r/s2:c0,c1@localhost
>>>>
>>>> Policy version: selinux-policy-mls-2.4.6-28.el5
>>>> Kernel version: kernel-2.6.18-1.3015.2.1.el5.lspp.63
>>>>
>>>> We have tested this on multiple architectures to no avail. Any
>>>> suggestions?
>>>>
>>> Could you modify LogLevel in /etc/ssh/sshd_config to DEBUG3 and look
>>> into the /var/log/secure what messages are there when the login fails?

I am not able to recreate this here.

semanage user -l
semanage login -l
ps -eZ | grep ssh
* Re: [redhat-lspp] Problem SSH-ing into LSPP system with multiple categories
From: Klaus Weidner @ 2007-01-29 17:42 UTC
To: Kylene Jo Hall; +Cc: Tomas Mraz, redhat-lspp, dwalsh, selinux

On Fri, Jan 26, 2007 at 12:54:44PM -0800, Kylene Jo Hall wrote:
> More test data:
>
> ssh testuer/user_r/s#:c0,c1@localhost works for every value of # between
> 0 and 15 except 2.

I can reproduce this, and it appears to be related to label translations.
This is in the /etc/selinux/mls/setrans.conf file:

# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B

Commenting out these entries makes login work again.

Failed login:

type=USER_ROLE_CHANGE msg=audit(1170092360.977:951): user pid=2498 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='sshd: default-context=staff_u:staff_r:staff_t:s0-s15:c0.c1023 selected-context=staff_u:staff_r:staff_t:Secret:A,B: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=? res=failed)'

Successful login (translation commented out):

type=USER_ROLE_CHANGE msg=audit(1170092403.742:991): user pid=2553 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='sshd: default-context=staff_u:staff_r:staff_t:s0-s15:c0.c1023 selected-context=staff_u:staff_r:staff_t:s2:c0,c1: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=? res=success)'

Is "Secret:A,B" correct syntax?

-Klaus
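Added example (editor's addition, not code from any poster in this thread) that ties together the two technical points above: Tomas's observation that sshd logs "deny MLS level ... (user range ...)" for s2:c0,c1 and s2:c0.c1, and Klaus's finding that the setrans.conf entries turn "s2:c0,c1" into "Secret:A,B", which is not a label the system can resolve. The script parses raw MLS levels and ranges, checks whether the denied level actually lies inside the user range (it does, so the range check is not the explanation), and then models the per-component translation the audit record shows so that every level a user could request can be round-tripped through the translation table before it breaks logins. The translation model (whole-level entry wins; otherwise sensitivity and each category are looked up separately; untranslatable levels stay raw) is an assumption fitted to the contexts printed by id and in the audit records above, not mcstransd's actual source. The log lines and the candidate level list are constructed sample input.

```python
import re

# Constructed sample log lines, modelled on the sshd messages quoted earlier in this thread.
SSHD_LOG = """\
Jan 26 14:41:44 rheal3a sshd[2645]: fatal: deny MLS level s2:c0,c1 (user range s0-s15:c0.c1023)
Jan 26 14:42:15 rheal3a sshd[2653]: fatal: Failed to get default security context for testuser.
Jan 26 14:43:39 rheal3a sshd[2662]: fatal: deny MLS level s2:c0.c1 (user range s0-s15:c0.c1023)
"""

# Translation entries as given in the /etc/selinux/mls/setrans.conf excerpt in this thread.
SETRANS = {"s2": "Secret", "s2:c0": "A", "s2:c1": "B"}

# Constructed list of levels a tester might request, including the ones that failed above.
CANDIDATES = ["s2", "s2:c0", "s2:c1", "s2:c3", "s2:c2,c3", "s2:c0,c1", "s2:c0.c1", "s1:c0,c1"]


def parse_categories(spec):
    """'c0,c1' -> {0, 1}; 'c0.c1023' -> {0, ..., 1023}; '' -> set(). ValueError on bad syntax."""
    cats = set()
    for part in filter(None, spec.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError("bad category spec: %r" % part)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError("descending category range: %r" % part)
        cats.update(range(lo, hi + 1))
    return cats


def parse_level(level):
    """'s2:c0,c1' -> (2, {0, 1}); 's2' -> (2, set()). ValueError if not a raw MLS level
    (so 's2:c0-c1' from the thread is rejected, as is 'Secret:A,B')."""
    m = re.fullmatch(r"s(\d+)(?::(.*))?", level)
    if not m:
        raise ValueError("not a raw MLS level: %r" % level)
    return int(m.group(1)), parse_categories(m.group(2) or "")


def level_in_range(level, rng):
    """True if level lies between the low and high ends of a range such as 's0-s15:c0.c1023'."""
    s, cats = parse_level(level)
    low, _, high = rng.partition("-")
    lo_s, lo_c = parse_level(low)
    hi_s, hi_c = parse_level(high) if high else (lo_s, lo_c)
    return lo_s <= s <= hi_s and lo_c <= cats <= hi_c


DENY_RE = re.compile(r"fatal: deny MLS level (\S+) \(user range (\S+)\)")


def triage_denials(log_text):
    """For every 'deny MLS level' line return (level, range, inside_range), so a genuine
    range violation can be told apart from a denial with some other cause."""
    results = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            level, rng = m.groups()
            results.append((level, rng, level_in_range(level, rng)))
    return results


def translate(level, table):
    """Assumed model of the translation observed in this thread: a whole-level entry wins
    ('s2:c0' -> 'A'); otherwise the sensitivity and each category are looked up separately
    and rejoined, giving 'Secret:A,B' for 's2:c0,c1'; if any component has no entry the
    level is left raw ('s2:c3' stays 's2:c3')."""
    if level in table:
        return table[level]
    s, cats = parse_level(level)
    sens = "s%d" % s
    keys = [sens] + ["%s:c%d" % (sens, c) for c in sorted(cats)]
    if not all(k in table for k in keys):
        return level
    names = [table[k] for k in keys]
    return names[0] + (":" + ",".join(names[1:]) if cats else "")


def untranslate(label, table):
    """Reverse lookup: a known translated name maps back, a raw level is returned as-is,
    anything else (such as 'Secret:A,B') is None."""
    reverse = {v: k for k, v in table.items()}
    if label in reverse:
        return reverse[label]
    try:
        parse_level(label)
        return label
    except ValueError:
        return None


def broken_levels(table, levels):
    """Levels whose translation cannot be mapped back to the raw level; a login at such a
    level ends up with a selected-context the system cannot resolve, as in the failed audit
    record above. Run this over the table before deploying a setrans.conf change."""
    return [lv for lv in levels if untranslate(translate(lv, table), table) != lv]


if __name__ == "__main__":
    for level, rng, inside in triage_denials(SSHD_LOG):
        print("deny %-9s range %s  level inside range: %s" % (level, rng, inside))
    print("levels that do not round-trip through setrans:", broken_levels(SETRANS, CANDIDATES))
    print("with the translations removed:", broken_levels({}, CANDIDATES))
```

With the thread's three entries, broken_levels reports exactly the two failing logins (s2:c0,c1 and s2:c0.c1) and nothing for s1 through s15, matching Kylene's "every value of # between 0 and 15 except 2"; with the entries commented out, as Klaus did, the list is empty.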
* Re: [redhat-lspp] Problem SSH-ing into LSPP system with multiple categories
From: Klaus Weidner @ 2007-01-30 2:47 UTC
To: Kylene Jo Hall; +Cc: redhat-lspp, dwalsh, Tomas Mraz, selinux

On Mon, Jan 29, 2007 at 11:42:15AM -0600, Klaus Weidner wrote:
> On Fri, Jan 26, 2007 at 12:54:44PM -0800, Kylene Jo Hall wrote:
> > More test data:
> >
> > ssh testuer/user_r/s#:c0,c1@localhost works for every value of # between
> > 0 and 15 except 2.
>
> I can reproduce this, and it appears to be related to label translations.

I've posted a bug:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=225355

-Klaus