Subject: trouble with ssh in today's rawhide + refpolicy
From: Eamon Walsh
Date: 2007-10-22 21:26 UTC
To: Daniel J Walsh
Cc: Christopher J. PeBenito, SELinux List

On a rawhide box updated this afternoon, running refpolicy trunk in mcs mode, I get the following after rebooting the box and logging in over ssh:

$ id -Z
sysadm_u:sysadm_r:system_chkpwd_t:s0

After issuing a "service sshd restart" on the box and trying again, it changes to:

$ id -Z
sysadm_u:sysadm_r:sysadm_t:s0

I've seen this on 2 different machines, and it persists even after a full filesystem relabel. Am I missing something from the refpolicy merge? I haven't changed my seusers file from when I was running strict.

--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
Subject: Re: trouble with ssh in today's rawhide + refpolicy
From: Eamon Walsh
Date: 2007-10-22 22:46 UTC
To: Daniel J Walsh
Cc: Christopher J. PeBenito, SELinux List

Eamon Walsh wrote:
> On a rawhide box updated this afternoon, running refpolicy trunk in mcs
> mode, I get the following after rebooting the box and logging in over ssh:
>
> $ id -Z
> sysadm_u:sysadm_r:system_chkpwd_t:s0
>
> After issuing a "service sshd restart" on the box and trying again, it
> changes to:

Should have used run_init to restart sshd. When I do this, it remains system_chkpwd_t. Also, I'm running in permissive mode and using public key to authenticate.

Some searching revealed previous bug reports, most recently Sept 21:
http://archives.gentoo.org/gentoo-hardened/msg_07021.xml

--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
Subject: Re: trouble with ssh in today's rawhide + refpolicy
From: Daniel J Walsh
Date: 2007-10-23 10:56 UTC
To: Eamon Walsh
Cc: Christopher J. PeBenito, SELinux List

Eamon Walsh wrote:
> Eamon Walsh wrote:
>> On a rawhide box updated this afternoon, running refpolicy trunk in
>> mcs mode, I get the following after rebooting the box and logging in
>> over ssh:
>>
>> $ id -Z
>> sysadm_u:sysadm_r:system_chkpwd_t:s0
>>
>> After issuing a "service sshd restart" on the box and trying again, it
>> changes to:
>
> Should have used run_init to restart sshd. When I do this, it remains
> system_chkpwd_t. Also, I'm running in permissive mode and using public
> key to authenticate.
>
> Some searching revealed previous bug reports, most recently Sept 21:
> http://archives.gentoo.org/gentoo-hardened/msg_07021.xml

It sounds to me like sshd is not labeled correctly. Or perhaps the entire machine. What is sshd running as?
Subject: Re: trouble with ssh in today's rawhide + refpolicy
From: Christopher J. PeBenito
Date: 2007-10-23 13:09 UTC
To: Eamon Walsh
Cc: Daniel J Walsh, SELinux List

On Mon, 2007-10-22 at 17:26 -0400, Eamon Walsh wrote:
> On a rawhide box updated this afternoon, running refpolicy trunk in mcs
> mode, I get the following after rebooting the box and logging in over ssh:
>
> $ id -Z
> sysadm_u:sysadm_r:system_chkpwd_t:s0

Do you have ssh_sysadm_login on? Also, it seems odd that this would happen, since this combination doesn't show up in default_contexts, and the only auto transition to system_chkpwd_t from sshd_t is via chkpwd_exec_t.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
Subject: Re: trouble with ssh in today's rawhide + refpolicy
From: Stephen Smalley
Date: 2007-10-23 13:23 UTC
To: Christopher J. PeBenito
Cc: Eamon Walsh, Daniel J Walsh, SELinux List

On Tue, 2007-10-23 at 13:09 +0000, Christopher J. PeBenito wrote:
> On Mon, 2007-10-22 at 17:26 -0400, Eamon Walsh wrote:
> > On a rawhide box updated this afternoon, running refpolicy trunk in mcs
> > mode, I get the following after rebooting the box and logging in over ssh:
> >
> > $ id -Z
> > sysadm_u:sysadm_r:system_chkpwd_t:s0
>
> Do you have ssh_sysadm_login on? Also, it seems odd that this would
> happen, since this combination doesn't show up in default_contexts, and
> the only auto transition to system_chkpwd_t from sshd_t is via
> chkpwd_exec_t.

We've seen this kind of behavior before when the get_ordered_context_list() logic fails to get any contexts from security_compute_user() that correspond with any of the partial contexts in default_contexts - it then falls back to just returning the entire reachable list.

get_ordered_context_list() really needs to be overhauled and replaced with a mostly userland solution, only consulting the kernel to get the list of roles and the default level for the user.

--
Stephen Smalley
National Security Agency
Subject: Re: trouble with ssh in today's rawhide + refpolicy
From: Christopher J. PeBenito
Date: 2007-10-23 13:39 UTC
To: Stephen Smalley
Cc: Eamon Walsh, Daniel J Walsh, SELinux List

On Tue, 2007-10-23 at 09:23 -0400, Stephen Smalley wrote:
> On Tue, 2007-10-23 at 13:09 +0000, Christopher J. PeBenito wrote:
> > On Mon, 2007-10-22 at 17:26 -0400, Eamon Walsh wrote:
> > > On a rawhide box updated this afternoon, running refpolicy trunk in mcs
> > > mode, I get the following after rebooting the box and logging in over ssh:
> > >
> > > $ id -Z
> > > sysadm_u:sysadm_r:system_chkpwd_t:s0
> >
> > Do you have ssh_sysadm_login on? Also, it seems odd that this would
> > happen, since this combination doesn't show up in default_contexts, and
> > the only auto transition to system_chkpwd_t from sshd_t is via
> > chkpwd_exec_t.
>
> We've seen this kind of behavior before when the
> get_ordered_context_list() logic fails to get any contexts from
> security_compute_user() that correspond with any of the partial contexts
> in default_contexts - it then falls back to just returning the entire
> reachable list.

Ok. For some reason I always thought it would just fail if nothing worked from default_contexts.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
Subject: Re: trouble with ssh in today's rawhide + refpolicy
From: Daniel J Walsh
Date: 2007-10-23 13:52 UTC
To: Christopher J. PeBenito
Cc: Stephen Smalley, Eamon Walsh, SELinux List

Christopher J. PeBenito wrote:
> On Tue, 2007-10-23 at 09:23 -0400, Stephen Smalley wrote:
>> On Tue, 2007-10-23 at 13:09 +0000, Christopher J. PeBenito wrote:
>>> On Mon, 2007-10-22 at 17:26 -0400, Eamon Walsh wrote:
>>>> On a rawhide box updated this afternoon, running refpolicy trunk in mcs
>>>> mode, I get the following after rebooting the box and logging in over ssh:
>>>>
>>>> $ id -Z
>>>> sysadm_u:sysadm_r:system_chkpwd_t:s0
>>> Do you have ssh_sysadm_login on? Also, it seems odd that this would
>>> happen, since this combination doesn't show up in default_contexts, and
>>> the only auto transition to system_chkpwd_t from sshd_t is via
>>> chkpwd_exec_t.
>> We've seen this kind of behavior before when the
>> get_ordered_context_list() logic fails to get any contexts from
>> security_compute_user() that correspond with any of the partial contexts
>> in default_contexts - it then falls back to just returning the entire
>> reachable list.
>
> Ok. For some reason I always thought it would just fail if nothing
> worked from default_contexts.

I think that is what should happen, but it does not.
Subject: Re: trouble with ssh in today's rawhide + refpolicy
From: Stephen Smalley
Date: 2007-10-23 17:18 UTC
To: Daniel J Walsh
Cc: Christopher J. PeBenito, Eamon Walsh, SELinux List

On Tue, 2007-10-23 at 09:52 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Tue, 2007-10-23 at 09:23 -0400, Stephen Smalley wrote:
> >> On Tue, 2007-10-23 at 13:09 +0000, Christopher J. PeBenito wrote:
> >>> On Mon, 2007-10-22 at 17:26 -0400, Eamon Walsh wrote:
> >>>> On a rawhide box updated this afternoon, running refpolicy trunk in mcs
> >>>> mode, I get the following after rebooting the box and logging in over ssh:
> >>>>
> >>>> $ id -Z
> >>>> sysadm_u:sysadm_r:system_chkpwd_t:s0
> >>> Do you have ssh_sysadm_login on? Also, it seems odd that this would
> >>> happen, since this combination doesn't show up in default_contexts, and
> >>> the only auto transition to system_chkpwd_t from sshd_t is via
> >>> chkpwd_exec_t.
> >> We've seen this kind of behavior before when the
> >> get_ordered_context_list() logic fails to get any contexts from
> >> security_compute_user() that correspond with any of the partial contexts
> >> in default_contexts - it then falls back to just returning the entire
> >> reachable list.
> >
> > Ok. For some reason I always thought it would just fail if nothing
> > worked from default_contexts.
>
> I think that is what should happen, but it does not.

Well, two observations:

- originally default_contexts was only supposed to specify defaults, not everything, so the system was supposed to work even if it was empty (but we have already migrated away from that to some degree),

- if we fail entirely in that case, then we'll fail even in permissive mode, unless the caller is also checking for permissive mode and has some fallback behavior in that case.

--
Stephen Smalley
National Security Agency
Subject: Re: trouble with ssh in today's rawhide + refpolicy
From: Eamon Walsh
Date: 2007-10-23 17:08 UTC
To: Christopher J. PeBenito
Cc: Daniel J Walsh, SELinux List

Christopher J. PeBenito wrote:
> On Mon, 2007-10-22 at 17:26 -0400, Eamon Walsh wrote:
>> On a rawhide box updated this afternoon, running refpolicy trunk in mcs
>> mode, I get the following after rebooting the box and logging in over ssh:
>>
>> $ id -Z
>> sysadm_u:sysadm_r:system_chkpwd_t:s0
>
> Do you have ssh_sysadm_login on?

Nope, didn't have this set. That solves the problem, thanks.

--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
Subject: Re: trouble with ssh in today's rawhide + refpolicy
From: Daniel J Walsh
Date: 2007-10-23 17:39 UTC
To: Eamon Walsh
Cc: Christopher J. PeBenito, SELinux List

Eamon Walsh wrote:
> Christopher J. PeBenito wrote:
>> On Mon, 2007-10-22 at 17:26 -0400, Eamon Walsh wrote:
>>> On a rawhide box updated this afternoon, running refpolicy trunk in
>>> mcs mode, I get the following after rebooting the box and logging in
>>> over ssh:
>>>
>>> $ id -Z
>>> sysadm_u:sysadm_r:system_chkpwd_t:s0
>>
>> Do you have ssh_sysadm_login on?
>
> Nope, didn't have this set. That solves the problem, thanks.

You should never log in as root via ssh. :^)

I think you should fail to log in in enforcing mode and return anything in permissive mode. Allowing the user to reach a shell as a random context is dangerous. As system_chkpwd_t I can read the /etc/shadow file. Although in reality I would figure the shell would not have access to the tty.
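The two behaviours debated in this thread (Stephen's description of the fallback that returns the whole reachable list when nothing matches default_contexts, and Dan's proposal to fail in enforcing mode and return anything in permissive mode) side by side, as an added example that is not libselinux code or anyone's posting. It assumes a default_contexts line of the form "src_role:src_type[:lvl]  pref1 pref2 ...", matches partial contexts on role:type only, and uses constructed stand-ins for what security_compute_user() would return with the ssh_sysadm_login boolean off and on.

```python
# Added example, not libselinux code: simplified model of the ordering logic
# behind get_ordered_context_list(). Assumptions: default_contexts lines are
# "src_role:src_type[:lvl]  pref1 pref2 ...", partial contexts are matched on
# role:type only, and the reachable lists are constructed stand-ins for what
# security_compute_user() would return for sysadm_u.

DEFAULT_CONTEXTS = """\
system_r:sshd_t:s0  sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
system_r:xdm_t:s0   staff_r:staff_t:s0 user_r:user_t:s0
"""

SSHD = "system_u:system_r:sshd_t:s0"
XDM = "system_u:system_r:xdm_t:s0"

# Constructed: with ssh_sysadm_login off, sysadm_r:sysadm_t is not reachable
# from sshd_t, but the password-checking helper domain still is.
REACHABLE_BOOL_OFF = ["sysadm_u:sysadm_r:system_chkpwd_t:s0"]
# Constructed: with the boolean on, the real login domain is reachable too.
REACHABLE_BOOL_ON = REACHABLE_BOOL_OFF + ["sysadm_u:sysadm_r:sysadm_t:s0"]


def role_type(ctx, partial=False):
    """Reduce a context to 'role:type'. Full contexts are user:role:type:level;
    partial ones (default_contexts entries) are role:type[:level]."""
    fields = ctx.split(":")
    return ":".join(fields[0:2] if partial else fields[1:3])


def parse_default_contexts(text):
    """Map each source role:type to its ordered list of preferred role:type."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            table[role_type(fields[0], True)] = [role_type(f, True) for f in fields[1:]]
    return table


def order_context_list(source, reachable, table, enforcing=False, strict=False):
    """Order `reachable` by the preference list for the source's role:type,
    dropping contexts that match no entry. If nothing matches at all:
    strict=False reproduces the fallback described in the thread (return the
    whole reachable list, so a helper domain can become the login context);
    strict=True applies the proposed fix (fail when enforcing, return
    anything when permissive)."""
    prefs = table.get(role_type(source), [])
    ordered = [ctx for p in prefs for ctx in reachable if role_type(ctx) == p]
    if ordered:
        return ordered
    if strict and enforcing:
        raise PermissionError("no context for %s matches default_contexts" % source)
    return list(reachable)


def login_context(source, reachable, enforcing=False, strict=False):
    """What a login program would pick: the first entry of the ordered list."""
    table = parse_default_contexts(DEFAULT_CONTEXTS)
    return order_context_list(source, reachable, table, enforcing, strict)[0]


def strict_login_rejected(source, reachable):
    """True if the strict variant refuses the login in enforcing mode."""
    try:
        login_context(source, reachable, enforcing=True, strict=True)
    except PermissionError:
        return True
    return False
```

With the constructed lists, the non-strict model yields sysadm_u:sysadm_r:system_chkpwd_t:s0 for both the sshd_t and xdm_t sources when the respective boolean is off, matching the symptom reported in the thread.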
Subject: Re: trouble with ssh in today's rawhide + refpolicy
From: Eamon Walsh
Date: 2007-10-25 23:28 UTC
To: Christopher J. PeBenito
Cc: Daniel J Walsh, SELinux List

Eamon Walsh wrote:
> Christopher J. PeBenito wrote:
>> On Mon, 2007-10-22 at 17:26 -0400, Eamon Walsh wrote:
>>> On a rawhide box updated this afternoon, running refpolicy trunk in mcs
>>> mode, I get the following after rebooting the box and logging in over ssh:
>>>
>>> $ id -Z
>>> sysadm_u:sysadm_r:system_chkpwd_t:s0
>> Do you have ssh_sysadm_login on?
>
> Nope, didn't have this set. That solves the problem, thanks.

I observed the same erroneous type today when I logged into X without xdm_sysadm_login set.

--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency