From: mra@hp.com (Matt Anderson)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ubuntu-hardened] Cannot use SSH with Refpolicy in Ubuntu Hardy
Date: Thu, 11 Sep 2008 15:30:55 -0400
Message-ID: <48C971EF.5010708@hp.com>
In-Reply-To: <f00ed96d0809061736x73650e80s159ab2d5f2309cc2@mail.gmail.com>

Hong wrote:
> I downloaded the source of refpolicy in Hardy.  (`apt-get source 
> refpolicy`).  I compiled the policy and loaded it.  And then I rebooted 
> the system with PERMISSIVE mode.  (add `enforcing=0` in the kernel 
> options when booting)
> 
> Now I cannot log in to the system remotely using ssh.  Note that the system 
> is in PERMISSIVE mode! (`getenforce` returns `Permissive`).  Every time I 
> tried `ssh my_host_name` and entered the correct password, the client side 
> shows
> "Read from remote host my_host_name: Connection reset by peer
> Connection to my_host_name."
> 
> And after each unsuccessful login, the /var/log/audit/audit.log file on 
> the server added a line:
> "type=ANOM_ABEND msg=audit(1220746818.492:93): audit=4294967295 uid=1000 
> gid=1000 subj=system_u:system_r:sysadm_t pid=4713 comm="sshd" sig=6"

The way I read this is the sshd process ended with signal 6 which is 
Abort.  The type ANOM_ABEND I think decodes to Anomalous - Abnormal End.

> By the way, when I use `make load` to load the policy, there is a 
> one-line error message
> '[19691.816572] secuirty; context system-u;system-r;sysadm-mail-t is 
> invalid'

I suspect this is closer to where your problem lies.  For one, I'd 
expect underscores instead of dashes in the context.  I'd try removing 
and trying to rebuild and install the policy cleanly.  Is it possible to 
get a pre-built policy for Hardy?  It might be useful to see if the 
problem exists there as well.

-matt
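
Added example, not part of the message above or of the refpolicy project: a Python parser that decodes the ANOM_ABEND record quoted in the thread, mapping `sig=6` to its signal name and the audit timestamp to UTC. The function names are hypothetical, and the sample is the quoted record joined onto one line.

```python
import re
import signal
from datetime import datetime, timezone

# Record quoted in the thread, joined onto one line as audit.log stores it.
SAMPLE = ('type=ANOM_ABEND msg=audit(1220746818.492:93): audit=4294967295 uid=1000 '
          'gid=1000 subj=system_u:system_r:sysadm_t pid=4713 comm="sshd" sig=6')

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit.log line into type, timestamp, serial and key=value fields."""
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    rtype, secs, _millis, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    when = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    return {"type": rtype, "time": when, "serial": int(serial), "fields": fields}


def signal_name(number):
    """Map a signal number to its name; unknown numbers come back as text."""
    try:
        return signal.Signals(number).name
    except ValueError:
        return "signal %d" % number


def abnormal_ends(lines):
    """Yield a summary for each ANOM_ABEND record, skipping unparsable lines."""
    for line in lines:
        try:
            rec = parse_record(line)
        except ValueError:
            continue
        if rec["type"] != "ANOM_ABEND":
            continue
        f = rec["fields"]
        yield {"time": rec["time"].isoformat(), "comm": f.get("comm"),
               "pid": int(f["pid"]), "signal": signal_name(int(f["sig"])),
               "subj": f.get("subj")}


if __name__ == "__main__":
    for event in abnormal_ends([SAMPLE, "not an audit line"]):
        print(event)
```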
