* [refpolicy] Cannot use SSH with Refpolicy in Ubuntu Hardy
@ 2008-09-07 0:36 Hong
2008-09-07 2:18 ` Justin P. Mattock
2008-09-11 19:30 ` [refpolicy] [ubuntu-hardened] " Matt Anderson
0 siblings, 2 replies; 7+ messages in thread
From: Hong @ 2008-09-07 0:36 UTC (permalink / raw)
To: refpolicy
Hi,

I downloaded the source of refpolicy in Hardy. (`apt-get source
refpolicy`). I compiled the policy and loaded it. And then I rebooted the
system with PERMISSIVE mode. (add `enforcing=0` in the kernel options when
booting)

Now I cannot log in to the system remotely using ssh. Note that the system is
in PERMISSIVE mode! (`getenforce` returns `Permissive`). Every time I tried
`ssh my_host_name` and entered the correct password, the client side shows
"Read from remote host my_host_name: Connection reset by peer
Connection to my_host_name."

And after each unsuccessful login, the /var/log/audit/audit.log file on the
server added a line:
"type=ANOM_ABEND msg=audit(1220746818.492:93): audit=4294967295 uid=1000
gid=1000 subj=system_u:system_r:sysadm_t pid=4713 comm="sshd" sig=6"

By the way, when I use `make load` to load the policy, there is a one-line
error message
'[19691.816572] secuirty; context system-u;system-r;sysadm-mail-t is
invalid'

I am not quite familiar with the messages. Can anyone help me to see what's
going on?

Thanks,
Hong
* [refpolicy] Cannot use SSH with Refpolicy in Ubuntu Hardy
From: Justin P. Mattock @ 2008-09-07 2:18 UTC (permalink / raw)
To: refpolicy
I know this might sound stupid, but check and make sure
/etc/selinux/config is in permissive as well. E.g., a few months ago
I couldn't boot because of having that file in enforcing.

Justin P. Mattock
* [refpolicy] Cannot use SSH with Refpolicy in Ubuntu Hardy
From: Hong @ 2008-09-07 2:57 UTC (permalink / raw)
To: refpolicy
Thanks for your reply, Justin.

I just changed the line `SELINUX=enforcing` to `SELINUX=permissive` and
rebooted the system.

After reboot, I checked `getenforce` and it returned `permissive`.

But still I cannot ssh to the machine remotely...
After each try with a correct password, /var/log/message doesn't grow but
/var/log/audit/audit.log grows with one line.
If I tried with an incorrect password, neither of the two log files changed.

Hong
* [refpolicy] Cannot use SSH with Refpolicy in Ubuntu Hardy
From: Justin P. Mattock @ 2008-09-07 3:32 UTC (permalink / raw)
To: refpolicy
Hmm, a few days ago I was able to ssh into a machine that was in
permissive without any issues, except for making sure tcpwrappers were
set right (/etc/host.*); but couldn't get into the machine that was in
full enforcement (didn't spend too much time though); maybe xorg needs
adjusting. Anyways, check /etc/host.* aren't blocking anything, as well
as /etc/ssh/config is set right.

Justin P. Mattock
* [refpolicy] Cannot use SSH with Refpolicy in Ubuntu Hardy
From: Václav Ovsík @ 2008-09-08 6:25 UTC (permalink / raw)
To: refpolicy
On Sat, Sep 06, 2008 at 10:57:26PM -0400, Hong wrote:
> Thanks for your reply, Justin.
>
> I just changed the line `SELINUX=enforcing` to `SELINUX=permissive` and
> rebooted the system.
>
> After reboot, I checked `getenforce` and it returned `permissive`.
>
> But still I cannot ssh to the machine remotely...
> After each try with a correct password, /var/log/message doesn't grow but
> /var/log/audit/audit.log grows with one line.
> If I tried with an incorrect password, neither of the two log files changed.
Did you relabel the file system?
If you have some SE Linux problem (denials), sshd may fail even in
permissive mode, because it is an SE Linux aware application and it can
choose a different code flow with SE Linux enabled. Running the system in
permissive mode is not the same as running the system with SE Linux
switched off. I observed this sshd problem too.
Regards
--
Zito
* [refpolicy] Cannot use SSH with Refpolicy in Ubuntu Hardy
From: Justin Mattock @ 2008-09-08 20:39 UTC (permalink / raw)
To: refpolicy
On Sun, Sep 7, 2008 at 11:25 PM, Václav Ovsík <vaclav.ovsik@i.cz> wrote:
> On Sat, Sep 06, 2008 at 10:57:26PM -0400, Hong wrote:
>> Thanks for your reply, Justin.
>>
>> I just changed the line `SELINUX=enforcing` to `SELINUX=permissive` and
>> rebooted the system.
>>
>> After reboot, I checked `getenforce` and it returned `permissive`.
>>
>> But still I cannot ssh to the machine remotely...
>> After each try with a correct password, /var/log/message doesn't grow but
>> /var/log/audit/audit.log grows with one line.
>> If I tried with an incorrect password, neither of the two log files changed.
>
> Did you relabel the file system?
> If you have some SE Linux problem (denials), sshd may fail even in
> permissive mode, because it is an SE Linux aware application and it can
> choose a different code flow with SE Linux enabled. Running the system in
> permissive mode is not the same as running the system with SE Linux
> switched off. I observed this sshd problem too.
> Regards
> --
> Zito
>
I'm wondering if he disabled SELinux completely,
just to isolate the issue.
--
Justin P. Mattock
* [refpolicy] [ubuntu-hardened] Cannot use SSH with Refpolicy in Ubuntu Hardy
From: Matt Anderson @ 2008-09-11 19:30 UTC (permalink / raw)
To: refpolicy
Hong wrote:
> I downloaded the source of refpolicy in Hardy. (`apt-get source
> refpolicy`). I compiled the policy and loaded it. And then I rebooted
> the system with PERMISSIVE mode. (add `enforcing=0` in the kernel
> options when booting)
>
> Now I cannot log in to the system remotely using ssh. Note that the system
> is in PERMISSIVE mode! (`getenforce` returns `Permissive`). Every time I
> tried `ssh my_host_name` and entered the correct password, the client side
> shows
> "Read from remote host my_host_name: Connection reset by peer
> Connection to my_host_name."
>
> And after each unsuccessful login, the /var/log/audit/audit.log file on
> the server added a line:
> "type=ANOM_ABEND msg=audit(1220746818.492:93): audit=4294967295 uid=1000
> gid=1000 subj=system_u:system_r:sysadm_t pid=4713 comm="sshd" sig=6"
The way I read this is the sshd process ended with signal 6 which is
Abort. The type ANOM_ABEND I think decodes to Anomalous - Abnormal End.
> By the way, when I use `make load` to load the policy, there is a
> one-line error message
> '[19691.816572] secuirty; context system-u;system-r;sysadm-mail-t is
> invalid'
I suspect this is closer to where your problem lies. For one, I'd
expect underscores instead of dashes in the context. I'd try removing
and trying to rebuild and install the policy cleanly. Is it possible to
get a pre-built policy for Hardy? It might be useful to see if the
problem exists there as well.
-matt
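
The reading of the two log lines in the message above can be reproduced mechanically. The following Python is an added example, not part of the original thread: it parses the audit record Hong posted, maps `sig=6` to its signal name, and checks a context against the `user:role:type` layout and the refpolicy `_u`/`_r`/`_t` suffix convention. The function names are hypothetical, and the suffix check is a naming-convention test, not a lookup in the loaded policy.

```python
import re
import signal

# Both strings are copied from Hong's first message in this thread.
AUDIT_LINE = ('type=ANOM_ABEND msg=audit(1220746818.492:93): audit=4294967295 '
              'uid=1000 gid=1000 subj=system_u:system_r:sysadm_t pid=4713 '
              'comm="sshd" sig=6')
KERNEL_MSG = 'secuirty; context system-u;system-r;sysadm-mail-t is invalid'

RECORD = re.compile(r'type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: refpolicy naming convention (users *_u, roles *_r, types *_t).
SUFFIXES = (('user', '_u'), ('role', '_r'), ('type', '_t'))


def parse_audit(line):
    """Split one audit record into its type, epoch seconds, serial and fields."""
    m = RECORD.match(line)
    if m is None:
        raise ValueError('not an audit record: %r' % line)
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(5))}
    return {'type': m.group(1), 'epoch': int(m.group(2)),
            'serial': int(m.group(4)), 'fields': fields}


def signal_name(number):
    """Map the sig= value to its symbolic name on the host running this code."""
    try:
        return signal.Signals(int(number)).name
    except ValueError:
        return 'unknown signal %s' % number


def context_problems(context):
    """List ways a context departs from the user:role:type[:range] layout."""
    parts = context.split(':')
    if len(parts) < 3:
        return ['expected at least 3 colon-separated fields, got %d' % len(parts)]
    return ['%s %r does not end in %s' % (name, value, suffix)
            for (name, suffix), value in zip(SUFFIXES, parts)
            if not value.endswith(suffix)]


if __name__ == '__main__':
    rec = parse_audit(AUDIT_LINE)
    f = rec['fields']
    print(rec['type'], f['comm'], 'pid', f['pid'], 'ended by', signal_name(f['sig']))
    print('subj:', context_problems(f['subj']) or 'well-formed')
    bad = re.search(r'context (\S+) is invalid', KERNEL_MSG).group(1)
    print(bad, '->', context_problems(bad))
```
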