* [refpolicy] Cannot use SSH with Refpolicy in Ubuntu Hardy
From: Hong @ 2008-09-07 0:36 UTC
To: refpolicy

Hi,

I downloaded the source of refpolicy in Hardy. (`apt-get source refpolicy`). I compiled the policy and loaded it. And then I rebooted the system with PERMISSIVE mode. (add `enforcing=0` in the kernel options when booting)

Now I cannot log in to the system remotely using ssh. Note that the system is in PERMISSIVE mode! (`getenforce` returns `Permissive`). Every time I tried `ssh my_host_name` and entered the correct password, the client side shows
"Read from remote host my_host_name: Connection reset by peer
Connection to my_host_name."

And after each unsuccessful login, the /var/log/audit/audit.log file on the server added a line:
"type=ANOM_ABEND msg=audit(1220746818.492:93): audit=4294967295 uid=1000 gid=1000 subj=system_u:system_r:sysadm_t pid=4713 comm="sshd" sig=6"

By the way, when I use `make load` to load the policy, there is a one-line error message
'[19691.816572] secuirty; context system-u;system-r;sysadm-mail-t is invalid'

I am not quite familiar with the messages. Can anyone help me to see what's going on?

Thanks,
Hong

* [refpolicy] Cannot use SSH with Refpolicy in Ubuntu Hardy
From: Justin P. Mattock @ 2008-09-07 2:18 UTC
To: refpolicy

I know this might sound stupid, but check and make sure /etc/selinux/config is in permissive as well. E.g., a few months ago I couldn't boot because of having that file in enforcing.

Justin P. Mattock

On Sep 6, 2008, at 5:36 PM, Hong <kindloaf@gmail.com> wrote:

> Hi,
>
> I downloaded the source of refpolicy in Hardy. (`apt-get source
> refpolicy`). I compiled the policy and loaded it. And then I
> rebooted the system with PERMISSIVE mode. (add `enforcing=0` in the
> kernel options when booting)
>
> Now I cannot log in to the system remotely using ssh. Note that the
> system is in PERMISSIVE mode! (`getenforce` returns `Permissive`).
> Every time I tried `ssh my_host_name` and entered the correct password,
> the client side shows
> "Read from remote host my_host_name: Connection reset by peer
> Connection to my_host_name."
>
> And after each unsuccessful login, the /var/log/audit/audit.log file
> on the server added a line:
> "type=ANOM_ABEND msg=audit(1220746818.492:93): audit=4294967295
> uid=1000 gid=1000 subj=system_u:system_r:sysadm_t pid=4713
> comm="sshd" sig=6"
>
> By the way, when I use `make load` to load the policy, there is a
> one-line error message
> '[19691.816572] secuirty; context system-u;system-r;sysadm-mail-t is
> invalid'
>
> I am not quite familiar with the messages. Can anyone help me to
> see what's going on?
>
> Thanks,
> Hong

* [refpolicy] Cannot use SSH with Refpolicy in Ubuntu Hardy
From: Hong @ 2008-09-07 2:57 UTC
To: refpolicy

Thanks for your reply, Justin.

I just changed the line `SELINUX=enforcing` to `SELINUX=permissive` and rebooted the system.

After reboot, I checked `getenforce` and it returned `permissive`.

But still I cannot ssh to the machine remotely...
After each try with a correct password, /var/log/message doesn't grow but /var/log/audit/audit.log grows with one line.
If I tried with an incorrect password, neither of the two log files changed.

Hong

On Sat, Sep 6, 2008 at 10:18 PM, Justin P. Mattock <justinmattock@gmail.com> wrote:

> I know this might sound stupid, but
> check and make sure /etc/selinux/config is in permissive
> as well. E.g., a few months ago I couldn't boot because of having that file
> in enforcing.
>
> Justin P. Mattock
>
> On Sep 6, 2008, at 5:36 PM, Hong <kindloaf@gmail.com> wrote:
>
>> Hi,
>>
>> I downloaded the source of refpolicy in Hardy. (`apt-get source
>> refpolicy`). I compiled the policy and loaded it. And then I rebooted the
>> system with PERMISSIVE mode. (add `enforcing=0` in the kernel options when
>> booting)
>>
>> Now I cannot log in to the system remotely using ssh. Note that the system is
>> in PERMISSIVE mode! (`getenforce` returns `Permissive`). Every time I tried
>> `ssh my_host_name` and entered the correct password, the client side shows
>> "Read from remote host my_host_name: Connection reset by peer
>> Connection to my_host_name."
>>
>> And after each unsuccessful login, the /var/log/audit/audit.log file on
>> the server added a line:
>> "type=ANOM_ABEND msg=audit(1220746818.492:93): audit=4294967295 uid=1000
>> gid=1000 subj=system_u:system_r:sysadm_t pid=4713 comm="sshd" sig=6"
>>
>> By the way, when I use `make load` to load the policy, there is a one-line
>> error message
>> '[19691.816572] secuirty; context system-u;system-r;sysadm-mail-t is
>> invalid'
>>
>> I am not quite familiar with the messages. Can anyone help me to see
>> what's going on?
>>
>> Thanks,
>> Hong

* [refpolicy] Cannot use SSH with Refpolicy in Ubuntu Hardy
From: Justin P. Mattock @ 2008-09-07 3:32 UTC
To: refpolicy

Hmm, a few days ago I was able to ssh into a machine that was in permissive without any issues, except for making sure tcpwrappers were set right (/etc/host.*); but couldn't into the machine that was in full enforcement (didn't spend too much time though); maybe xorg needs adjusting. Anyways, check /etc/host.* aren't blocking anything, as well as /etc/ssh/config is set right.

Justin P. Mattock

On Sep 6, 2008, at 7:57 PM, Hong <kindloaf@gmail.com> wrote:

> Thanks for your reply, Justin.
>
> I just changed the line `SELINUX=enforcing` to `SELINUX=permissive`
> and rebooted the system.
>
> After reboot, I checked `getenforce` and it returned `permissive`.
>
> But still I cannot ssh to the machine remotely...
> After each try with a correct password, /var/log/message doesn't
> grow but /var/log/audit/audit.log grows with one line.
> If I tried with an incorrect password, neither of the two log files
> changed.
>
> Hong
>
> On Sat, Sep 6, 2008 at 10:18 PM, Justin P. Mattock <justinmattock@gmail.com> wrote:
>
>> I know this might sound stupid, but
>> check and make sure /etc/selinux/config is in permissive
>> as well. E.g., a few months ago I couldn't boot because of having
>> that file in enforcing.
>>
>> Justin P. Mattock
>>
>> On Sep 6, 2008, at 5:36 PM, Hong <kindloaf@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I downloaded the source of refpolicy in Hardy. (`apt-get source
>>> refpolicy`). I compiled the policy and loaded it. And then I
>>> rebooted the system with PERMISSIVE mode. (add `enforcing=0` in the
>>> kernel options when booting)
>>>
>>> Now I cannot log in to the system remotely using ssh. Note that the
>>> system is in PERMISSIVE mode! (`getenforce` returns `Permissive`).
>>> Every time I tried `ssh my_host_name` and entered the correct password,
>>> the client side shows
>>> "Read from remote host my_host_name: Connection reset by peer
>>> Connection to my_host_name."
>>>
>>> And after each unsuccessful login, the /var/log/audit/audit.log file
>>> on the server added a line:
>>> "type=ANOM_ABEND msg=audit(1220746818.492:93): audit=4294967295
>>> uid=1000 gid=1000 subj=system_u:system_r:sysadm_t pid=4713
>>> comm="sshd" sig=6"
>>>
>>> By the way, when I use `make load` to load the policy, there is a
>>> one-line error message
>>> '[19691.816572] secuirty; context system-u;system-r;sysadm-mail-t is
>>> invalid'
>>>
>>> I am not quite familiar with the messages. Can anyone help me to
>>> see what's going on?
>>>
>>> Thanks,
>>> Hong

* [refpolicy] Cannot use SSH with Refpolicy in Ubuntu Hardy
From: Václav Ovsík @ 2008-09-08 6:25 UTC
To: refpolicy

On Sat, Sep 06, 2008 at 10:57:26PM -0400, Hong wrote:
> Thanks for your reply, Justin.
>
> I just changed the line `SELINUX=enforcing` to `SELINUX=permissive` and
> rebooted the system.
>
> After reboot, I checked `getenforce` and it returned `permissive`.
>
> But still I cannot ssh to the machine remotely...
> After each try with a correct password, /var/log/message doesn't grow but
> /var/log/audit/audit.log grows with one line.
> If I tried with an incorrect password, neither of the two log files changed.

Did you relabel the file system?
If you have some SE Linux problem (denials), sshd may fail even in permissive mode, because it is an SE Linux aware application and it can choose a different code flow with SE Linux enabled. Running the system in permissive mode is not the same as running the system with SE Linux switched off. I observed this sshd problem too.

Regards
--
Zito

* [refpolicy] Cannot use SSH with Refpolicy in Ubuntu Hardy
From: Justin Mattock @ 2008-09-08 20:39 UTC
To: refpolicy

On Sun, Sep 7, 2008 at 11:25 PM, Václav Ovsík <vaclav.ovsik@i.cz> wrote:
> On Sat, Sep 06, 2008 at 10:57:26PM -0400, Hong wrote:
>> Thanks for your reply, Justin.
>>
>> I just changed the line `SELINUX=enforcing` to `SELINUX=permissive` and
>> rebooted the system.
>>
>> After reboot, I checked `getenforce` and it returned `permissive`.
>>
>> But still I cannot ssh to the machine remotely...
>> After each try with a correct password, /var/log/message doesn't grow but
>> /var/log/audit/audit.log grows with one line.
>> If I tried with an incorrect password, neither of the two log files changed.
>
> Did you relabel the file system?
> If you have some SE Linux problem (denials), sshd may fail even in
> permissive mode, because it is an SE Linux aware application and it can
> choose a different code flow with SE Linux enabled. Running the system in
> permissive mode is not the same as running the system with SE Linux
> switched off. I observed this sshd problem too.
> Regards
> --
> Zito

I'm wondering if he disabled SELinux completely, just to isolate the issue.

--
Justin P. Mattock

* [refpolicy] [ubuntu-hardened] Cannot use SSH with Refpolicy in Ubuntu Hardy
From: Matt Anderson @ 2008-09-11 19:30 UTC
To: refpolicy

Hong wrote:
> I downloaded the source of refpolicy in Hardy. (`apt-get source
> refpolicy`). I compiled the policy and loaded it. And then I rebooted
> the system with PERMISSIVE mode. (add `enforcing=0` in the kernel
> options when booting)
>
> Now I cannot log in to the system remotely using ssh. Note that the system
> is in PERMISSIVE mode! (`getenforce` returns `Permissive`). Every time I
> tried `ssh my_host_name` and entered the correct password, the client side
> shows
> "Read from remote host my_host_name: Connection reset by peer
> Connection to my_host_name."
>
> And after each unsuccessful login, the /var/log/audit/audit.log file on
> the server added a line:
> "type=ANOM_ABEND msg=audit(1220746818.492:93): audit=4294967295 uid=1000
> gid=1000 subj=system_u:system_r:sysadm_t pid=4713 comm="sshd" sig=6"

The way I read this is the sshd process ended with signal 6, which is Abort. The type ANOM_ABEND I think decodes to Anomalous - Abnormal End.

> By the way, when I use `make load` to load the policy, there is a
> one-line error message
> '[19691.816572] secuirty; context system-u;system-r;sysadm-mail-t is
> invalid'

I suspect this is closer to where your problem lies. For one, I'd expect underscores instead of dashes in the context. I'd try removing and trying to rebuild and install the policy cleanly.

Is it possible to get a pre-built policy for Hardy? It might be useful to see if the problem exists there as well.

-matt

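
Matt Anderson's reading of the audit record and of the rejected context, worked through as an added example that is not part of the thread: the Python below parses the ANOM_ABEND line quoted above, decodes its signal and subject context, and checks a context string against the `user_u:role_r:type_t` naming convention. That convention is an assumption about refpolicy-style names, and the function names are hypothetical.

```python
import re
import signal
from datetime import datetime, timezone

# Audit record and rejected context exactly as quoted in the thread.
AUDIT_LINE = ('type=ANOM_ABEND msg=audit(1220746818.492:93): audit=4294967295 '
              'uid=1000 gid=1000 subj=system_u:system_r:sysadm_t pid=4713 '
              'comm="sshd" sig=6')
LOAD_ERROR_CONTEXT = 'system-u;system-r;sysadm-mail-t'

HEADER = re.compile(r'type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: refpolicy-style names (user_u:role_r:type_t, optional MLS range).
NAME = r'[a-z][a-z0-9_]*'
CONTEXT = re.compile(rf'^{NAME}_u:{NAME}_r:{NAME}_t(:\S+)?$')

def parse_audit(line):
    """Split one audit.log line into type, UTC time, serial and key=value fields."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError('not an audit record: %r' % line)
    rtype, secs, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    when = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    return {'type': rtype, 'time': when, 'serial': int(serial), 'fields': fields}

def describe_abend(rec):
    """Summarise an ANOM_ABEND record: which process died, on what signal, in what domain."""
    if rec['type'] != 'ANOM_ABEND':
        raise ValueError('expected ANOM_ABEND, got ' + rec['type'])
    f = rec['fields']
    user, role, setype = f['subj'].split(':')[:3]
    return {'comm': f['comm'], 'pid': int(f['pid']), 'when': rec['time'].isoformat(),
            'signal': signal.Signals(int(f['sig'])).name,
            'se_user': user, 'se_role': role, 'se_type': setype}

def context_problems(ctx):
    """Return the reasons a context string departs from the assumed convention."""
    problems = []
    if ';' in ctx:
        problems.append("';' used as field separator instead of ':'")
    if '-' in ctx:
        problems.append("'-' in a name where '_' is expected")
    if not CONTEXT.match(ctx):
        problems.append('does not match user_u:role_r:type_t')
    return problems

if __name__ == '__main__':
    print(describe_abend(parse_audit(AUDIT_LINE)), context_problems(LOAD_ERROR_CONTEXT))
```

The subject context in the audit record passes the check, while the context string from the `make load` message fails on all three counts.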