* Re: SElinux troubles
       [not found]                   ` <4AC118EC.6090707@cora.nwra.com>
@ 2009-09-28 20:17                     ` Daniel J Walsh
  2009-09-28 20:22                       ` Stephen Smalley
  0 siblings, 1 reply; 6+ messages in thread
From: Daniel J Walsh @ 2009-09-28 20:17 UTC (permalink / raw)
  To: Orion Poplawski, SE Linux

On 09/28/2009 04:13 PM, Orion Poplawski wrote:
> On 09/28/2009 01:03 PM, Daniel J Walsh wrote:
>> On 09/22/2009 11:49 AM, Orion Poplawski wrote:
>>> On 09/22/2009 09:12 AM, Daniel J Walsh wrote:
>>>> On 09/22/2009 07:25 AM, Orion Poplawski wrote:
>>>>> On 09/21/2009 08:32 PM, Daniel J Walsh wrote:
>>>>>> Do you have labels on the rest of the system?  Do you have seedit
>>>>>> installed?
>>>>>
>>>>> Yes, e.g.:
>>>>>
>>>>> # ls -Za /etc/ssh
>>>>> drwxr-xr-x  root root system_u:object_r:etc_t          .
>>>>> drwxr-xr-x  root root system_u:object_r:etc_t          ..
>>>>> -rw-------  root root system_u:object_r:etc_t          moduli
>>>>> -rw-r--r--  root root user_u:object_r:etc_t            ssh_config
>>>>> -rw-------  root root system_u:object_r:etc_t          sshd_config
>>>>> -rw-------  root root system_u:object_r:sshd_key_t     ssh_host_dsa_key
>>>>> -rw-r--r--  root root root:object_r:etc_t              ssh_host_dsa_key.pub
>>>>> -rw-------  root root system_u:object_r:sshd_key_t     ssh_host_key
>>>>> -rw-r--r--  root root root:object_r:etc_t              ssh_host_key.pub
>>>>> -rw-------  root root system_u:object_r:sshd_key_t     ssh_host_rsa_key
>>>>> -rw-r--r--  root root root:object_r:etc_t              ssh_host_rsa_key.pub
>>>>> -rw-r--r--  root root user_u:object_r:etc_t            ssh_known_hosts
>>>>>
>>>>> Don't appear to have seedit, never heard of it.
>>>>>
>>>> Right now as root you execute
>>>>
>>>> # chcon system_u:object_r:etc_t:s0 /etc/ssh
>>>>
>>>> It gives you an error?
>>>
>>> yup.
>>>
>>> # chcon system_u:object_r:etc_t:s0 /etc/ssh
>>> chcon: failed to change context of /etc/ssh to
>>> system_u:object_r:etc_t:s0: Operation not permitted
>>>
>> Just back from linuxcon.  Can we bring this to the list?
>>
> 
> Definitely, which one?
> 
> 
SE Linux <selinux@tycho.nsa.gov>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SElinux troubles
  2009-09-28 20:17                     ` SElinux troubles Daniel J Walsh
@ 2009-09-28 20:22                       ` Stephen Smalley
       [not found]                         ` <4AC12227.1070006@cora.nwra.com>
  0 siblings, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2009-09-28 20:22 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Orion Poplawski, SE Linux

On Mon, 2009-09-28 at 16:17 -0400, Daniel J Walsh wrote:
> On 09/28/2009 04:13 PM, Orion Poplawski wrote:
> > On 09/28/2009 01:03 PM, Daniel J Walsh wrote:
> >> On 09/22/2009 11:49 AM, Orion Poplawski wrote:
> >>> On 09/22/2009 09:12 AM, Daniel J Walsh wrote:
> >>>> On 09/22/2009 07:25 AM, Orion Poplawski wrote:
> >>>>> On 09/21/2009 08:32 PM, Daniel J Walsh wrote:
> >>>>>> Do you have labels on the rest of the system?  Do you have seedit
> >>>>>> installed?
> >>>>>
> >>>>> Yes, e.g.:
> >>>>>
> >>>>> # ls -Za /etc/ssh
> >>>>> drwxr-xr-x  root root system_u:object_r:etc_t          .
> >>>>> drwxr-xr-x  root root system_u:object_r:etc_t          ..
> >>>>> -rw-------  root root system_u:object_r:etc_t          moduli
> >>>>> -rw-r--r--  root root user_u:object_r:etc_t            ssh_config
> >>>>> -rw-------  root root system_u:object_r:etc_t          sshd_config
> >>>>> -rw-------  root root system_u:object_r:sshd_key_t     ssh_host_dsa_key
> >>>>> -rw-r--r--  root root root:object_r:etc_t              ssh_host_dsa_key.pub
> >>>>> -rw-------  root root system_u:object_r:sshd_key_t     ssh_host_key
> >>>>> -rw-r--r--  root root root:object_r:etc_t              ssh_host_key.pub
> >>>>> -rw-------  root root system_u:object_r:sshd_key_t     ssh_host_rsa_key
> >>>>> -rw-r--r--  root root root:object_r:etc_t              ssh_host_rsa_key.pub
> >>>>> -rw-r--r--  root root user_u:object_r:etc_t            ssh_known_hosts
> >>>>>
> >>>>> Don't appear to have seedit, never heard of it.
> >>>>>
> >>>> Right now as root you execute
> >>>>
> >>>> # chcon system_u:object_r:etc_t:s0 /etc/ssh
> >>>>
> >>>> It gives you an error?
> >>>
> >>> yup.
> >>>
> >>> # chcon system_u:object_r:etc_t:s0 /etc/ssh
> >>> chcon: failed to change context of /etc/ssh to
> >>> system_u:object_r:etc_t:s0: Operation not permitted

I think I'm missing context for this discussion.  But it might help to
know:
1) Output of id command,
2) Policy type that is being used (targeted, mls, ...?)
3) Policy version
4) Kernel version

-- 
Stephen Smalley
National Security Agency



* Re: SElinux troubles
       [not found]                         ` <4AC12227.1070006@cora.nwra.com>
@ 2009-09-29 11:59                           ` Stephen Smalley
  2009-09-29 12:03                             ` Daniel J Walsh
       [not found]                             ` <4AC21A88.1020109@cora.nwra.com>
  0 siblings, 2 replies; 6+ messages in thread
From: Stephen Smalley @ 2009-09-29 11:59 UTC (permalink / raw)
  To: Orion Poplawski; +Cc: Daniel J Walsh, SE Linux

On Mon, 2009-09-28 at 14:52 -0600, Orion Poplawski wrote:
> On 09/28/2009 02:22 PM, Stephen Smalley wrote:
> > On Mon, 2009-09-28 at 16:17 -0400, Daniel J Walsh wrote:
> >> On 09/28/2009 04:13 PM, Orion Poplawski wrote:
> >>> On 09/28/2009 01:03 PM, Daniel J Walsh wrote:
> >>>> On 09/22/2009 11:49 AM, Orion Poplawski wrote:
> >>>>> On 09/22/2009 09:12 AM, Daniel J Walsh wrote:
> >>>>>> On 09/22/2009 07:25 AM, Orion Poplawski wrote:
> >>>>>>> On 09/21/2009 08:32 PM, Daniel J Walsh wrote:
> >>>>>>>> Do you have labels on the rest of the system?  Do you have seedit
> >>>>>>>> installed?
> >>>>>>>
> >>>>>>> Yes, e.g.:
> >>>>>>>
> >>>>>>> # ls -Za /etc/ssh
> >>>>>>> drwxr-xr-x  root root system_u:object_r:etc_t          .
> >>>>>>> drwxr-xr-x  root root system_u:object_r:etc_t          ..
> >>>>>>> -rw-------  root root system_u:object_r:etc_t          moduli
> >>>>>>> -rw-r--r--  root root user_u:object_r:etc_t            ssh_config
> >>>>>>> -rw-------  root root system_u:object_r:etc_t          sshd_config
> >>>>>>> -rw-------  root root system_u:object_r:sshd_key_t     ssh_host_dsa_key
> >>>>>>> -rw-r--r--  root root root:object_r:etc_t              ssh_host_dsa_key.pub
> >>>>>>> -rw-------  root root system_u:object_r:sshd_key_t     ssh_host_key
> >>>>>>> -rw-r--r--  root root root:object_r:etc_t              ssh_host_key.pub
> >>>>>>> -rw-------  root root system_u:object_r:sshd_key_t     ssh_host_rsa_key
> >>>>>>> -rw-r--r--  root root root:object_r:etc_t              ssh_host_rsa_key.pub
> >>>>>>> -rw-r--r--  root root user_u:object_r:etc_t            ssh_known_hosts
> >>>>>>>
> >>>>>>> Don't appear to have seedit, never heard of it.
> >>>>>>>
> >>>>>> Right now as root you execute
> >>>>>>
> >>>>>> # chcon system_u:object_r:etc_t:s0 /etc/ssh
> >>>>>>
> >>>>>> It gives you an error?
> >>>>>
> >>>>> yup.
> >>>>>
> >>>>> # chcon system_u:object_r:etc_t:s0 /etc/ssh
> >>>>> chcon: failed to change context of /etc/ssh to
> >>>>> system_u:object_r:etc_t:s0: Operation not permitted
> >
> > I think I'm missing context for this discussion.  But it might help to
> > know:
> > 1) Output of id command,
> > 2) Policy type that is being used (targeted, mls, ...?)
> > 3) Policy version
> > 4) Kernel version
> >
> 
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=user_u:system_r:unconfined_t

Dan, is this supposed to be user_u:system_r in RHEL5?  Or should it be
unconfined_u:unconfined_r as in current Fedora?

Do you get any avc denial in /var/log/audit/audit.log
or /var/log/messages?  If so, what does audit2why say about it?

> selinux-policy-targeted-2.4.6-257.el5
> 
> 2.6.18-128.7.1.el5
> 
> Basically, I'm running CentOS 5.3, but with Dan Walsh's selinux 
> repository enabled.  For some reason it appears to be preventing the 
> above labeling operation, which is happening during the installation of 
> openssh:
> 
>    Installing     : openssh                                           [1/5]
> Error unpacking rpm package openssh-4.3p2-36.el5.i386
> error: unpacking of archive failed on file /etc/ssh: cpio: lsetfilecon
> 
> 
> I probably should reboot to 2.6.18-164.el5 soon, but am kind of scared 
> due to the intermediate state of openssh.

-- 
Stephen Smalley
National Security Agency



* Re: SElinux troubles
  2009-09-29 11:59                           ` Stephen Smalley
@ 2009-09-29 12:03                             ` Daniel J Walsh
       [not found]                             ` <4AC21A88.1020109@cora.nwra.com>
  1 sibling, 0 replies; 6+ messages in thread
From: Daniel J Walsh @ 2009-09-29 12:03 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Orion Poplawski, SE Linux

On 09/29/2009 07:59 AM, Stephen Smalley wrote:
> On Mon, 2009-09-28 at 14:52 -0600, Orion Poplawski wrote:
>> On 09/28/2009 02:22 PM, Stephen Smalley wrote:
>>> On Mon, 2009-09-28 at 16:17 -0400, Daniel J Walsh wrote:
>>>> On 09/28/2009 04:13 PM, Orion Poplawski wrote:
>>>>> On 09/28/2009 01:03 PM, Daniel J Walsh wrote:
>>>>>> On 09/22/2009 11:49 AM, Orion Poplawski wrote:
>>>>>>> On 09/22/2009 09:12 AM, Daniel J Walsh wrote:
>>>>>>>> On 09/22/2009 07:25 AM, Orion Poplawski wrote:
>>>>>>>>> On 09/21/2009 08:32 PM, Daniel J Walsh wrote:
>>>>>>>>>> Do you have labels on the rest of the system?  Do you have seedit
>>>>>>>>>> installed?
>>>>>>>>>
>>>>>>>>> Yes, e.g.:
>>>>>>>>>
>>>>>>>>> # ls -Za /etc/ssh
>>>>>>>>> drwxr-xr-x  root root system_u:object_r:etc_t          .
>>>>>>>>> drwxr-xr-x  root root system_u:object_r:etc_t          ..
>>>>>>>>> -rw-------  root root system_u:object_r:etc_t          moduli
>>>>>>>>> -rw-r--r--  root root user_u:object_r:etc_t            ssh_config
>>>>>>>>> -rw-------  root root system_u:object_r:etc_t          sshd_config
>>>>>>>>> -rw-------  root root system_u:object_r:sshd_key_t     ssh_host_dsa_key
>>>>>>>>> -rw-r--r--  root root root:object_r:etc_t              ssh_host_dsa_key.pub
>>>>>>>>> -rw-------  root root system_u:object_r:sshd_key_t     ssh_host_key
>>>>>>>>> -rw-r--r--  root root root:object_r:etc_t              ssh_host_key.pub
>>>>>>>>> -rw-------  root root system_u:object_r:sshd_key_t     ssh_host_rsa_key
>>>>>>>>> -rw-r--r--  root root root:object_r:etc_t              ssh_host_rsa_key.pub
>>>>>>>>> -rw-r--r--  root root user_u:object_r:etc_t            ssh_known_hosts
>>>>>>>>>
>>>>>>>>> Don't appear to have seedit, never heard of it.
>>>>>>>>>
>>>>>>>> Right now as root you execute
>>>>>>>>
>>>>>>>> # chcon system_u:object_r:etc_t:s0 /etc/ssh
>>>>>>>>
>>>>>>>> It gives you an error?
>>>>>>>
>>>>>>> yup.
>>>>>>>
>>>>>>> # chcon system_u:object_r:etc_t:s0 /etc/ssh
>>>>>>> chcon: failed to change context of /etc/ssh to
>>>>>>> system_u:object_r:etc_t:s0: Operation not permitted
>>>
>>> I think I'm missing context for this discussion.  But it might help to
>>> know:
>>> 1) Output of id command,
>>> 2) Policy type that is being used (targeted, mls, ...?)
>>> 3) Policy version
>>> 4) Kernel version
>>>
>>
>> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=user_u:system_r:unconfined_t
> 
> Dan, is this supposed to be user_u:system_r in RHEL5?  Or should it be
> unconfined_u:unconfined_r as in current Fedora?
> 
That is correct for RHEL5.
> Do you get any avc denial in /var/log/audit/audit.log
> or /var/log/messages?  If so, what does audit2why say about it?
> 
Can you apply the context in permissive mode?
If you turn off mcstrans does it succeed?
>> selinux-policy-targeted-2.4.6-257.el5
>>
>> 2.6.18-128.7.1.el5
>>
>> Basically, I'm running CentOS 5.3, but with Dan Walsh's selinux 
>> repository enabled.  For some reason it appears to be preventing the 
>> above labeling operation, which is happening during the installation of 
>> openssh:
>>
>>    Installing     : openssh                                           [1/5]
>> Error unpacking rpm package openssh-4.3p2-36.el5.i386
>> error: unpacking of archive failed on file /etc/ssh: cpio: lsetfilecon
>>
>>
>> I probably should reboot to 2.6.18-164.el5 soon, but am kind of scared 
>> due to the intermediate state of openssh.
> 



* Re: SElinux troubles
       [not found]                             ` <4AC21A88.1020109@cora.nwra.com>
@ 2009-09-29 19:06                               ` Daniel J Walsh
       [not found]                                 ` <4AC26781.20707@cora.nwra.com>
  0 siblings, 1 reply; 6+ messages in thread
From: Daniel J Walsh @ 2009-09-29 19:06 UTC (permalink / raw)
  To: Orion Poplawski; +Cc: Stephen Smalley, SE Linux

On 09/29/2009 10:32 AM, Orion Poplawski wrote:
> On 09/29/2009 05:59 AM, Stephen Smalley wrote:
>> Do you get any avc denial in /var/log/audit/audit.log
>> or /var/log/messages?  If so, what does audit2why say about it?
> 
> No denial messages.
> 
Any chance you have an ACL set on this directory, or is it immutable?

lsattr /etc/ssh



* Re: SElinux troubles
       [not found]                                 ` <4AC26781.20707@cora.nwra.com>
@ 2009-09-29 20:18                                   ` Daniel J Walsh
  0 siblings, 0 replies; 6+ messages in thread
From: Daniel J Walsh @ 2009-09-29 20:18 UTC (permalink / raw)
  To: Orion Poplawski; +Cc: Stephen Smalley, SE Linux

On 09/29/2009 04:01 PM, Orion Poplawski wrote:
> On 09/29/2009 01:06 PM, Daniel J Walsh wrote:
>> On 09/29/2009 10:32 AM, Orion Poplawski wrote:
>>> On 09/29/2009 05:59 AM, Stephen Smalley wrote:
>>>> Do you get any avc denial in /var/log/audit/audit.log
>>>> or /var/log/messages?  If so, what does audit2why say about it?
>>>
>>> No denial messages.
>>>
>> Any chance you have an ACL set on this directory, or is it immutable?
>>
>> lsattr /etc/ssh
> 
> That was it:
> 
> # lsattr /etc/ssh
> s---ia------- /etc/ssh/ssh_host_rsa_key.pub
> s---ia------- /etc/ssh/ssh_host_dsa_key.pub
> s---ia------- /etc/ssh/ssh_config
> s---ia------- /etc/ssh/ssh_host_key
> s---ia------- /etc/ssh/sshd_config
> s---ia------- /etc/ssh/moduli
> s---ia------- /etc/ssh/ssh_host_key.pub
> s---ia------- /etc/ssh/ssh_known_hosts
> s---ia------- /etc/ssh/ssh_host_rsa_key
> s---ia------- /etc/ssh/ssh_host_dsa_key
> 
> no idea how these got set as this was the first time I've heard of these
> attributes.
> 
> Thanks!
> 
> -- 
> Orion Poplawski
> Technical Manager                     303-415-9701 x222
> NWRA/CoRA Division                    FAX: 303-415-9702
> 3380 Mitchell Lane                  orion@cora.nwra.com
> Boulder, CO 80301              http://www.cora.nwra.com
And it wasn't even caused by SELinux.  (I hope).
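The failure mode the thread ends on (chcon/lsetfilecon returns "Operation not permitted" but audit.log shows no AVC denial, because the immutable or append-only inode flag stops the xattr write in the VFS before SELinux is consulted) can be triaged mechanically. The following is an added example, not code from the thread or from any of its participants; it assumes only POSIX sh, awk, and the lsattr(1) output format Orion pasted, and the lsattr sample it parses is constructed.

```sh
#!/bin/sh
# Added example: triage a failed SELinux relabel that produced no AVC denial.
# Assumes POSIX sh + awk and the lsattr(1) format "flags path" (one per line).

# Constructed lsattr output modelled on the thread: flag field, then path.
# 'i' = immutable, 'a' = append-only, 's' = secure deletion.
SAMPLE_LSATTR='s---ia------- /etc/ssh/ssh_host_rsa_key.pub
------------- /etc/ssh/ssh_known_hosts
----i-------- /etc/ssh/sshd_config
-----a------- /var/log/secure'

# Print every path whose attribute field contains i or a.  Either flag makes the
# kernel refuse the security.selinux xattr write with EPERM before the SELinux
# hook runs, so nothing is logged to audit.log.  Paths with spaces are not handled.
locked_paths() {
    awk '$1 ~ /[ia]/ { print $2 }'
}

# Number of locked paths in the lsattr output read from stdin.
locked_count() {
    locked_paths | wc -l | tr -d ' '
}

# Classify a relabel attempt from three observations:
#   $1  result of chcon/restorecon: "ok" or "eperm"
#   $2  number of AVC denials for the attempt in audit.log or /var/log/messages
#   $3  lsattr output for the target(s)
# Prints one of: none, policy, attributes, unknown.
relabel_diagnosis() {
    result=$1; avc=$2; lsattr_out=$3
    if [ "$result" = ok ]; then
        echo none
    elif [ "$avc" -gt 0 ]; then
        echo policy       # feed the denial to audit2why; check permissive mode
    elif [ "$(printf '%s\n' "$lsattr_out" | locked_count)" -gt 0 ]; then
        echo attributes   # chattr -ia <path> as root, then repeat the relabel
    else
        echo unknown      # look at read-only mounts, dmesg, mcstrans
    fi
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LSATTR" | locked_paths
relabel_diagnosis eperm 0 "$SAMPLE_LSATTR"
```

On a live RHEL5 box the lsattr input would come from `lsattr /etc/ssh` and the denial count from `ausearch -m avc -ts recent | wc -l`.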

