From: justinmattock@gmail.com (Justin P. Mattock)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] sshd and run_init
Date: Thu, 24 Jun 2010 10:19:28 -0700
Message-ID: <4C2393A0.2000605@gmail.com>
In-Reply-To: <4C2384C4.9020602@gmail.com>

On 06/24/2010 09:16 AM, Dominick Grift wrote:
> On 06/24/2010 06:10 PM, Justin P. Mattock wrote:
>> On 06/24/2010 09:04 AM, Dominick Grift wrote:
>>> On 06/24/2010 04:43 PM, Justin P. Mattock wrote:
>>>> quick question.. just set up sshd as a test with ipsec
>>>> (everything seems to be running o.k. with the latest policy).
>>>> the question I have is how do I run run_init to turn this service on and
>>>> off?
>>>> right now the current role is staff_r
>>>> any links pointing to the right direction would be appreciated..
>>>
>>> newrole -r sysadm_r
>>> su
>>> run_init /etc/rc.d/init.d/sshd start
>>>
>>> Does that work?
>>
>> I'll try that out and see.. last I remember though staff_r can't go into
>> sysadm_r (but this was about a year ago I tried). I'll see and post back.
>
> so map sysadm_r to staff_u or do newrole -r unconfined_r instead.
>
>> Justin P. Mattock
>
>

maybe I have a mislabel, and/or polyinstantiation is messed up somewhere
on this machine. seems I keep getting the same avc generated even after
allowing. using the above procedure gives me these allow rules:

#============= sysadm_su_t ==============
allow sysadm_su_t user_home_dir_t:dir { write search add_name };

#============= xauth_t ==============
allow xauth_t user_home_dir_t:dir { write search add_name };

(maybe a boolean needs to be enabled?!!)


and the avc's are as is:


[   51.954501] type=1100 audit(1277399132.954:12): user pid=2291 
uid=1000 auid=1000 ses=1 subj=name:staff_r:chkpwd_t:s0 
msg='op=PAM:unix_chkpwd acct="name" exe="/lib/security/unix_chkpwd" 
hostname=? addr=? terminal=? res=success'
[   85.796478] type=1100 audit(1277399166.795:13): user pid=2329 
uid=1000 auid=1000 ses=1 subj=name:staff_r:chkpwd_t:s0 
msg='op=PAM:unix_chkpwd acct="name" exe="/lib/security/unix_chkpwd" 
hostname=? addr=? terminal=? res=success'
[   90.515361] type=1100 audit(1277399171.514:14): user pid=2336 
uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0 
msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? 
terminal=/dev/pts/0 res=success'
[   90.523846] type=1101 audit(1277399171.522:15): user pid=2336 
uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0 
msg='op=PAM:accounting acct="root" exe="/bin/su" hostname=? addr=? 
terminal=/dev/pts/0 res=success'
[   90.526476] type=1400 audit(1277399171.525:16): avc:  denied  { 
search } for  pid=2336 comm="su" name="root" dev=sda3 ino=3447 
scontext=name:sysadm_r:sysadm_su_t:s0 
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   90.526639] type=1300 audit(1277399171.525:16): arch=c000003e 
syscall=4 success=no exit=-2 a0=616b90 a1=7fff7e52abc0 a2=7fff7e52abc0 
a3=20 items=0 ppid=2331 pid=2336 auid=1000 uid=1000 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="su" exe="/bin/su" 
subj=name:sysadm_r:sysadm_su_t:s0 key=(null)
[   90.526850] type=1103 audit(1277399171.525:17): user pid=2336 
uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0 
msg='op=PAM:setcred acct="root" exe="/bin/su" hostname=? addr=? 
terminal=/dev/pts/0 res=success'
[   92.344367] type=1400 audit(1277399173.344:18): avc:  denied  { write 
} for  pid=2336 comm="su" name="root" dev=sda3 ino=3447 
scontext=name:sysadm_r:sysadm_su_t:s0 
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.344411] type=1400 audit(1277399173.344:18): avc:  denied  { 
add_name } for  pid=2336 comm="su" name=".xauthzzG3Kx" 
scontext=name:sysadm_r:sysadm_su_t:s0 
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.344736] type=1300 audit(1277399173.344:18): arch=c000003e 
syscall=2 success=yes exit=4 a0=619d3b a1=c2 a2=180 a3=132b1 items=0 
ppid=2331 pid=2336 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=pts0 ses=1 comm="su" exe="/bin/su" 
subj=name:sysadm_r:sysadm_su_t:s0 key=(null)
[   92.349846] type=1400 audit(1277399173.349:19): avc:  denied  { 
search } for  pid=2343 comm="xauth" name="root" dev=sda3 ino=3447 
scontext=name:sysadm_r:xauth_t:s0 
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.350105] type=1300 audit(1277399173.349:19): arch=c000003e 
syscall=4 success=no exit=-2 a0=7fff2223b7e0 a1=7fff2223bbf0 
a2=7fff2223bbf0 a3=0 items=0 ppid=2336 pid=2343 auid=1000 uid=0 gid=0 
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xauth" 
exe="/usr/bin/xauth" subj=name:sysadm_r:xauth_t:s0 key=(null)
[   92.350215] type=1400 audit(1277399173.349:20): avc:  denied  { write 
} for  pid=2343 comm="xauth" name="root" dev=sda3 ino=3447 
scontext=name:sysadm_r:xauth_t:s0 
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.350267] type=1400 audit(1277399173.349:20): avc:  denied  { 
add_name } for  pid=2343 comm="xauth" name=".xauthzzG3Kx-c" 
scontext=name:sysadm_r:xauth_t:s0 
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.350526] type=1300 audit(1277399173.349:20): arch=c000003e 
syscall=2 success=yes exit=2 a0=7fff2223b7e0 a1=c1 a2=180 a3=0 items=0 
ppid=2336 pid=2343 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=pts0 ses=1 comm="xauth" exe="/usr/bin/xauth" 
subj=name:sysadm_r:xauth_t:s0 key=(null)
[   92.351503] type=1400 audit(1277399173.351:21): avc:  denied  { 
remove_name } for  pid=2343 comm="xauth" name=".xauthzzG3Kx" dev=sda3 
ino=592 scontext=name:sysadm_r:xauth_t:s0 
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.351704] type=1300 audit(1277399173.351:21): arch=c000003e 
syscall=87 success=yes exit=0 a0=609010 a1=7f79faa5ae60 a2=ecf 
a3=7f79faa5aeb0 items=0 ppid=2336 pid=2343 auid=1000 uid=0 gid=0 euid=0 
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xauth" 
exe="/usr/bin/xauth" subj=name:sysadm_r:xauth_t:s0 key=(null)
[   92.352825] type=1105 audit(1277399173.352:22): user pid=2336 
uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0 
msg='op=PAM:session_open acct="root" exe="/bin/su" hostname=? addr=? 
terminal=/dev/pts/0 res=success'
[   98.353197] type=1100 audit(1277399179.352:23): user pid=2348 uid=0 
auid=1000 ses=1 subj=name:sysadm_r:run_init_t:s0 
msg='op=PAM:authentication acct="name" exe="/usr/sbin/run_init" 
hostname=? addr=? terminal=pts/0 res=success'
[   98.359986] type=1101 audit(1277399179.358:24): user pid=2348 uid=0 
auid=1000 ses=1 subj=name:sysadm_r:run_init_t:s0 msg='op=PAM:accounting 
acct="name" exe="/usr/sbin/run_init" hostname=? addr=? terminal=pts/0 
res=success'
[  105.288236] type=1400 audit(1277399186.287:25): avc:  denied  { 
remove_name } for  pid=2336 comm="su" name=".xauthzzG3Kx" dev=sda3 
ino=594 scontext=name:sysadm_r:sysadm_su_t:s0 
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[  105.288511] type=1300 audit(1277399186.287:25): arch=c000003e 
syscall=87 success=yes exit=0 a0=617f50 a1=7f8ee314aa6a a2=619d60 
a3=7f8ee5316cb0 items=0 ppid=2331 pid=2336 auid=1000 uid=0 gid=0 euid=0 
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="su" 
exe="/bin/su" subj=name:sysadm_r:sysadm_su_t:s0 key=(null)
[  105.288750] type=1106 audit(1277399186.288:26): user pid=2336 uid=0 
auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0 
msg='op=PAM:session_close acct="root" exe="/bin/su" hostname=? addr=? 
terminal=/dev/pts/0 res=success'
[  115.032652] type=1100 audit(1277399196.031:27): user pid=2392 
uid=1000 auid=1000 ses=1 subj=name:sysadm_r:chkpwd_t:s0 
msg='op=PAM:unix_chkpwd acct="name" exe="/lib/security/unix_chkpwd" 
hostname=? addr=? terminal=? res=success'


worst case scenario is I just boot into permissive mode, disable sshd
and not even worry about su/sudo...
(just being a lazy admin...)

Justin P. Mattock
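Added example, not part of the thread or of refpolicy: a small Python parser that turns AVC denial records like the ones above into audit2allow-style allow rules, and separately lists which object each denial was actually for, so the label on that object can be checked before any rule is loaded. The sample input is constructed from the thread's own AVC lines, re-joined onto one line each.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denials from the thread above, re-joined
# onto one line each (the mail client had wrapped them), plus one
# SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AVCS = """\
type=1400 audit(1277399171.525:16): avc:  denied  { search } for  pid=2336 comm="su" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1277399173.344:18): avc:  denied  { write } for  pid=2336 comm="su" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1277399173.344:18): avc:  denied  { add_name } for  pid=2336 comm="su" name=".xauthzzG3Kx" scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=1300 audit(1277399173.344:18): arch=c000003e syscall=2 success=yes exit=4 comm="su" exe="/bin/su"
type=1400 audit(1277399173.349:19): avc:  denied  { search } for  pid=2343 comm="xauth" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1277399173.349:20): avc:  denied  { write } for  pid=2343 comm="xauth" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1277399173.349:20): avc:  denied  { add_name } for  pid=2343 comm="xauth" name=".xauthzzG3Kx-c" scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial record; return None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:range]; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def allow_rules(text):
    """Merge denials into audit2allow-style allow rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            perms[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]

def denied_objects(text):
    """Distinct (process, object name, target context) the denials refer to.
    Look at these before loading a rule: if the object's label is not what the
    policy expects for that path, the fix is a relabel, not an allow rule."""
    return sorted({(r['comm'], r['name'], r['tcontext'])
                   for r in map(parse_avc, text.splitlines()) if r})
```

On the thread's input every denial targets name="root" or the temporary .xauth file under it, all carrying user_home_dir_t, which is the label to compare against what the policy's file contexts expect for that directory before choosing between a relabel and a policy change.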
