* [refpolicy] sshd and run_init
@ 2010-06-24 14:43 Justin P. Mattock
From: Justin P. Mattock @ 2010-06-24 14:43 UTC (permalink / raw)
  To: refpolicy

quick question.. just set up sshd as a test with ipsec
(everything seems to be running OK with the latest policy).
the question I have is how do I run run_init to turn this service on and
off?
right now the current role is staff_r
any links pointing in the right direction would be appreciated..

cheers,

Justin P. Mattock


From: Dominick Grift @ 2010-06-24 16:04 UTC (permalink / raw)
  To: refpolicy

On 06/24/2010 04:43 PM, Justin P. Mattock wrote:
> quick question.. just set up sshd as a test with ipsec
> (everything seems to be running OK with the latest policy).
> the question I have is how do I run run_init to turn this service on and
> off?
> right now the current role is staff_r
> any links pointing in the right direction would be appreciated..

newrole -r sysadm_r
su
run_init /etc/rc.d/init.d/sshd start

Does that work?
> cheers,
> 
> Justin P. Mattock
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy




From: Justin P. Mattock @ 2010-06-24 16:10 UTC (permalink / raw)
  To: refpolicy

On 06/24/2010 09:04 AM, Dominick Grift wrote:
> On 06/24/2010 04:43 PM, Justin P. Mattock wrote:
>> quick question.. just set up sshd as a test with ipsec
>> (everything seems to be running OK with the latest policy).
>> the question I have is how do I run run_init to turn this service on and
>> off?
>> right now the current role is staff_r
>> any links pointing in the right direction would be appreciated..
>
> newrole -r sysadm_r
> su
> run_init /etc/rc.d/init.d/sshd start
>
> Does that work?

I'll try that out and see.. last I remember though staff_r can't go into 
sysadm_r (but this was about a year ago I tried). I'll see and post back.

Justin P. Mattock


From: Dominick Grift @ 2010-06-24 16:16 UTC (permalink / raw)
  To: refpolicy

On 06/24/2010 06:10 PM, Justin P. Mattock wrote:
> On 06/24/2010 09:04 AM, Dominick Grift wrote:
>> On 06/24/2010 04:43 PM, Justin P. Mattock wrote:
>>> quick question.. just set up sshd as a test with ipsec
>>> (everything seems to be running OK with the latest policy).
>>> the question I have is how do I run run_init to turn this service on and
>>> off?
>>> right now the current role is staff_r
>>> any links pointing in the right direction would be appreciated..
>>
>> newrole -r sysadm_r
>> su
>> run_init /etc/rc.d/init.d/sshd start
>>
>> Does that work?
> 
> I'll try that out and see.. last I remember though staff_r can't go into
> sysadm_r (but this was about a year ago I tried). I'll see and post back.

so map sysadm_r to staff_u or do newrole -r unconfined_r instead.

> Justin P. Mattock




From: Justin P. Mattock @ 2010-06-24 17:19 UTC (permalink / raw)
  To: refpolicy

On 06/24/2010 09:16 AM, Dominick Grift wrote:
> On 06/24/2010 06:10 PM, Justin P. Mattock wrote:
>> On 06/24/2010 09:04 AM, Dominick Grift wrote:
>>> On 06/24/2010 04:43 PM, Justin P. Mattock wrote:
>>>> quick question.. just set up sshd as a test with ipsec
>>>> (everything seems to be running OK with the latest policy).
>>>> the question I have is how do I run run_init to turn this service on and
>>>> off?
>>>> right now the current role is staff_r
>>>> any links pointing in the right direction would be appreciated..
>>>
>>> newrole -r sysadm_r
>>> su
>>> run_init /etc/rc.d/init.d/sshd start
>>>
>>> Does that work?
>>
>> I'll try that out and see.. last I remember though staff_r can't go into
>> sysadm_r (but this was about a year ago I tried). I'll see and post back.
>
> so map sysadm_r to staff_u or do newrole -r unconfined_r instead.
>
>> Justin P. Mattock
>
>

maybe I have a mislabel, and/or polyinstantiation is messed up somewhere 
on this machine. seems I keep getting the same AVC generated even after 
allowing. using the above procedure gives me these allow rules:

#============= sysadm_su_t ==============
allow sysadm_su_t user_home_dir_t:dir { write search add_name };

#============= xauth_t ==============
allow xauth_t user_home_dir_t:dir { write search add_name };

(maybe a boolean needs to be enabled?!!)


and the AVCs are as follows:


[   51.954501] type=1100 audit(1277399132.954:12): user pid=2291 uid=1000 auid=1000 ses=1 subj=name:staff_r:chkpwd_t:s0 msg='op=PAM:unix_chkpwd acct="name" exe="/lib/security/unix_chkpwd" hostname=? addr=? terminal=? res=success'
[   85.796478] type=1100 audit(1277399166.795:13): user pid=2329 uid=1000 auid=1000 ses=1 subj=name:staff_r:chkpwd_t:s0 msg='op=PAM:unix_chkpwd acct="name" exe="/lib/security/unix_chkpwd" hostname=? addr=? terminal=? res=success'
[   90.515361] type=1100 audit(1277399171.514:14): user pid=2336 uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/0 res=success'
[   90.523846] type=1101 audit(1277399171.522:15): user pid=2336 uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0 msg='op=PAM:accounting acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/0 res=success'
[   90.526476] type=1400 audit(1277399171.525:16): avc:  denied  { search } for  pid=2336 comm="su" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   90.526639] type=1300 audit(1277399171.525:16): arch=c000003e syscall=4 success=no exit=-2 a0=616b90 a1=7fff7e52abc0 a2=7fff7e52abc0 a3=20 items=0 ppid=2331 pid=2336 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="su" exe="/bin/su" subj=name:sysadm_r:sysadm_su_t:s0 key=(null)
[   90.526850] type=1103 audit(1277399171.525:17): user pid=2336 uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0 msg='op=PAM:setcred acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/0 res=success'
[   92.344367] type=1400 audit(1277399173.344:18): avc:  denied  { write } for  pid=2336 comm="su" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.344411] type=1400 audit(1277399173.344:18): avc:  denied  { add_name } for  pid=2336 comm="su" name=".xauthzzG3Kx" scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.344736] type=1300 audit(1277399173.344:18): arch=c000003e syscall=2 success=yes exit=4 a0=619d3b a1=c2 a2=180 a3=132b1 items=0 ppid=2331 pid=2336 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="su" exe="/bin/su" subj=name:sysadm_r:sysadm_su_t:s0 key=(null)
[   92.349846] type=1400 audit(1277399173.349:19): avc:  denied  { search } for  pid=2343 comm="xauth" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.350105] type=1300 audit(1277399173.349:19): arch=c000003e syscall=4 success=no exit=-2 a0=7fff2223b7e0 a1=7fff2223bbf0 a2=7fff2223bbf0 a3=0 items=0 ppid=2336 pid=2343 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xauth" exe="/usr/bin/xauth" subj=name:sysadm_r:xauth_t:s0 key=(null)
[   92.350215] type=1400 audit(1277399173.349:20): avc:  denied  { write } for  pid=2343 comm="xauth" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.350267] type=1400 audit(1277399173.349:20): avc:  denied  { add_name } for  pid=2343 comm="xauth" name=".xauthzzG3Kx-c" scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.350526] type=1300 audit(1277399173.349:20): arch=c000003e syscall=2 success=yes exit=2 a0=7fff2223b7e0 a1=c1 a2=180 a3=0 items=0 ppid=2336 pid=2343 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xauth" exe="/usr/bin/xauth" subj=name:sysadm_r:xauth_t:s0 key=(null)
[   92.351503] type=1400 audit(1277399173.351:21): avc:  denied  { remove_name } for  pid=2343 comm="xauth" name=".xauthzzG3Kx" dev=sda3 ino=592 scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.351704] type=1300 audit(1277399173.351:21): arch=c000003e syscall=87 success=yes exit=0 a0=609010 a1=7f79faa5ae60 a2=ecf a3=7f79faa5aeb0 items=0 ppid=2336 pid=2343 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xauth" exe="/usr/bin/xauth" subj=name:sysadm_r:xauth_t:s0 key=(null)
[   92.352825] type=1105 audit(1277399173.352:22): user pid=2336 uid=1000 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0 msg='op=PAM:session_open acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/0 res=success'
[   98.353197] type=1100 audit(1277399179.352:23): user pid=2348 uid=0 auid=1000 ses=1 subj=name:sysadm_r:run_init_t:s0 msg='op=PAM:authentication acct="name" exe="/usr/sbin/run_init" hostname=? addr=? terminal=pts/0 res=success'
[   98.359986] type=1101 audit(1277399179.358:24): user pid=2348 uid=0 auid=1000 ses=1 subj=name:sysadm_r:run_init_t:s0 msg='op=PAM:accounting acct="name" exe="/usr/sbin/run_init" hostname=? addr=? terminal=pts/0 res=success'
[  105.288236] type=1400 audit(1277399186.287:25): avc:  denied  { remove_name } for  pid=2336 comm="su" name=".xauthzzG3Kx" dev=sda3 ino=594 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[  105.288511] type=1300 audit(1277399186.287:25): arch=c000003e syscall=87 success=yes exit=0 a0=617f50 a1=7f8ee314aa6a a2=619d60 a3=7f8ee5316cb0 items=0 ppid=2331 pid=2336 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="su" exe="/bin/su" subj=name:sysadm_r:sysadm_su_t:s0 key=(null)
[  105.288750] type=1106 audit(1277399186.288:26): user pid=2336 uid=0 auid=1000 ses=1 subj=name:sysadm_r:sysadm_su_t:s0 msg='op=PAM:session_close acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/0 res=success'
[  115.032652] type=1100 audit(1277399196.031:27): user pid=2392 uid=1000 auid=1000 ses=1 subj=name:sysadm_r:chkpwd_t:s0 msg='op=PAM:unix_chkpwd acct="name" exe="/lib/security/unix_chkpwd" hostname=? addr=? terminal=? res=success'


worst case scenario is I just boot into permissive mode, disable sshd 
and not even worry about su/sudo...
(just being a lazy admin...)

Justin P. Mattock
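As an added example (not code from the thread or from refpolicy), a small Python parser that walks the AVC records quoted above, collapses them into audit2allow-style rules and diffs the result against the two rules posted in the message. Only a subset of the thread's records is embedded, one per line, and the fields are pulled with a hand-written regex rather than the audit library.

```python
import re
from collections import defaultdict

# AVC denials copied from the thread's dmesg output (subset, one record per line).
SAMPLE = """\
[   90.526476] type=1400 audit(1277399171.525:16): avc:  denied  { search } for  pid=2336 comm="su" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.344367] type=1400 audit(1277399173.344:18): avc:  denied  { write } for  pid=2336 comm="su" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.344411] type=1400 audit(1277399173.344:18): avc:  denied  { add_name } for  pid=2336 comm="su" name=".xauthzzG3Kx" scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.349846] type=1400 audit(1277399173.349:19): avc:  denied  { search } for  pid=2343 comm="xauth" name="root" dev=sda3 ino=3447 scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[   92.351503] type=1400 audit(1277399173.351:21): avc:  denied  { remove_name } for  pid=2343 comm="xauth" name=".xauthzzG3Kx" dev=sda3 ino=592 scontext=name:sysadm_r:xauth_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
[  105.288236] type=1400 audit(1277399186.287:25): avc:  denied  { remove_name } for  pid=2336 comm="su" name=".xauthzzG3Kx" dev=sda3 ino=594 scontext=name:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
"""

# Pull the permission set and the three fields audit2allow keys a rule on.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Yield (source_type, target_type, tclass, perm) per denied permission."""
    for m in AVC_RE.finditer(text):
        stype = m.group("scon").split(":")[2]   # user:role:type:level -> type
        ttype = m.group("tcon").split(":")[2]
        for perm in m.group("perms").split():
            yield stype, ttype, m.group("tclass"), perm

def allow_rules(text):
    """Collapse denials into audit2allow-style rules: {rule_head: [perms]}."""
    perms = defaultdict(set)
    for stype, ttype, tclass, perm in parse_avc(text):
        perms[(stype, ttype, tclass)].add(perm)
    return {f"allow {s} {t}:{c}": sorted(p) for (s, t, c), p in perms.items()}

POSTED = {  # the two rules quoted in the message above, as posted there
    "allow sysadm_su_t user_home_dir_t:dir": {"write", "search", "add_name"},
    "allow xauth_t user_home_dir_t:dir": {"write", "search", "add_name"},
}

def missing_from(posted, derived):
    """Permissions the denials request that the posted rules do not grant."""
    return {head: sorted(set(p) - posted.get(head, set()))
            for head, p in derived.items()}

if __name__ == "__main__":
    rules = allow_rules(SAMPLE)
    for head, p in rules.items():
        print(f"{head} {{ {' '.join(p)} }};")
    print("not covered by the posted rules:", missing_from(POSTED, rules))
```

The diff shows that the posted rules omit remove_name, which the denials also request, so those two denials would recur even with the rules loaded. Every denial also targets a directory named root carrying user_home_dir_t, so checking that label with matchpathcon (or restorecon -nv) is the cheaper first step for the mislabel the message suspects.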

