Trouble logging in through SSH

Trouble logging in through SSH

[Simon Peter Nicholls]

Hi All,

I'm having some trouble setting up SELinux using refpolicy, and am 
unable to login my test user through ssh when in enforcing mode. Could 
someone help me work out where the problem lies? I have some basic 
experience with SELinux, but based on working Fedora systems that have 
gone slightly awry.

Similar denial messages to the ssh one are seen when trying to run 
software like Emacs in permissive mode. In each case it feels like I am 
restricted by the consoletype_t, whilst I was expecting to gain an 
unconfined_t type for my user (to match unconfined_u & unconfined_r).

I also expected to see the sshd_t type for the sshd process, but it is 
using init_t. Are transitions failing for my startup services?

Some detailed info follows; Many thanks.

the denial when attempting ssh login
-------------------------------------------------
Feb  4 22:57:36 mailer kernel: type=1400 audit(1296856656.870:4): avc:  
denied  { entrypoint } for  pid=1003 comm="sshd" path="/bin/bash" 
dev=vda1 ino=1513 scontext=unconfined_u:unconfined_r:consoletype_t 
tcontext=system_u:object_r:shell_exec_t tclass=file

some debug.log for boot
--------------------------------
Feb  4 22:57:13 mailer kernel: SELinux: 2048 avtab hash slots, 211693 
rules.
Feb  4 22:57:13 mailer kernel: SELinux: 2048 avtab hash slots, 211693 
rules.
Feb  4 22:57:13 mailer kernel: SELinux:  6 users, 15 roles, 3386 types, 
143 bools
Feb  4 22:57:13 mailer kernel: SELinux:  77 classes, 211693 rules
Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in 
class file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in 
class dir not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class dir 
not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in 
class lnk_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission open in class 
lnk_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class 
lnk_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in 
class chr_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in 
class blk_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class 
blk_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in 
class sock_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class 
sock_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in 
class fifo_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class 
fifo_file not defined in policy.
Feb  4 22:57:13 mailer kernel: SELinux: the above unknown classes and 
permissions will be allowed
Feb  4 22:57:13 mailer kernel: SELinux:  Completing initialization.
Feb  4 22:57:13 mailer kernel: SELinux:  Setting up existing superblocks.
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev sysfs, type 
sysfs), uses genfs_contexts
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev rootfs, type 
rootfs), uses genfs_contexts
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev bdev, type 
bdev), uses genfs_contexts
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev proc, type 
proc), uses genfs_contexts
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev tmpfs, type 
tmpfs), uses transition SIDs
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev devtmpfs, type 
devtmpfs), uses transition SIDs
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev sockfs, type 
sockfs), uses task SIDs
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev debugfs, type 
debugfs), uses genfs_contexts
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev pipefs, type 
pipefs), uses task SIDs
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev anon_inodefs, 
type anon_inodefs), uses genfs_contexts
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev devpts, type 
devpts), uses transition SIDs
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev hugetlbfs, type 
hugetlbfs), uses transition SIDs
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev mqueue, type 
mqueue), uses transition SIDs
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev selinuxfs, type 
selinuxfs), uses genfs_contexts
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev sysfs, type 
sysfs), uses genfs_contexts
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev vda1, type 
ext4), uses xattr
Feb  4 22:57:13 mailer kernel: type=1403 audit(1296856630.883:2): policy 
loaded auid=4294967295 ses=4294967295
...
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev usbfs, type 
usbfs), uses genfs_contexts
...
Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev tmpfs, type 
tmpfs), uses transition SIDs

sestatus -v
---------------
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        sipolicy

Process contexts:
Current context:                unconfined_u:unconfined_r:consoletype_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:init_t

File contexts:
Controlling term:               unconfined_u:object_r:devpts_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/bash                       system_u:object_r:shell_exec_t
/bin/login                      system_u:object_r:login_exec_t
/bin/sh                         system_u:object_r:bin_t -> 
system_u:object_r:shell_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/sbin/init                      system_u:object_r:init_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> 
system_u:object_r:lib_t

semanage login -l output
---------------------------------
Login Name                SELinux User

si                        unconfined_u
__default__               user_u
root                      root
system_u                  system_u

build.conf for policy
--------------------------
TYPE = standard
NAME = sipolicy
UNK_PERMS = allow #instead of deny, due to kernel boot complaints
DIRECT_INITRC = y
MONOLITHIC = n
UBAC = n

auth.log
-----------
Feb  4 22:57:54 mailer sshd[1005]: pam_selinux(sshd:session): pam: 
default-context=unconfined_u:unconfined_r:consoletype_t 
selected-context=(null) success 0
Feb  4 22:57:54 mailer sshd[1005]: pam_selinux(sshd:session): pam: 
default-context=unconfined_u:unconfined_r:consoletype_t 
selected-context=unconfined_u:unconfined_r:consoletype_t success 1

/etc/pam.d/sshd
--------------------
#%PAM-1.0
#auth           required        pam_securetty.so        #Disable remote 
root
auth            required        pam_unix.so
auth            required        pam_nologin.so
auth            required        pam_env.so
account         required        pam_unix.so
account         required        pam_time.so
password        required        pam_unix.so
# pam_selinux.so close should be the first session rule
session         required        pam_selinux.so close
# pam_selinux.so open should only be followed by sessions to be executed 
in the user context
session         required        pam_selinux.so open env_params
session         required        pam_unix_session.so
session         required        pam_limits.so

installed packages
------------------------
local/kernel26-selinux 2.6.36.3-1 (selinux selinux-system-utilities)
     The SELinux enabled Linux Kernel and modules
local/kernel26-selinux-headers 2.6.36.3-1 (selinux selinux-system-utilities)
     Header files and scripts for building modules for kernel26-selinux
local/selinux-coreutils 8.9-1 (selinux selinux-system-utilities)
     SELinux aware basic file, shell and text manipulation utilities of 
the GNU operating system
local/selinux-cronie 1.4.4-4 (selinux selinux-system-utilities)
     Fedora fork of vixie-cron with PAM and SELinux support
local/selinux-findutils 4.4.2-3 (selinux selinux-system-utilities)
     GNU utilities to locate files with Gentoo SELinux patch
local/selinux-flex 2.5.4a-4 (selinux selinux-system-utilities)
     A tool for generating text-scanning programs
local/selinux-logrotate 3.7.9-2 (selinux selinux-system-utilities)
     Tool to rotate system logs automatically with SELinux support
local/selinux-openssh 5.6p1-1 (selinux selinux-system-utilities)
     A Secure SHell server/client with SELinux support
local/selinux-pam 1.1.3-1 (selinux selinux-system-utilities)
     SELinux aware PAM (Pluggable Authentication Modules) library
local/selinux-procps 3.2.8-3 (selinux selinux-system-utilities)
     Utilities for monitoring your system and processes on your system 
with SELinux patch
local/selinux-psmisc 22.13-1 (selinux selinux-system-utilities)
     SELinux aware miscellaneous procfs tools
local/selinux-refpolicy 20101213-1 (selinux selinux-policies)
     Modular SELinux reference policy including headers and docs
local/selinux-refpolicy-src 20101213-1 (selinux selinux-policies)
     SELinux reference policy sources
local/selinux-setools 3.3.7-4 (selinux selinux-extras)
     SELinux SETools GUI and CLI tools and libraries for SELinux policy 
analysis
local/selinux-shadow 4.1.4.2-5 (selinux selinux-system-utilities)
     Shadow password file utilities with SELinux support
local/selinux-sudo 1.7.4p5-1 (selinux selinux-system-utilities)
     Give certain users the ability to run some commands as root with 
SELinux support
local/selinux-sysvinit 2.88-2 (selinux selinux-system-utilities)
     SELinux aware Linux System V Init
local/selinux-udev 165-1 (selinux selinux-system-utilities)
     The userspace dev tools (udev) with SELinux support
local/selinux-usr-checkpolicy 2.0.23-1 (selinux selinux-userspace)
     SELinux userspace (checkpolicy)
local/selinux-usr-libselinux 2.0.98-1 (selinux selinux-userspace)
     SELinux userspace (libselinux including python bindings)
local/selinux-usr-libsemanage 2.0.46-1 (selinux selinux-userspace)
     SELinux userspace (libsemanage including python bindings)
local/selinux-usr-libsepol 2.0.42-1 (selinux selinux-userspace)
     SELinux userspace (libsepol)
local/selinux-usr-policycoreutils 2.0.85-2 (selinux selinux-userspace)
     SELinux userspace (policycoreutils)
local/selinux-usr-sepolgen 1.0.23-4 (selinux selinux-userspace)
     SELinux userspace (sepolgen)
local/selinux-util-linux-ng 2.18-4 (selinux selinux-system-utilities)
     SELinux aware miscellaneous system utilities for Linux


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Trouble logging in through SSH

[Simon Peter Nicholls]

On 05/02/11 00:22, Simon Peter Nicholls wrote:
> Hi All,
>
> I'm having some trouble setting up SELinux using refpolicy, and am 
> unable to login my test user through ssh when in enforcing mode. Could 
> someone help me work out where the problem lies? I have some basic 
> experience with SELinux, but based on working Fedora systems that have 
> gone slightly awry.
>
> Similar denial messages to the ssh one are seen when trying to run 
> software like Emacs in permissive mode. In each case it feels like I 
> am restricted by the consoletype_t, whilst I was expecting to gain an 
> unconfined_t type for my user (to match unconfined_u & unconfined_r).
>
> I also expected to see the sshd_t type for the sshd process, but it is 
> using init_t. Are transitions failing for my startup services?

Typical. The act of writing this gave substance to my suspicions. I 
checked the type for the the SSH init script and it was incorrectly set 
to etc_t, the underlying reason being that Arch Linux uses the 
non-standard /etc/rc.d directory for it's startup scripts.

As a quick test to confirm, I used chcon to set the sshd script to 
initrc_exec_t, rebooted, and I find I can login under enforcing mode. 
The sshd process now has the sshd_t type, and my user also has the 
unconfined_u:unconfined_r:unconfined_t context, as I previously 
expected. The subsequent running of programs like Emacs are now no problem.

I have some log related denials however, which I'll look into. Any 
pointers would be appreciated.

Feb  5 09:13:41 mailer kernel: type=1400 audit(1296893621.240:3): avc:  
denied \
  { write } for  pid=945 comm="sshd" name="log" dev=devtmpfs ino=4929 
scontext=s\
ystem_u:system_r:sshd_t tcontext=system_u:object_r:device_t 
tclass=sock_file
Feb  5 09:13:41 mailer kernel: type=1400 audit(1296893621.240:4): avc:  
denied \
  { connectto } for  pid=945 comm="sshd" path="/dev/log" 
scontext=system_u:syste\
m_r:sshd_t tcontext=system_u:system_r:init_t tclass=unix_stream_socket


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Trouble logging in through SSH

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/05/2011 09:33 AM, Simon Peter Nicholls wrote:
> On 05/02/11 00:22, Simon Peter Nicholls wrote:
>> Hi All,
>>
>> I'm having some trouble setting up SELinux using refpolicy, and am
>> unable to login my test user through ssh when in enforcing mode. Could
>> someone help me work out where the problem lies? I have some basic
>> experience with SELinux, but based on working Fedora systems that have
>> gone slightly awry.
>>
>> Similar denial messages to the ssh one are seen when trying to run
>> software like Emacs in permissive mode. In each case it feels like I
>> am restricted by the consoletype_t, whilst I was expecting to gain an
>> unconfined_t type for my user (to match unconfined_u & unconfined_r).
>>
>> I also expected to see the sshd_t type for the sshd process, but it is
>> using init_t. Are transitions failing for my startup services?
> 
> Typical. The act of writing this gave substance to my suspicions. I
> checked the type for the the SSH init script and it was incorrectly set
> to etc_t, the underlying reason being that Arch Linux uses the
> non-standard /etc/rc.d directory for it's startup scripts.
> 
> As a quick test to confirm, I used chcon to set the sshd script to
> initrc_exec_t, rebooted, and I find I can login under enforcing mode.
> The sshd process now has the sshd_t type, and my user also has the
> unconfined_u:unconfined_r:unconfined_t context, as I previously
> expected. The subsequent running of programs like Emacs are now no problem.
> 
> I have some log related denials however, which I'll look into. Any
> pointers would be appreciated.

Looks like /dev/log is mislabelled for some reason.
Does syslog run in the proper domain?

> Feb  5 09:13:41 mailer kernel: type=1400 audit(1296893621.240:3): avc: 
> denied \
>  { write } for  pid=945 comm="sshd" name="log" dev=devtmpfs ino=4929
> scontext=s\
> ystem_u:system_r:sshd_t tcontext=system_u:object_r:device_t
> tclass=sock_file
> Feb  5 09:13:41 mailer kernel: type=1400 audit(1296893621.240:4): avc: 
> denied \
>  { connectto } for  pid=945 comm="sshd" path="/dev/log"
> scontext=system_u:syste\
> m_r:sshd_t tcontext=system_u:system_r:init_t tclass=unix_stream_socket
> 
> 
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1NT/UACgkQMlxVo39jgT8mxQCg0se84g3dMmc89cQy/aY6i0+L
aLoAnjp5NaoR2OsHVGPdxPkHU7nG8sxL
=GXdW
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Trouble logging in through SSH

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/05/2011 09:33 AM, Simon Peter Nicholls wrote:
> On 05/02/11 00:22, Simon Peter Nicholls wrote:
>> Hi All,
>>
>> I'm having some trouble setting up SELinux using refpolicy, and am
>> unable to login my test user through ssh when in enforcing mode. Could
>> someone help me work out where the problem lies? I have some basic
>> experience with SELinux, but based on working Fedora systems that have
>> gone slightly awry.
>>
>> Similar denial messages to the ssh one are seen when trying to run
>> software like Emacs in permissive mode. In each case it feels like I
>> am restricted by the consoletype_t, whilst I was expecting to gain an
>> unconfined_t type for my user (to match unconfined_u & unconfined_r).
>>
>> I also expected to see the sshd_t type for the sshd process, but it is
>> using init_t. Are transitions failing for my startup services?
> 
> Typical. The act of writing this gave substance to my suspicions. I
> checked the type for the the SSH init script and it was incorrectly set
> to etc_t, the underlying reason being that Arch Linux uses the
> non-standard /etc/rc.d directory for it's startup scripts.
> 
> As a quick test to confirm, I used chcon to set the sshd script to
> initrc_exec_t, rebooted, and I find I can login under enforcing mode.
> The sshd process now has the sshd_t type, and my user also has the
> unconfined_u:unconfined_r:unconfined_t context, as I previously
> expected. The subsequent running of programs like Emacs are now no problem.
> 
> I have some log related denials however, which I'll look into. Any
> pointers would be appreciated.
> 

By the way, these policy related questions should go to
refpolicy@oss.tresys.com maillist.

> Feb  5 09:13:41 mailer kernel: type=1400 audit(1296893621.240:3): avc: 
> denied \
>  { write } for  pid=945 comm="sshd" name="log" dev=devtmpfs ino=4929
> scontext=s\
> ystem_u:system_r:sshd_t tcontext=system_u:object_r:device_t
> tclass=sock_file
> Feb  5 09:13:41 mailer kernel: type=1400 audit(1296893621.240:4): avc: 
> denied \
>  { connectto } for  pid=945 comm="sshd" path="/dev/log"
> scontext=system_u:syste\
> m_r:sshd_t tcontext=system_u:system_r:init_t tclass=unix_stream_socket
> 
> 
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1NUDgACgkQMlxVo39jgT8vlwCfZKJ+O+h3Wv+6CnehqfclR1z6
XfwAn0/mtPNd5lXUnCiIX5/GlBWDkUrO
=oAYm
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Trouble logging in through SSH

[Simon Peter Nicholls]

On 05/02/11 14:27, Dominick Grift wrote:
> By the way, these policy related questions should go to
> refpolicy@oss.tresys.com maillist.

Hi Dominick, thanks for your replies to my issues.

When I hit trouble, I thought I had hit something other than regular 
policy issues, but this was incorrect. I have missing access_vectors, 
and face some other issues (due to a combination of recent software and 
non-standard file locations), but all appear to be surmountable through 
a custom policy build.

I've learned a lot in a short time, thanks in large part to reading some 
key posts in this mailing list, and my system is firmly in the realm of 
policy tweaking now. Mostly I'm twiddling booleans and changing file 
contexts to match Arch Linux at this point, with cron and syslog-ng the 
only services with issues. My "semanage permissive -a" functionality is 
broken, as the "/var/lib/selinux" path I see hardcoded into semanage 
does not exist on my system, but it was no bother to hand code a 
permissive module to get my logging working for now. So I can run 
enforcing from boot whilst I finish up, no problem.

It looks like Fedora have already addressed some of the core refpolicy 
issues I've faced (problems unrelated to Arch file locations), but 
patches had not made it upstream the last time I checked. I'd also like 
to see a passenger module make it into refpolicy. So, I still have some 
outstanding refpolicy queries, which I'll take over to the mailing list 
you mention.

Thanks again.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Trouble logging in through SSH

[Dominick Grift]

[-- Attachment #1: Type: text/plain, Size: 2777 bytes --]

On Sun, Feb 06, 2011 at 10:28:48AM +0100, Simon Peter Nicholls wrote:
> On 05/02/11 14:27, Dominick Grift wrote:
> >By the way, these policy related questions should go to
> >refpolicy@oss.tresys.com maillist.
> 
> Hi Dominick, thanks for your replies to my issues.
> 
> When I hit trouble, I thought I had hit something other than regular
> policy issues, but this was incorrect. I have missing
> access_vectors, and face some other issues (due to a combination of
> recent software and non-standard file locations), but all appear to
> be surmountable through a custom policy build.

Agreed, Implementation of reference policy always requires modification to some extend.
Although i believe that the access vectors that you seem to be missing should have been included with the refrence policy you are using.

> 
> I've learned a lot in a short time, thanks in large part to reading
> some key posts in this mailing list, and my system is firmly in the
> realm of policy tweaking now. Mostly I'm twiddling booleans and
> changing file contexts to match Arch Linux at this point, with cron
> and syslog-ng the only services with issues. My "semanage permissive
> -a" functionality is broken, as the "/var/lib/selinux" path I see
> hardcoded into semanage does not exist on my system, but it was no
> bother to hand code a permissive module to get my logging working
> for now. So I can run enforcing from boot whilst I finish up, no
> problem.
> 

Yes maillist archives ave much information. Also agree that most work is modifying the labelling specifation to match your distros requirements,

As for semanage permissive -a. This requires that policy for semanage is modified to allow semanage these permissions. Redhat has this semanage policy modified but it is, i believe, not done in a acceptable way to reference policy, and so reference policy has not adopted redhats solution for this. The /var/lib/selinux issue may be a packaging issue. 

> It looks like Fedora have already addressed some of the core
> refpolicy issues I've faced (problems unrelated to Arch file
> locations), but patches had not made it upstream the last time I
> checked. I'd also like to see a passenger module make it into
> refpolicy. So, I still have some outstanding refpolicy queries,
> which I'll take over to the mailing list you mention.

You can indeed borrow some of redhats solutions. Some of it is not acceptable for reference policy though because it breaks policy/toolchain.
As for passenger, i started work on a module for ruby on rails and passenger but i was not able to finish it. Redhat is using what i have for inspiration for a passenger policy that they are working on. So that might show up in the near future.

> Thanks again.

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]

Re: Trouble logging in through SSH

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/05/2011 12:22 AM, Simon Peter Nicholls wrote:
> Hi All,
> 
> I'm having some trouble setting up SELinux using refpolicy, and am
> unable to login my test user through ssh when in enforcing mode. Could
> someone help me work out where the problem lies? I have some basic
> experience with SELinux, but based on working Fedora systems that have
> gone slightly awry.
> 
> Similar denial messages to the ssh one are seen when trying to run
> software like Emacs in permissive mode. In each case it feels like I am
> restricted by the consoletype_t, whilst I was expecting to gain an
> unconfined_t type for my user (to match unconfined_u & unconfined_r).
> 
> I also expected to see the sshd_t type for the sshd process, but it is
> using init_t. Are transitions failing for my startup services?
> 
> Some detailed info follows; Many thanks.
> 
> the denial when attempting ssh login
> -------------------------------------------------
> Feb  4 22:57:36 mailer kernel: type=1400 audit(1296856656.870:4): avc: 
> denied  { entrypoint } for  pid=1003 comm="sshd" path="/bin/bash"
> dev=vda1 ino=1513 scontext=unconfined_u:unconfined_r:consoletype_t
> tcontext=system_u:object_r:shell_exec_t tclass=file
> 
> some debug.log for boot
> --------------------------------
> Feb  4 22:57:13 mailer kernel: SELinux: 2048 avtab hash slots, 211693
> rules.
> Feb  4 22:57:13 mailer kernel: SELinux: 2048 avtab hash slots, 211693
> rules.
> Feb  4 22:57:13 mailer kernel: SELinux:  6 users, 15 roles, 3386 types,
> 143 bools
> Feb  4 22:57:13 mailer kernel: SELinux:  77 classes, 211693 rules
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in
> class file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in
> class dir not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class dir
> not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in
> class lnk_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission open in class
> lnk_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class
> lnk_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in
> class chr_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in
> class blk_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class
> blk_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in
> class sock_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class
> sock_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission audit_access in
> class fifo_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux:  Permission execmod in class
> fifo_file not defined in policy.
> Feb  4 22:57:13 mailer kernel: SELinux: the above unknown classes and
> permissions will be allowed

Looks like you may have some issue in your flask/access_vectors file.
As far as i can tell these should all be defined in reference policy.

> Feb  4 22:57:13 mailer kernel: SELinux:  Completing initialization.
> Feb  4 22:57:13 mailer kernel: SELinux:  Setting up existing superblocks.
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev sysfs, type
> sysfs), uses genfs_contexts
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev rootfs, type
> rootfs), uses genfs_contexts
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev bdev, type
> bdev), uses genfs_contexts
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev proc, type
> proc), uses genfs_contexts
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev tmpfs, type
> tmpfs), uses transition SIDs
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev devtmpfs, type
> devtmpfs), uses transition SIDs
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev sockfs, type
> sockfs), uses task SIDs
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev debugfs, type
> debugfs), uses genfs_contexts
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev pipefs, type
> pipefs), uses task SIDs
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev anon_inodefs,
> type anon_inodefs), uses genfs_contexts
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev devpts, type
> devpts), uses transition SIDs
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev hugetlbfs, type
> hugetlbfs), uses transition SIDs
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev mqueue, type
> mqueue), uses transition SIDs
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev selinuxfs, type
> selinuxfs), uses genfs_contexts
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev sysfs, type
> sysfs), uses genfs_contexts
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev vda1, type
> ext4), uses xattr
> Feb  4 22:57:13 mailer kernel: type=1403 audit(1296856630.883:2): policy
> loaded auid=4294967295 ses=4294967295
> ...
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev usbfs, type
> usbfs), uses genfs_contexts
> ...
> Feb  4 22:57:13 mailer kernel: SELinux: initialized (dev tmpfs, type
> tmpfs), uses transition SIDs
> 
> sestatus -v
> ---------------
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        sipolicy
> 
> Process contexts:
> Current context:                unconfined_u:unconfined_r:consoletype_t
> Init context:                   system_u:system_r:init_t
> /sbin/agetty                    system_u:system_r:getty_t
> /usr/sbin/sshd                  system_u:system_r:init_t
> 
> File contexts:
> Controlling term:               unconfined_u:object_r:devpts_t
> /etc/passwd                     system_u:object_r:etc_t
> /etc/shadow                     system_u:object_r:shadow_t
> /bin/bash                       system_u:object_r:shell_exec_t
> /bin/login                      system_u:object_r:login_exec_t
> /bin/sh                         system_u:object_r:bin_t ->
> system_u:object_r:shell_exec_t
> /sbin/agetty                    system_u:object_r:getty_exec_t
> /sbin/init                      system_u:object_r:init_exec_t
> /usr/sbin/sshd                  system_u:object_r:sshd_exec_t
> /lib/libc.so.6                  system_u:object_r:lib_t ->
> system_u:object_r:lib_t
> 
> semanage login -l output
> ---------------------------------
> Login Name                SELinux User
> 
> si                        unconfined_u
> __default__               user_u
> root                      root
> system_u                  system_u
> 
> build.conf for policy
> --------------------------
> TYPE = standard
> NAME = sipolicy
> UNK_PERMS = allow #instead of deny, due to kernel boot complaints
> DIRECT_INITRC = y
> MONOLITHIC = n
> UBAC = n
> 
> auth.log
> -----------
> Feb  4 22:57:54 mailer sshd[1005]: pam_selinux(sshd:session): pam:
> default-context=unconfined_u:unconfined_r:consoletype_t
> selected-context=(null) success 0
> Feb  4 22:57:54 mailer sshd[1005]: pam_selinux(sshd:session): pam:
> default-context=unconfined_u:unconfined_r:consoletype_t
> selected-context=unconfined_u:unconfined_r:consoletype_t success 1
> 
> /etc/pam.d/sshd
> --------------------
> #%PAM-1.0
> #auth           required        pam_securetty.so        #Disable remote
> root
> auth            required        pam_unix.so
> auth            required        pam_nologin.so
> auth            required        pam_env.so
> account         required        pam_unix.so
> account         required        pam_time.so
> password        required        pam_unix.so
> # pam_selinux.so close should be the first session rule
> session         required        pam_selinux.so close
> # pam_selinux.so open should only be followed by sessions to be executed
> in the user context
> session         required        pam_selinux.so open env_params
> session         required        pam_unix_session.so
> session         required        pam_limits.so
> 
> installed packages
> ------------------------
> local/kernel26-selinux 2.6.36.3-1 (selinux selinux-system-utilities)
>     The SELinux enabled Linux Kernel and modules
> local/kernel26-selinux-headers 2.6.36.3-1 (selinux
> selinux-system-utilities)
>     Header files and scripts for building modules for kernel26-selinux
> local/selinux-coreutils 8.9-1 (selinux selinux-system-utilities)
>     SELinux aware basic file, shell and text manipulation utilities of
> the GNU operating system
> local/selinux-cronie 1.4.4-4 (selinux selinux-system-utilities)
>     Fedora fork of vixie-cron with PAM and SELinux support
> local/selinux-findutils 4.4.2-3 (selinux selinux-system-utilities)
>     GNU utilities to locate files with Gentoo SELinux patch
> local/selinux-flex 2.5.4a-4 (selinux selinux-system-utilities)
>     A tool for generating text-scanning programs
> local/selinux-logrotate 3.7.9-2 (selinux selinux-system-utilities)
>     Tool to rotate system logs automatically with SELinux support
> local/selinux-openssh 5.6p1-1 (selinux selinux-system-utilities)
>     A Secure SHell server/client with SELinux support
> local/selinux-pam 1.1.3-1 (selinux selinux-system-utilities)
>     SELinux aware PAM (Pluggable Authentication Modules) library
> local/selinux-procps 3.2.8-3 (selinux selinux-system-utilities)
>     Utilities for monitoring your system and processes on your system
> with SELinux patch
> local/selinux-psmisc 22.13-1 (selinux selinux-system-utilities)
>     SELinux aware miscellaneous procfs tools
> local/selinux-refpolicy 20101213-1 (selinux selinux-policies)
>     Modular SELinux reference policy including headers and docs
> local/selinux-refpolicy-src 20101213-1 (selinux selinux-policies)
>     SELinux reference policy sources
> local/selinux-setools 3.3.7-4 (selinux selinux-extras)
>     SELinux SETools GUI and CLI tools and libraries for SELinux policy
> analysis
> local/selinux-shadow 4.1.4.2-5 (selinux selinux-system-utilities)
>     Shadow password file utilities with SELinux support
> local/selinux-sudo 1.7.4p5-1 (selinux selinux-system-utilities)
>     Give certain users the ability to run some commands as root with
> SELinux support
> local/selinux-sysvinit 2.88-2 (selinux selinux-system-utilities)
>     SELinux aware Linux System V Init
> local/selinux-udev 165-1 (selinux selinux-system-utilities)
>     The userspace dev tools (udev) with SELinux support
> local/selinux-usr-checkpolicy 2.0.23-1 (selinux selinux-userspace)
>     SELinux userspace (checkpolicy)
> local/selinux-usr-libselinux 2.0.98-1 (selinux selinux-userspace)
>     SELinux userspace (libselinux including python bindings)
> local/selinux-usr-libsemanage 2.0.46-1 (selinux selinux-userspace)
>     SELinux userspace (libsemanage including python bindings)
> local/selinux-usr-libsepol 2.0.42-1 (selinux selinux-userspace)
>     SELinux userspace (libsepol)
> local/selinux-usr-policycoreutils 2.0.85-2 (selinux selinux-userspace)
>     SELinux userspace (policycoreutils)
> local/selinux-usr-sepolgen 1.0.23-4 (selinux selinux-userspace)
>     SELinux userspace (sepolgen)
> local/selinux-util-linux-ng 2.18-4 (selinux selinux-system-utilities)
>     SELinux aware miscellaneous system utilities for Linux
> 
> 
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1NUqMACgkQMlxVo39jgT/TkwCfabvIlbI96uQW46D8HoirOm+w
ZS4AoI1KRrwyOpC7IIRIH/SV+D9uCI3g
=BLKt
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.