From: dE <de.techno@gmail.com>
To: selinux@tycho.nsa.gov
Subject: sshd and default security context.
Date: Wed, 07 May 2014 21:02:14 +0530 [thread overview]
Message-ID: <536A51FE.1050506@gmail.com> (raw)
I was trying out default_contexts, which has the following lines --
cat default_contexts | grep sshd
system_r:sshd_t:s0 user_r:user_t:s0
And sshd does run with that type --
ps auxZ | grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 279 0.0 0.6 80636 3392 ? Ss 09:20 0:00 /usr/sbin/sshd -D
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 458 0.0 0.9 131280 4652 ? Ss 09:22 0:00 sshd: de [priv]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 de 468 0.0 0.4 131280 2144 ? S 09:22 0:00 sshd: de@pts/0
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 5115 1.1 0.9 131280 4624 ? Ss 20:22 0:00 sshd: de [priv]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 de 5121 0.0 0.4 131280 2124 ? S 20:22 0:00 sshd: de@notty
But the processes spawned by sshd do not have type user_t --
ps auxZ | grep user_t
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 de 5183 0.0 0.1 112632 884 pts/0 S+ 20:25 0:00 grep --color=auto user_t
I'm running the sleep command over SSH, for example, but --
ps auxZ | grep sleep
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 de 5126 0.0 0.1 107888 504 ? Ss 20:22 0:00 sleep 10m
ps f -Ao args,label
COMMAND                          LABEL
/usr/sbin/sshd -D                system_u:system_r:sshd_t:s0-s0:c0.c1023
 \_ sshd: de [priv]              system_u:system_r:sshd_t:s0-s0:c0.c1023
 |   \_ sshd: de@pts/0           unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 |       \_ -bash                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 |           \_ ps f -Ao ar      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 \_ sshd: de [priv]              system_u:system_r:sshd_t:s0-s0:c0.c1023
     \_ sshd: de@notty           unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
         \_ sleep 10m            unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
I'm aware of the possibility that ssh devs may have intended to use
libselinux for a different purpose, but it's kind of pointless otherwise.
ldd $(which sshd) | grep selinux
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f4cf93f6000)
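The context sshd hands to a session is not read straight from default_contexts. sshd asks libselinux (getseuserbyname() followed by get_default_context_with_level()) for the login context; libselinux first maps the Linux user to an SELinux user through seusers (falling back to the __default__ entry), then consults contexts/users/<seuser> before default_contexts, and keeps only the first candidate that the loaded policy allows for that SELinux user. A user mapped to unconfined_u therefore never gets user_r:user_t, whatever default_contexts says. The following is an added, simplified model of that selection written for this page, not libselinux or OpenSSH code; the seusers, default_contexts and contexts/users/unconfined_u snippets and the USER_ROLES/ROLE_TYPES tables are constructed samples standing in for the real files and the policy database (the kernel's security_check_context(), and libselinux's failsafe_context fallback, are not modelled).

```python
"""Simplified model of libselinux login-context selection, as used by sshd.

Added illustration, not libselinux/OpenSSH code. All inputs below are
constructed samples shaped like the real configuration files.
"""
from typing import Dict, List, Optional, Set

# /etc/selinux/<policy>/seusers: Linux user -> SELinux user:MLS range
SEUSERS = """\
system_u:system_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023
"""

# /etc/selinux/<policy>/contexts/default_contexts (sshd line as in the post)
DEFAULT_CONTEXTS = """\
system_r:sshd_t:s0 user_r:user_t:s0
system_r:local_login_t:s0 user_r:user_t:s0
"""

# /etc/selinux/<policy>/contexts/users/<seuser>: consulted BEFORE default_contexts
USER_CONTEXT_FILES: Dict[str, str] = {
    "unconfined_u": "system_r:sshd_t:s0 unconfined_r:unconfined_t:s0\n",
}

# Stand-in for the policy database (constructed): roles each SELinux user may
# enter, and domains each role may hold. The kernel checks this through
# security_check_context(); a dictionary lookup plays that part here.
USER_ROLES: Dict[str, Set[str]] = {
    "unconfined_u": {"unconfined_r"},
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
}
ROLE_TYPES: Dict[str, Set[str]] = {
    "unconfined_r": {"unconfined_t"},
    "user_r": {"user_t"},
    "staff_r": {"staff_t"},
    "sysadm_r": {"sysadm_t"},
}


def lookup_seuser(linux_user: str, seusers: str = SEUSERS):
    """getseuserbyname(): exact entry, else the __default__ entry."""
    table = {}
    for line in seusers.splitlines():
        if line and not line.startswith("#"):
            name, seuser, level = line.split(":", 2)
            table[name] = (seuser, level)
    return table.get(linux_user) or table["__default__"]


def candidates_for(fromcon: str, contexts_file: str) -> List[str]:
    """Candidate role:type:level fields from lines whose first field matches
    the caller's role:type (the caller's MLS level is ignored for matching)."""
    role, typ = fromcon.split(":")[1:3]
    key = f"{role}:{typ}"
    out: List[str] = []
    for line in contexts_file.splitlines():
        fields = line.split()
        if fields and ":".join(fields[0].split(":")[:2]) == key:
            out.extend(fields[1:])
    return out


def context_is_valid(seuser: str, role: str, typ: str) -> bool:
    """Would the policy accept seuser:role:typ? (stand-in for the kernel check)"""
    return role in USER_ROLES.get(seuser, set()) and typ in ROLE_TYPES.get(role, set())


def default_context(linux_user: str, fromcon: str,
                    seusers: str = SEUSERS,
                    user_files: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Model of get_default_context_with_level(): per-user file first, then
    default_contexts; first policy-valid candidate wins, with the MLS range
    from seusers substituted for the candidate's level."""
    files = USER_CONTEXT_FILES if user_files is None else user_files
    seuser, level = lookup_seuser(linux_user, seusers)
    ordered: List[str] = []
    if seuser in files:
        ordered += candidates_for(fromcon, files[seuser])
    ordered += candidates_for(fromcon, DEFAULT_CONTEXTS)
    for cand in ordered:
        role, typ = cand.split(":")[:2]
        if context_is_valid(seuser, role, typ):
            return f"{seuser}:{role}:{typ}:{level}"
    return None  # no usable context; sshd treats this as an error when enforcing


if __name__ == "__main__":
    sshd = "system_u:system_r:sshd_t:s0-s0:c0.c1023"
    print("de (mapped to unconfined_u):", default_context("de", sshd))
    print("de without contexts/users/unconfined_u:", default_context("de", sshd, user_files={}))
    print("de mapped to user_u:", default_context("de", sshd, seusers=SEUSERS + "de:user_u:s0\n"))
```

The three cases in the main block are the check worth making on a real host: with the __default__ mapping the session lands in unconfined_u:unconfined_r:unconfined_t (matching the ps output above); removing the per-user contexts file yields no valid context at all rather than user_t, because unconfined_u cannot enter user_r; and only after remapping the login to user_u (on a live system, `semanage login -a -s user_u de`, then checking with `semanage login -l`) does the default_contexts entry produce user_u:user_r:user_t.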
Thread overview: 4+ messages
2014-05-07 15:32 dE [this message]
2014-05-07 18:44 ` sshd and default security context Stephen Smalley
2014-05-09 5:59 ` dE
2014-05-09 12:17 ` Stephen Smalley