xinetd and selinux issues

Paul Howarth paul at city-fan.org
Fri Jun 30 17:30:20 UTC 2006


freund at post.queensu.ca wrote:
>> On Thu, 2006-06-29 at 17:13 -0400, Al Freundorfer wrote:
>>> I set up xinetd to allow certain sites to connect to the server
>>> thru /etc/xinetd.d/ssh.
>>> It works perfectly when I set selinux to permissive, but doesn't work
>>> when set to enforcing even though I have the box checked in
>>> system-config-security under selinux tab to allow ssh connection
>>> through inetd.
>>>
>>> Can anyone help me with this?
>> Change back to permissive:
>>
>> # setenforce 0
>>
>> Make a note of the exact time.
>>
>> Then try out a connection (which should work since you're in permissive
>> mode).
>>
>> Then look in your /var/log/messages or /var/log/audit/audit.log (if you
>> have one) for messages containing "type=AVC" after the time you did the
>> "setenforce". Post back here any that you find.
>>
>> Paul.
> 
> Thanks for your help. This is what I got.

(snip)

> selinux set to enforcing:
> remote terminal attempted login:
> password:
> Authentication successful.
> Last login: Fri Jun 30 12:49:57 2006
> /bin/bash: Permission denied
> bash-2.03$
> 
> /var/log/messages:
> Jun 30 12:57:28 local kernel: audit(1151686648.208:4): enforcing=1
> old_enforcing=0 auid=4294967295
> Jun 30 12:58:06 local kernel: audit(1151686686.350:5): avc:  denied  {
> entrypoint } for  pid=2627 comm="sshd" name="bash" dev=dm-0 ino=49053782
> scontext=user_u:system_r:amanda_t:s0
> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

This is a bit weird. The failures all refer to the "amanda_t" domain, 
which is what the "amanda" backup program should run in. Nothing to do 
with ssh. So that suggests to me that there's a labelling problem.

However, before resorting to relabelling your system, try this:

# setsebool -P run_ssh_inetd 1

You'll need this anyway for ssh via inetd/xinetd but I suspect it may 
not fix the problem.

Paul.
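The procedure Paul describes earlier in the thread (note the time of the `setenforce`, then pull the `type=AVC` / `avc: denied` lines logged after it) is easy to do by hand for one denial but tedious for a busy log. The script below is an added example, not code from the thread or from any Fedora tool; it is a POSIX sh/awk helper that reads syslog-style audit lines on stdin, finds the timestamp of the last `enforcing=1` event, and summarises every denial recorded after that point as one line: epoch, process, source domain, denied permissions, object class, target type. The sample log is constructed for the example: the last two lines are modelled on the `/var/log/messages` excerpt quoted above (the AVC record is one line in the real file; the mail client wrapped it), and the first line is an invented earlier denial so the cutoff has something to exclude.

```shell
#!/bin/sh
# Constructed sample log for the example (not data from a real system).
# The "enforcing=1" line and the sshd/amanda_t denial mirror the excerpt
# quoted in the thread; the first denial is invented and predates the switch.
SAMPLE_LOG='Jun 30 12:50:00 local kernel: audit(1151686200.100:2): avc:  denied  { read write } for  pid=2500 comm="amanda" name="index" dev=dm-0 ino=1234 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
Jun 30 12:57:28 local kernel: audit(1151686648.208:4): enforcing=1 old_enforcing=0 auid=4294967295
Jun 30 12:58:06 local kernel: audit(1151686686.350:5): avc:  denied  { entrypoint } for  pid=2627 comm="sshd" name="bash" dev=dm-0 ino=49053782 scontext=user_u:system_r:amanda_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file'

# Print the epoch-seconds timestamp of the last "enforcing=1" audit event on
# stdin (the moment enforcing mode was switched on); prints nothing if absent.
enforce_switch_epoch() {
    awk '
        /enforcing=1/ && match($0, /audit\([0-9]+\./) {
            e = substr($0, RSTART + 6, RLENGTH - 7)
        }
        END { if (e != "") print e }'
}

# Summarise each AVC denial on stdin whose timestamp is strictly after the
# cutoff epoch given as $1. Output per denial:
#   <epoch> <comm> <source type> <permissions> <tclass> <target type>
avc_denials_after() {
    awk -v cutoff="$1" '
        # Value of a key=value token preceded by a space, quotes stripped.
        function kv(line, key,    v) {
            if (match(line, " " key "=[^ ]+") == 0) return "-"
            v = substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
            gsub(/"/, "", v)
            return v
        }
        # Type field (third component) of a user:role:type:level context.
        function ctxtype(ctx,    p) { split(ctx, p, ":"); return p[3] }

        /avc: +denied/ {
            # audit(1151686686.350:5) -> 1151686686
            if (match($0, /audit\([0-9]+\./) == 0) next
            epoch = substr($0, RSTART + 6, RLENGTH - 7) + 0
            if (epoch <= cutoff) next
            # Denied permissions are the words between the braces.
            match($0, /[{][^}]*[}]/)
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            print epoch, kv($0, "comm"), ctxtype(kv($0, "scontext")),
                  perms, kv($0, "tclass"), ctxtype(kv($0, "tcontext"))
        }'
}

# Usage: feed the log through both helpers. On a real box replace the
# printf with: cat /var/log/messages /var/log/audit/audit.log 2>/dev/null
cutoff=$(printf '%s\n' "$SAMPLE_LOG" | enforce_switch_epoch)
printf '%s\n' "$SAMPLE_LOG" | avc_denials_after "$cutoff"
```

For the sample above the only line printed is `1151686686 sshd amanda_t entrypoint file shell_exec_t`, which is exactly the oddity Paul points at: the source type column says the `sshd` process was running in `amanda_t` rather than an ssh domain, so the denial is a labelling or domain-transition problem rather than a missing ssh permission. Grouping the output by the source-type column is a quick way to spot the same pattern across many denials.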
