selinux-policy-strict bug

Stephen Smalley sds at tycho.nsa.gov
Wed Jun 6 12:53:11 UTC 2007


On Wed, 2007-06-06 at 00:48 +0200, Paul S wrote:
> selinux-policy-strict seems to fail with allowing remote access to the
> sshd on Fedora7 (2.6.21-1.3194.fc7). I've installed Fedora7 with all
> the package collections disabled for a minimal system in the
> installer, installed the necessary tools for selinux and the strict
> policy and enabled it. Installed sshd, touched /.autorelabel and
> rebooted (twice). When enabling the enforced mode, and try to ssh from
> the LAN, I get avc messages because of denied access ("permission
> denied" after entering the password on the client). I tried to make a
> module for allowing it but I get assertions when installing the
> modules. 

Already reported; try updating to the latest policy.
Or add:
	require {
		attribute can_set_loginuid;
		attribute can_send_audit_msg;
	}
	typeattribute sshd_t can_set_loginuid, can_send_audit_msg;
to your .te file.
> 
> #######################################################
> 
> [root at area51 sshd]# cat MYsshd.te
> module MYsshd 1.0;
> 
> require {
>         type staff_t;
>         type user_home_dir_t;
>         type sshd_t; 
>         class file { write ioctl };
>         class capability { audit_control audit_write };
>         class netlink_audit_socket { create nlmsg_relay write read };
> }
> 
> #============= sshd_t ==============
> allow sshd_t self:capability { audit_control audit_write };
> allow sshd_t self:netlink_audit_socket { create nlmsg_relay read
> write };
> 
> #============= staff_t =============
> allow staff_t user_home_dir_t:file { write ioctl }; 
> 
> -------------------------------------------------------
> 
> [root at area51 sshd]# semodule -i MYsshd.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:netlink_audit_socket { nlmsg_relay }; 
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:capability { audit_write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:capability { audit_control }; 
> libsepol.check_assertions: 3 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule:  Failed!
> 
> #######################################################
> 
> cat /var/log/messages | audit2allow -M MYautogen 
> semodule -i MYautogen.pp
> 
> -------------------------------------------------------
> 
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_t security_t:security { load_policy };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_xserver_t staff_xserver_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> local_login_t local_login_t:netlink_audit_socket { nlmsg_relay }; 
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> setfiles_t setfiles_t:netlink_audit_socket { nlmsg_relay }; 
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_xserver_t staff_xserver_t:capability { audit_write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> local_login_t local_login_t:capability { audit_write }; 
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:capability { audit_write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> setfiles_t setfiles_t:capability { audit_write }; 
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> local_login_t local_login_t:capability { audit_control };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:capability { audit_control }; 
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_t staff_t:capability { audit_control };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_t staff_t:capability { sys_module }; 
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_xserver_t shadow_t:file { write create };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_t shadow_t:file { write create }; 
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_xserver_t shadow_t:file { read };
> libsepol.check_assertions: 16 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed 
> semodule:  Failed!
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- 
Stephen Smalley
National Security Agency
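Added example for this thread (not code from the thread, from Stephen Smalley, or from the SELinux project): a small parser for the libsepol assertion output quoted above. It turns each "assertion on line 0 violated by allow ..." line into a (source, target, class, permissions) tuple, joining lines first because mail clients wrap them, and then sorts the offending rules into two buckets: self-targeted audit permissions that the reply says should be granted through the `can_set_loginuid` and `can_send_audit_msg` attributes, and everything else, which is reported as a rule to drop from the module. The mapping of `audit_control` to `can_set_loginuid` and of `audit_write` / `nlmsg_relay` to `can_send_audit_msg` is an assumption drawn from the reply; the sample input is constructed from the quoted output.

```python
"""Parse libsepol neverallow-assertion failures from `semodule -i` output and
suggest what to do with each offending allow rule.

Added example; not code from the mailing-list thread or the SELinux project.
The attribute mapping below is an assumption based on the reply above.
"""
import re
from collections import defaultdict

# Assumed mapping: which policy attribute grants each guarded permission.
ATTRIBUTE_FOR = {
    ("capability", "audit_control"): "can_set_loginuid",
    ("capability", "audit_write"): "can_send_audit_msg",
    ("netlink_audit_socket", "nlmsg_relay"): "can_send_audit_msg",
}

RULE_RE = re.compile(
    r"assertion on line \d+ violated by allow\s+"
    r"(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+\{\s*(?P<perms>[^}]*)\}"
)


def parse_violations(output):
    """Return a list of (src, tgt, cls, perms) tuples from semodule output.

    Mail clients wrap long lines, so the text is flattened into one string
    and newlines are treated as ordinary whitespace before matching."""
    flat = " ".join(line.strip() for line in output.splitlines())
    return [
        (m["src"], m["tgt"], m["cls"], tuple(m["perms"].split()))
        for m in RULE_RE.finditer(flat)
    ]


def suggest(violations):
    """Sort violations into typeattribute statements and rules to drop.

    Returns (typeattributes, drop): typeattributes maps a domain to the set of
    attributes covering its self-targeted audit permissions; drop lists each
    (src, tgt, cls, perm) that no attribute in ATTRIBUTE_FOR covers."""
    typeattributes = defaultdict(set)
    drop = []
    for src, tgt, cls, perms in violations:
        for perm in perms:
            attr = ATTRIBUTE_FOR.get((cls, perm))
            if attr and src == tgt:
                typeattributes[src].add(attr)
            else:
                drop.append((src, tgt, cls, perm))
    return dict(typeattributes), drop


def render_te(typeattributes):
    """Emit the require block and typeattribute lines for a .te file."""
    attrs = sorted({a for s in typeattributes.values() for a in s})
    lines = ["require {"]
    lines += [f"\tattribute {a};" for a in attrs]
    lines += [f"\ttype {d};" for d in sorted(typeattributes)]
    lines.append("}")
    for domain in sorted(typeattributes):
        joined = ", ".join(sorted(typeattributes[domain]))
        lines.append(f"typeattribute {domain} {joined};")
    return "\n".join(lines)


# Constructed sample, shaped like the semodule output quoted in the thread.
SAMPLE = """\
libsepol.check_assertion_helper: assertion on line 0 violated by allow
sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
sshd_t sshd_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
sshd_t sshd_t:capability { audit_control };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
staff_t shadow_t:file { write create };
libsepol.check_assertions: 4 assertion violations occured
"""

if __name__ == "__main__":
    violations = parse_violations(SAMPLE)
    typeattributes, drop = suggest(violations)
    print(render_te(typeattributes))
    for rule in drop:
        print("# drop: allow %s %s:%s { %s };" % rule)
```

Run it on the real output by piping `semodule -i MYsshd.pp 2>&1` into `parse_violations`; the rendered block replaces the `allow sshd_t self:capability` and `netlink_audit_socket` rules in the module, while anything reported as "drop" (such as `staff_t` writing `shadow_t`) was refused by a neverallow for a reason and should not be carried into a local module.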



