Unconfining root user in strict policy mode

Daniel J Walsh dwalsh at redhat.com
Wed Sep 16 17:41:45 UTC 2009


On 09/15/2009 08:58 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> 
>  Hi Dan,
> 
>  Thanks for your response.
>   
>  We attempted to set ssh_sysadm_login to 1 in the booleans file for our
> strict policy. We also did an setsebool -P to turn on ssh_sysadm_login.
> We also modified the security context of root user to
>  root:sysadm_r:sysadm_t. We see a couple of issues now
> 
>  1. The value for ssh_sysadm_login is not persistent across reboots
setsebool -P should persist.

From the looks of it, you never relabeled when you switched to the strict policy.

touch /.autorelabel
reboot
Make sure you boot in permissive mode (Kernel option "enforcing=0")

>  2. Even when the ssh_sysadm_login is turned on we cannot login as root
> user
> 
> The sealert messages seem to indicate the following. What else do we
> need to do to get it working?
> 
> [root at vos-cm98 ~]# sealert -l e7c8894d-a508-430a-a594-da2a693e585f
> 
> Summary:
> 
> SELinux is preventing sshd (sshd_t) "execute" to /lib/libdl-2.5.so
> (lib_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by sshd. It is not expected that this
> access is
> required by sshd and this access may signal an intrusion attempt. It is
> also
> possible that the specific version or configuration of the application
> is
> causing it to require additional access.
> 
> Allowing Access:
> 
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore
> the default system file context for /lib/libdl-2.5.so,
> 
> restorecon -v '/lib/libdl-2.5.so'
> 
> If this does not work, there is currently no automatic way to allow this
> access.
> Instead, you can generate a local policy module to allow this access -
> see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:sshd_t:s0
> Target Context                system_u:object_r:lib_t:s0
> Target Objects                /lib/libdl-2.5.so [ file ]
> Source                        sshd
> Source Path                   /usr/sbin/sshd
> Port                          <Unknown>
> Host                          vos-cm98.cisco.com
> Source RPM Packages           openssh-server-4.3p2-36.el5
> Target RPM Packages           glibc-2.5-42
> Policy RPM                    selinux-policy-2.4.6-255.el5
> Selinux Enabled               True
> Policy Type                   strict
> MLS Enabled                   False
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     vos-cm98.cisco.com
> Platform                      Linux vos-cm98.cisco.com 2.6.18-160.el5PAE
> #1 SMP
>                               Mon Jul 27 17:45:11 EDT 2009 i686 i686
> Alert Count                   3
> First Seen                    Tue Sep 15 16:02:26 2009
> Last Seen                     Tue Sep 15 17:51:19 2009
> Local ID                      e7c8894d-a508-430a-a594-da2a693e585f
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=vos-cm98.cisco.com type=AVC msg=audit(1253062279.960:406): avc:
> denied  { execute } for  pid=4261 comm="sshd" path="/lib/libdl-2.5.so"
> dev=dm-0 ino=51413920 scontext=system_u:system_r:sshd_t
> tcontext=system_u:object_r:lib_t tclass=file
> 
> host=vos-cm98.cisco.com type=SYSCALL msg=audit(1253062279.960:406):
> arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=3078 a2=5 a3=802
> items=0 ppid=3119 pid=4261 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd"
> exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t key=(null)
> 
>    
> Thanks
> Anamitra
> 
> 
> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh at redhat.com] 
> Sent: Friday, September 11, 2009 1:49 PM
> To: Anamitra Dutta Majumdar (anmajumd)
> Subject: Re: Unconfining root user in strict policy mode
> 
> On 09/11/2009 04:34 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>  
>> We need a way to unconfine the root user with the strict policy being 
>> loaded in RHEL5.4. Currently with the strict policy the security 
>> context for root user is root:staff_r:staff_t.
>> Is there a way to do so.
>>
>>
>> Thanks
>> Anamitra & Radha
>>
>>
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
> There is no unconfined_t for Strict policy but you can set the root
> account to login as sysadm_t which is very close
> 
> You have to turn on the ssh_sysadm_login if you want to login via ssh as
> sysadm_t
> 
> And I think removing staff_r from the root account will set it up to login as
> sysadm_r
> 
> something like
> 
> # semanage user -m -R"sysadm_r system_r" root
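As an added example (not code from this thread, from Dan, or from the SELinux project), the following POSIX shell script is a pre-flight check for the steps discussed above: it confirms that ssh_sysadm_login is on, that root's SELinux user carries sysadm_r, that a relabel is not still pending, and it classifies a raw AVC record like the one in the sealert output. The parsing helpers take command output as text so they run on any host; the live checks at the bottom only execute when the RHEL5 tools (getsebool, semanage) are present and --live is given. The sample AVC line and the semanage user -l listing are constructed, and the semanage column layout is an assumption.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: checks for the three
# steps Dan lists (boolean persisted, root mapped to sysadm_r, relabel done).
# Helpers parse command output passed in as text; the live section at the
# end calls the real tools only when they exist and --live is requested.

# Reduce one raw AVC record to "permission scontext tcontext tclass".
avc_summary() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied *{ *\([a-z_]*\) *}.*scontext=\([^ ]*\) .*tcontext=\([^ ]*\) .*tclass=\([a-z_]*\).*/\1 \2 \3 \4/p'
}

# Type (third field) of a security context such as system_u:object_r:lib_t.
ctx_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# True when a getsebool line such as "ssh_sysadm_login --> on" reports on.
bool_on() {
    case "$1" in
        *"--> on") return 0 ;;
        *) return 1 ;;
    esac
}

# Roles listed for an SELinux user in `semanage user -l` output: the tokens
# ending in _r on that user's line (column layout is an assumption).
user_roles() {
    printf '%s\n' "$1" | awk -v u="$2" '
        $1 == u {
            r = ""
            for (i = 2; i <= NF; i++) if ($i ~ /_r$/) r = r (r == "" ? "" : " ") $i
            print r
        }'
}

# True when SELinux user $2 carries role $3 in the listing $1.
has_role() {
    case " $(user_roles "$1" "$2") " in
        *" $3 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a denial: an execute denial on a lib_t file is the pattern Dan
# attributes above to a missing relabel after switching to strict policy.
diagnose_avc() {
    set -- $(avc_summary "$1")
    # $1 permission, $2 scontext, $3 tcontext, $4 tclass
    if [ "$1" = execute ] && [ "$4" = file ] && [ "$(ctx_type "$3")" = lib_t ]; then
        echo "relabel-suspected"
    else
        echo "other"
    fi
}

# Constructed sample inputs, modelled on the sealert output in the thread.
SAMPLE_AVC='host=vos-cm98.cisco.com type=AVC msg=audit(1253062279.960:406): avc: denied  { execute } for  pid=4261 comm="sshd" path="/lib/libdl-2.5.so" dev=dm-0 ino=51413920 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:lib_t tclass=file'
SAMPLE_SEMANAGE='SELinux User    Prefix     MCS Level  MCS Range   SELinux Roles

root            user       s0         s0          sysadm_r system_r
staff_u         staff      s0         s0          staff_r sysadm_r'

# Live checks against the running system (RHEL5 tool names assumed).
if [ "${1:-}" = "--live" ] && command -v getsebool >/dev/null 2>&1; then
    bool_on "$(getsebool ssh_sysadm_login)" \
        && echo "ssh_sysadm_login: on" \
        || echo "ssh_sysadm_login: OFF (setsebool -P ssh_sysadm_login 1)"
    has_role "$(semanage user -l)" root sysadm_r \
        && echo "root: has sysadm_r" \
        || echo "root: lacks sysadm_r (semanage user -m -R \"sysadm_r system_r\" root)"
    [ -e /.autorelabel ] && echo "relabel pending at next boot"
fi
```

Run it as `sh check_sysadm_login.sh --live` on the box after the relabel; without --live it only defines the helpers, which is how the constructed samples above can be checked on a machine without SELinux.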
