Unconfining root user in strict policy mode
Anamitra Dutta Majumdar (anmajumd)
anmajumd at cisco.com
Wed Sep 16 00:58:50 UTC 2009
Hi Dan,
Thanks for your response.
We attempted to set ssh_sysadm_login to 1 in the booleans file for our strict policy. We also did a setsebool -P to turn on ssh_sysadm_login. We also modified the security context of the root user to root:sysadm_r:sysadm_t. We see a couple of issues now:
1. The value for ssh_sysadm_login is not persistent across reboots.
2. Even when ssh_sysadm_login is turned on we cannot login as root user.
The sealert messages seem to indicate the following. What else do we need to do to get it working?
[root at vos-cm98 ~]# sealert -l e7c8894d-a508-430a-a594-da2a693e585f
Summary:
SELinux is preventing sshd (sshd_t) "execute" to /lib/libdl-2.5.so (lib_t).
Detailed Description:
SELinux denied access requested by sshd. It is not expected that this access is required by sshd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /lib/libdl-2.5.so,
restorecon -v '/lib/libdl-2.5.so'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                system_u:system_r:sshd_t:s0
Target Context                system_u:object_r:lib_t:s0
Target Objects                /lib/libdl-2.5.so [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          vos-cm98.cisco.com
Source RPM Packages           openssh-server-4.3p2-36.el5
Target RPM Packages           glibc-2.5-42
Policy RPM                    selinux-policy-2.4.6-255.el5
Selinux Enabled               True
Policy Type                   strict
MLS Enabled                   False
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     vos-cm98.cisco.com
Platform                      Linux vos-cm98.cisco.com 2.6.18-160.el5PAE #1 SMP Mon Jul 27 17:45:11 EDT 2009 i686 i686
Alert Count                   3
First Seen                    Tue Sep 15 16:02:26 2009
Last Seen                     Tue Sep 15 17:51:19 2009
Local ID                      e7c8894d-a508-430a-a594-da2a693e585f
Line Numbers
Raw Audit Messages
host=vos-cm98.cisco.com type=AVC msg=audit(1253062279.960:406): avc: denied { execute } for pid=4261 comm="sshd" path="/lib/libdl-2.5.so" dev=dm-0 ino=51413920 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:lib_t tclass=file
host=vos-cm98.cisco.com type=SYSCALL msg=audit(1253062279.960:406): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=3078 a2=5 a3=802 items=0 ppid=3119 pid=4261 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t key=(null)
Thanks
Anamitra
-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh at redhat.com]
Sent: Friday, September 11, 2009 1:49 PM
To: Anamitra Dutta Majumdar (anmajumd)
Subject: Re: Unconfining root user in strict policy mode
On 09/11/2009 04:34 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>
> We need a way to unconfine the root user with the strict policy being
> loaded in RHEL5.4. Currently with the strict policy the security
> context for the root user is root:staff_r:staff_t.
> Is there a way to do so?
>
>
> Thanks
> Anamitra & Radha
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
There is no unconfined_t for strict policy, but you can set the root
account to login as sysadm_t, which is very close.
You have to turn on ssh_sysadm_login if you want to login via ssh as
sysadm_t.
And I think removing staff_r from the root account will set it up to login as
sysadm_r, something like
# semanage user -m -R "sysadm_r system_r" root
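The raw AVC and SYSCALL records from the sealert output above, decoded in Python. This is an added example, not part of the original thread and not SELinux's own tooling: it joins the two records by their audit event id, names the i386 syscall and the mmap2 protection and flag bits carried in a2/a3, and derives the allow rule that audit2allow would propose from the AVC. The lookup tables are deliberately limited to the values that appear in these two records.

```python
"""Decode the AVC/SYSCALL pair quoted in the sealert output above.

Added example; not part of the original mail or of the SELinux tools.
Records are copied from the mail with its line wrapping undone; the
lookup tables cover only the i386 values that appear in them."""
import re
import shlex

# The two raw audit messages from the mail, one record per string.
RAW_AUDIT = [
    'host=vos-cm98.cisco.com type=AVC msg=audit(1253062279.960:406): avc: '
    'denied { execute } for pid=4261 comm="sshd" path="/lib/libdl-2.5.so" '
    'dev=dm-0 ino=51413920 scontext=system_u:system_r:sshd_t '
    'tcontext=system_u:object_r:lib_t tclass=file',
    'host=vos-cm98.cisco.com type=SYSCALL msg=audit(1253062279.960:406): '
    'arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=3078 a2=5 a3=802 '
    'items=0 ppid=3119 pid=4261 auid=4294967295 uid=0 gid=0 euid=0 suid=0 '
    'fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" '
    'exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t key=(null)',
]

# Lookup tables limited to the i386 values this denial uses.
AUDIT_ARCH = {0x40000003: "i386"}
I386_SYSCALLS = {192: "mmap2"}
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_BITS = {0x02: "MAP_PRIVATE", 0x800: "MAP_DENYWRITE"}
ERRNO = {13: "EACCES"}

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
MSG_RE = re.compile(r"audit\(([\d.]+:\d+)\)")


def parse_record(line):
    """One audit record -> dict. shlex strips the quotes around values;
    the AVC verdict and permission set sit between braces, not in
    key=value form, so a regex pulls them out separately."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    m = MSG_RE.search(fields.get("msg", ""))
    fields["event"] = m.group(1) if m else None  # joins AVC to SYSCALL
    m = AVC_RE.search(line)
    if m:
        fields["verdict"], fields["perms"] = m.group(1), m.group(2).split()
    return fields


def decode_bits(value, table):
    """Name the bits of a flag word; bits not in the table stay as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    return names + ([hex(leftover)] if leftover else [])


def decode_denial(raw_lines):
    """Join the AVC record with the SYSCALL record of the same event."""
    recs = [parse_record(l) for l in raw_lines]
    avc = next(r for r in recs if r["type"] == "AVC")
    sc = next(r for r in recs
              if r["type"] == "SYSCALL" and r["event"] == avc["event"])
    arch, nr = int(sc["arch"], 16), int(sc["syscall"])
    out = {
        "event": avc["event"], "verdict": avc["verdict"], "perms": avc["perms"],
        "scontext": avc["scontext"], "tcontext": avc["tcontext"],
        "tclass": avc["tclass"], "path": avc.get("path"), "pid": int(avc["pid"]),
        "exe": sc["exe"], "arch": AUDIT_ARCH.get(arch, hex(arch)),
        "syscall": I386_SYSCALLS.get(nr, str(nr)),
        "errno": ERRNO.get(-int(sc["exit"]), sc["exit"]),
    }
    # a0..a3 are hex syscall arguments; for mmap2 they are
    # addr, length, prot, flags, so a2/a3 say what mapping was requested.
    if out["syscall"] == "mmap2":
        out["prot"] = decode_bits(int(sc["a2"], 16), PROT_BITS)
        out["flags"] = decode_bits(int(sc["a3"], 16), MAP_BITS)
    return out


def type_of(context):
    return context.split(":")[2]  # user:role:type[:level] -> type


def allow_rule(d):
    """The TE rule audit2allow would derive from this AVC. It is the last
    resort sealert lists: a mislabeled file yields the same denial, so check
    the label (restorecon) before shipping a rule that papers over it."""
    return "allow %s %s:%s { %s };" % (type_of(d["scontext"]),
                                        type_of(d["tcontext"]),
                                        d["tclass"], " ".join(d["perms"]))


if __name__ == "__main__":
    d = decode_denial(RAW_AUDIT)
    print("%(arch)s %(syscall)s by pid %(pid)d (%(exe)s): %(verdict)s "
          "%(perms)s on %(path)s, %(scontext)s -> %(tcontext)s" % d)
    print("prot=%s flags=%s errno=%s" % (d["prot"], d["flags"], d["errno"]))
    print(allow_rule(d))
```

Run stand-alone it reports that sshd (pid 4261, running as sshd_t) called mmap2 with PROT_READ|PROT_EXEC and MAP_PRIVATE|MAP_DENYWRITE on /lib/libdl-2.5.so, i.e. it was loading the library as executable code, and got EACCES because the execute permission on lib_t was denied; the derived rule is `allow sshd_t lib_t:file { execute };`. Check the file's label with restorecon, as the sealert text suggests, before considering such a rule.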