Unconfining root user in strict policy mode

Anamitra Dutta Majumdar (anmajumd) anmajumd at cisco.com
Wed Sep 16 00:58:50 UTC 2009


Hi Dan,

Thanks for your response.

We attempted to set ssh_sysadm_login to 1 in the booleans file for our
strict policy. We also did a setsebool -P to turn on ssh_sysadm_login.
We also modified the security context of the root user to
root:sysadm_r:sysadm_t. We see a couple of issues now:

1. The value for ssh_sysadm_login is not persistent across reboots.
2. Even when ssh_sysadm_login is turned on we cannot log in as the root
user.

The sealert message seems to indicate the following. What else do we
need to do to get it working?

[root at vos-cm98 ~]# sealert -l e7c8894d-a508-430a-a594-da2a693e585f

Summary:

SELinux is preventing sshd (sshd_t) "execute" to /lib/libdl-2.5.so
(lib_t).

Detailed Description:

SELinux denied access requested by sshd. It is not expected that this
access is required by sshd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /lib/libdl-2.5.so,

restorecon -v '/lib/libdl-2.5.so'

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:sshd_t:s0
Target Context                system_u:object_r:lib_t:s0
Target Objects                /lib/libdl-2.5.so [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          vos-cm98.cisco.com
Source RPM Packages           openssh-server-4.3p2-36.el5
Target RPM Packages           glibc-2.5-42
Policy RPM                    selinux-policy-2.4.6-255.el5
Selinux Enabled               True
Policy Type                   strict
MLS Enabled                   False
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     vos-cm98.cisco.com
Platform                      Linux vos-cm98.cisco.com 2.6.18-160.el5PAE #1 SMP Mon Jul 27 17:45:11 EDT 2009 i686 i686
Alert Count                   3
First Seen                    Tue Sep 15 16:02:26 2009
Last Seen                     Tue Sep 15 17:51:19 2009
Local ID                      e7c8894d-a508-430a-a594-da2a693e585f
Line Numbers                  

Raw Audit Messages            

host=vos-cm98.cisco.com type=AVC msg=audit(1253062279.960:406): avc:
denied  { execute } for  pid=4261 comm="sshd" path="/lib/libdl-2.5.so"
dev=dm-0 ino=51413920 scontext=system_u:system_r:sshd_t
tcontext=system_u:object_r:lib_t tclass=file

host=vos-cm98.cisco.com type=SYSCALL msg=audit(1253062279.960:406):
arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=3078 a2=5 a3=802
items=0 ppid=3119 pid=4261 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd"
exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t key=(null)

Thanks
Anamitra


-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh at redhat.com] 
Sent: Friday, September 11, 2009 1:49 PM
To: Anamitra Dutta Majumdar (anmajumd)
Subject: Re: Unconfining root user in strict policy mode

On 09/11/2009 04:34 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>  
> We need a way to unconfine the root user with the strict policy being 
> loaded in RHEL5.4. Currently with the strict policy the security 
> context for root user is root:staff_r:staff_t.
> Is there a way to do so.
> 
> 
> Thanks
> Anamitra & Radha
> 
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 
There is no unconfined_t for strict policy, but you can set the root
account to log in as sysadm_t, which is very close.

You have to turn on ssh_sysadm_login if you want to log in via ssh as
sysadm_t.

And I think removing staff_r from the root account will set it up to log
in as sysadm_r.

Something like:

# semanage user -m -R "sysadm_r system_r" root
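The raw audit messages quoted in the message above are an AVC record and a SYSCALL record that share one audit serial (the `406` in `msg=audit(1253062279.960:406)`). As an added example, not code from this thread, the Python below joins the two records on that serial and summarises the denial, using those two lines as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample input: the two audit records quoted in the message above.
RAW_AUDIT = """\
host=vos-cm98.cisco.com type=AVC msg=audit(1253062279.960:406): avc: denied  { execute } for  pid=4261 comm="sshd" path="/lib/libdl-2.5.so" dev=dm-0 ino=51413920 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:lib_t tclass=file
host=vos-cm98.cisco.com type=SYSCALL msg=audit(1253062279.960:406): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=3078 a2=5 a3=802 items=0 ppid=3119 pid=4261 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t key=(null)
"""

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
# key=value pairs: quoted strings, (none)/(null) style values, or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
PERM_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}")

def parse_record(line):
    """Split one audit line into a dict of fields plus its serial and timestamp."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    rec = {"timestamp": m.group(1), "serial": m.group(2)}
    for key, val in KV_RE.findall(line):
        rec[key] = val.strip('"')
    p = PERM_RE.search(line)
    if p:  # only AVC records carry the verdict and permission set
        rec["verdict"] = p.group(1)
        rec["perms"] = p.group(2).split()
    return rec

def join_by_serial(text):
    """Group records by audit serial, keyed by record type (AVC, SYSCALL, ...)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec
    return events

def summarize(event):
    """Report which source domain was denied which permission on which object."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    return {
        "verdict": avc["verdict"], "perms": avc["perms"],
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "tclass": avc["tclass"], "path": avc.get("path"),
        "exe": sc.get("exe"), "uid": sc.get("uid"), "success": sc.get("success"),
    }

if __name__ == "__main__":
    for serial, ev in join_by_serial(RAW_AUDIT).items():
        print(serial, summarize(ev))
```

The joined record shows the call failed (success=no, exit=-13) for uid 0, i.e. the denial was enforced regardless of root's DAC privilege.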
