CentOS 5.4 + xinetd + sshd + SELinux issues

Daniel J Walsh dwalsh at redhat.com
Mon Jan 4 18:01:24 UTC 2010


On 12/31/2009 05:06 AM, Grzegorz Nosek wrote:
> Hi all,
> 
> I have a problem trying to run sshd via xinetd on a CentOS 5.4 system
> (I want to slap a tcpwrappers-style wrapper before sshd, so I need it
> that way).
> 
> In permissive mode I can log in/out with the following failures reported
> by audit2allow:
> 
> allow amanda_t consoletype_exec_t:file { execute execute_no_trans };
> allow amanda_t devpts_t:chr_file { write ioctl };
> allow amanda_t hostname_exec_t:file { execute execute_no_trans };
> allow amanda_t shell_exec_t:file entrypoint;
> 
> I don't even have amanda installed, so the context is clearly bogus.
> 
> After a chat on #fedora-selinux it seems that sshd cannot find its
> default context, so falls back to the first available one, which happens
> to be something:something:amanda_t (the list is read from /selinux/user).
> This operation is performed by sshd itself (as verified by strace).
> 
> I don't need Fort Knox type security but I'd like to use SELinux to
> tighten down other parts of the system, so I'd really like to use the
> enforcing mode.
> 
> Any hints? A good TFM to R will hopefully do.
> 
> Best regards,
>  Grzegorz Nosek
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 
This looks like you have a very screwed up system.

What domain is sshd running with?

ps -eZ | grep sshd

You could try a relabel

touch /.autorelabel; reboot

Which should get all the processes running in the correct domain.
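Daniel's `ps -eZ` check as a small added shell example (not from the thread): it parses constructed `ps -eZ` output and flags any sshd process whose SELinux domain is not sshd_t, which is exactly the amanda_t fallback Grzegorz describes.

```shell
#!/bin/sh
# Constructed sample of `ps -eZ` output (not captured from a real system).
# Columns: LABEL PID TTY TIME CMD; the third colon field of LABEL is the domain.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0          1 ?        00:00:01 init
system_u:system_r:xinetd_t:s0     1234 ?        00:00:00 xinetd
system_u:system_r:amanda_t:s0     2345 ?        00:00:00 sshd
system_u:system_r:sshd_t:s0       2346 ?        00:00:00 sshd'

# Print "<pid> <domain>" for every sshd process in the given ps -eZ output.
sshd_domains() {
    printf '%s\n' "$1" | awk '$NF == "sshd" { split($1, f, ":"); print $2, f[3] }'
}

# Return 0 if every sshd process is confined in sshd_t, 1 otherwise;
# the offending "<pid> <domain>" lines are printed for the admin.
check_sshd_confined() {
    bad=$(sshd_domains "$1" | awk '$2 != "sshd_t"')
    if [ -n "$bad" ]; then
        printf 'sshd running in an unexpected domain:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# On a live box run: check_sshd_confined "$(ps -eZ)"
```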