[redhat-lspp] Problem SSH-ing into LSPP system with multiple categories

Kylene Jo Hall kjhall at us.ibm.com
Fri Jan 26 22:42:03 UTC 2007


On Fri, 2007-01-26 at 17:31 -0500, Daniel J Walsh wrote:
> Kylene Jo Hall wrote:
> > More test data:
> >
> >
> > [root at rheal3a ~]# ssh testuser/user_r/s2:c0 at localhost
> > Password:
> > Last login: Fri Jan 26 14:55:13 2007 from rheal3a.endicott.ibm.com
> > -bash-3.1$ id
> > uid=501(testuser) gid=501(testuser) groups=501(testuser)
> > context=testuser_u:user_r:user_t:A
> > -bash-3.1$ exit
> > logout
> > Connection to localhost closed.
> > [root at rheal3a ~]# ssh testuser/user_r/s2:c1 at localhost
> > Password:
> > Last login: Fri Jan 26 14:55:29 2007 from rheal3a.endicott.ibm.com
> > -bash-3.1$ id
> > uid=501(testuser) gid=501(testuser) groups=501(testuser)
> > context=testuser_u:user_r:user_t:B
> > -bash-3.1$ exit
> > logout
> > Connection to localhost closed.
> > [root at rheal3a ~]# ssh testuser/user_r/s2:c3 at localhost
> > Password:
> > Last login: Fri Jan 26 14:55:40 2007 from rheal3a.endicott.ibm.com
> > -bash-3.1$ id
> > uid=501(testuser) gid=501(testuser) groups=501(testuser)
> > context=testuser_u:user_r:user_t:s2:c3
> > -bash-3.1$ quit
> > -bash: quit: command not found
> > -bash-3.1$ exit
> > logout
> > Connection to localhost closed.
> > [root at rheal3a ~]# ssh testuser/user_r/s2:c2 at localhost
> > Password:
> > Last login: Fri Jan 26 14:56:05 2007 from rheal3a.endicott.ibm.com
> > -bash-3.1$ ls
> > -bash-3.1$ id
> > uid=501(testuser) gid=501(testuser) groups=501(testuser)
> > context=testuser_u:user_r:user_t:s2:c2
> > -bash-3.1$ quit
> > -bash: quit: command not found
> > -bash-3.1$ exit
> > logout
> > Connection to localhost closed.
> > [root at rheal3a ~]# ssh testuser/user_r/s2:c2,c3 at localhost
> > Password:
> > Last login: Fri Jan 26 14:56:22 2007 from rheal3a.endicott.ibm.com
> > -bash-3.1$ id
> > uid=501(testuser) gid=501(testuser) groups=501(testuser)
> > context=testuser_u:user_r:user_t:s2:c2,c3
> > -bash-3.1$ exit
> > logout
> > Connection to localhost closed.
> > [root at rheal3a ~]#
> >
> >
> >
> > On Fri, 2007-01-26 at 12:54 -0800, Kylene Jo Hall wrote:
> >   
> >> More test data:
> >>
> >> ssh testuer/user_r/s#:c0,c1 at localhost works for every value of # between
> >> 0 and 15 except 2.
> >>
> >> Thanks,
> >> Kylie
> >>
> >> On Fri, 2007-01-26 at 21:27 +0100, Tomas Mraz wrote:
> >>     
> >>> On Fri, 2007-01-26 at 12:11 -0800, Kylene Jo Hall wrote:
> >>>       
> >>>> I have been unable to ssh into an LSPP system with multiple categories.
> >>>>
> >>>> For example the following work:
> >>>> ssh testuser/user_r/s2 at localhost
> >>>> ssh testuser/user_r/s2:c0 at localhost
> >>>> ssh testuser/user_r/s2:c1 at localhost
> >>>>
> >>>> But these do not:
> >>>> ssh testuser/user_r/s2:c0.c1 at localhost
> >>>> ssh testuser/user_r/s2:c0,c1 at localhost
> >>>>
> >>>> Policy version: selinux-policy-mls-2.4.6-28.el5
> >>>> Kernel version: kernel-2.6.18-1.3015.2.1.el5.lspp.63
> >>>>
> >>>> We have tested this on multiple architectures to no avail.  Any
> >>>> suggestions?
> >>>>         
> >>> Could you modify LogLevel in /etc/ssh/sshd_config to DEBUG3 and look
> >>> into the /var/log/secure what messages are there when the login fails?
> >>>
> >>>       
> >
> >   
> 
> 
> 
> I am not able to recreate this here.
> 
> semanage user -l
> semanage login -l
> ps -eZ | grep ssh
> 
[root at rheal3c framework]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range
SELinux Roles

abat_u          abat       SystemLow  SystemLow-SystemHigh
abat_r
root            sysadm     SystemLow  SystemLow-SystemHigh
sysadm_r staff_r secadm_r auditadm_r
staff_u         staff      SystemLow  SystemLow-SystemHigh
sysadm_r staff_r secadm_r auditadm_r
sysadm_u        sysadm     SystemLow  SystemLow-SystemHigh
sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh
system_r
testuser_u      user       SystemLow  SystemLow-SystemHigh
user_r
user_u          user       SystemLow  SystemLow
user_r
[root at rheal3c framework]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    SystemLow
abat                      abat_u                    SystemLow-SystemHigh
ealuser                   staff_u                   SystemLow-SystemHigh
root                      root                      SystemLow-SystemHigh
system_u                  system_u                  SystemLow-SystemHigh
testuser                  testuser_u                SystemLow-SystemHigh
[root at rheal3c framework]# ps -eZ | grep ssh
system_u:system_r:sshd_t:SystemLow-SystemHigh 1156 ? 00:00:00 sshd
system_u:system_r:sshd_t:SystemLow-SystemHigh 1240 ? 00:00:00 sshd
system_u:system_r:sshd_t:SystemLow-SystemHigh 1248 ? 00:00:01 sshd
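A checker for the user/role/level login syntax and the MLS level notation used in the sessions above (an added example, not code from this thread, OpenSSH or the SELinux tools); it assumes SystemLow = s0 and SystemHigh = s15:c0.c1023, which is an assumption about this policy's setrans definitions, and the sample login specs are constructed from the thread.

```python
# Added example: parse 'user/role/level' login specs and MLS levels such as
# 's2:c0,c1' (category list) or 's2:c0.c1' (category range), then check whether
# the requested level lies inside the range semanage assigned to the login.
import re

# Assumption: SystemLow/SystemHigh as the stock MLS policy setrans defines them.
ALIASES = {"SystemLow": "s0", "SystemHigh": "s15:c0.c1023"}

def parse_level(level):
    """Return (sensitivity, frozenset of categories) for e.g. 's2:c0,c1' or 's2:c0.c3'."""
    level = ALIASES.get(level, level)
    m = re.fullmatch(r"s(\d+)(?::(.*))?", level)
    if not m:
        raise ValueError(f"bad MLS level: {level!r}")
    sens, cats = int(m.group(1)), set()
    for part in filter(None, (m.group(2) or "").split(",")):
        r = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not r:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(r.group(1))
        hi = int(r.group(2)) if r.group(2) else lo  # 'c0.c3' means c0 through c3
        if hi < lo:
            raise ValueError(f"inverted category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return sens, frozenset(cats)

def dominates(a, b):
    """a dominates b when its sensitivity is >= b's and its categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def parse_login(name):
    """Split 'testuser/user_r/s2:c0,c1' into (user, role, level); role/level may be absent."""
    parts = name.split("/")
    if not 1 <= len(parts) <= 3 or not all(parts):
        raise ValueError(f"bad login spec: {name!r}")
    user, role, level = (parts + [None, None])[:3]
    return user, role, (parse_level(level) if level else None)

def level_in_range(level, rng):
    """True when level lies within a 'low-high' (or single-level) MLS range."""
    low, _, high = rng.partition("-")
    lo, hi = parse_level(low), parse_level(high or low)
    return dominates(level, lo) and dominates(hi, level)

if __name__ == "__main__":
    # Constructed from the thread: semanage login -l gives testuser SystemLow-SystemHigh.
    for spec in ("testuser/user_r/s2:c0", "testuser/user_r/s2:c0,c1", "testuser/user_r/s2:c0.c1"):
        user, role, lvl = parse_login(spec)
        print(spec, "->", user, role, lvl, "in range:", level_in_range(lvl, "SystemLow-SystemHigh"))
```

All three requested levels fall inside testuser's assigned range, so syntax and range dominance are not what separates the working and failing logins; the DEBUG3 sshd log suggested earlier in the thread is where the remaining difference would show.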