[redhat-lspp] Problem SSH-ing into LSPP system with multiple categories
Kylene Jo Hall
kjhall at us.ibm.com
Fri Jan 26 22:42:03 UTC 2007
On Fri, 2007-01-26 at 17:31 -0500, Daniel J Walsh wrote:
> Kylene Jo Hall wrote:
> > More test data:
> >
> >
> > [root at rheal3a ~]# ssh testuser/user_r/s2:c0 at localhost
> > Password:
> > Last login: Fri Jan 26 14:55:13 2007 from rheal3a.endicott.ibm.com
> > -bash-3.1$ id
> > uid=501(testuser) gid=501(testuser) groups=501(testuser)
> > context=testuser_u:user_r:user_t:A
> > -bash-3.1$ exit
> > logout
> > Connection to localhost closed.
> > [root at rheal3a ~]# ssh testuser/user_r/s2:c1 at localhost
> > Password:
> > Last login: Fri Jan 26 14:55:29 2007 from rheal3a.endicott.ibm.com
> > -bash-3.1$ id
> > uid=501(testuser) gid=501(testuser) groups=501(testuser)
> > context=testuser_u:user_r:user_t:B
> > -bash-3.1$ exit
> > logout
> > Connection to localhost closed.
> > [root at rheal3a ~]# ssh testuser/user_r/s2:c3 at localhost
> > Password:
> > Last login: Fri Jan 26 14:55:40 2007 from rheal3a.endicott.ibm.com
> > -bash-3.1$ id
> > uid=501(testuser) gid=501(testuser) groups=501(testuser)
> > context=testuser_u:user_r:user_t:s2:c3
> > -bash-3.1$ quit
> > -bash: quit: command not found
> > -bash-3.1$ exit
> > logout
> > Connection to localhost closed.
> > [root at rheal3a ~]# ssh testuser/user_r/s2:c2 at localhost
> > Password:
> > Last login: Fri Jan 26 14:56:05 2007 from rheal3a.endicott.ibm.com
> > -bash-3.1$ ls
> > -bash-3.1$ id
> > uid=501(testuser) gid=501(testuser) groups=501(testuser)
> > context=testuser_u:user_r:user_t:s2:c2
> > -bash-3.1$ quit
> > -bash: quit: command not found
> > -bash-3.1$ exit
> > logout
> > Connection to localhost closed.
> > [root at rheal3a ~]# ssh testuser/user_r/s2:c2,c3 at localhost
> > Password:
> > Last login: Fri Jan 26 14:56:22 2007 from rheal3a.endicott.ibm.com
> > -bash-3.1$ id
> > uid=501(testuser) gid=501(testuser) groups=501(testuser)
> > context=testuser_u:user_r:user_t:s2:c2,c3
> > -bash-3.1$ exit
> > logout
> > Connection to localhost closed.
> > [root at rheal3a ~]#
> >
> >
> >
> > On Fri, 2007-01-26 at 12:54 -0800, Kylene Jo Hall wrote:
> >
> >> More test data:
> >>
> >> ssh testuer/user_r/s#:c0,c1 at localhost works for every value of # between
> >> 0 and 15 except 2.
> >>
> >> Thanks,
> >> Kylie
> >>
> >> On Fri, 2007-01-26 at 21:27 +0100, Tomas Mraz wrote:
> >>
> >>> On Fri, 2007-01-26 at 12:11 -0800, Kylene Jo Hall wrote:
> >>>
> >>>> I have been unable to ssh into an LSPP system with multiple categories.
> >>>>
> >>>> For example the following work:
> >>>> ssh testuser/user_r/s2 at localhost
> >>>> ssh testuser/user_r/s2:c0 at localhost
> >>>> ssh testuser/user_r/s2:c1 at localhost
> >>>>
> >>>> But these do not:
> >>>> ssh testuser/user_r/s2:c0.c1 at localhost
> >>>> ssh testuser/user_r/s2:c0,c1 at localhost
> >>>>
> >>>> Policy version: selinux-policy-mls-2.4.6-28.el5
> >>>> Kernel version: kernel-2.6.18-1.3015.2.1.el5.lspp.63
> >>>>
> >>>> We have tested this on multiple architectures to no avail. Any
> >>>> suggestions?
> >>>>
> >>> Could you modify LogLevel in /etc/ssh/sshd_config to DEBUG3 and look
> >>> into the /var/log/secure what messages are there when the login fails?
> >>>
> >>>
> >
> >
>
>
>
> I am not able to recreate this here.
>
> semanage user -l
> semanage login -l
> ps -eZ | grep ssh
>
[root at rheal3c framework]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles

abat_u          abat       SystemLow  SystemLow-SystemHigh  abat_r
root            sysadm     SystemLow  SystemLow-SystemHigh  sysadm_r staff_r secadm_r auditadm_r
staff_u         staff      SystemLow  SystemLow-SystemHigh  sysadm_r staff_r secadm_r auditadm_r
sysadm_u        sysadm     SystemLow  SystemLow-SystemHigh  sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh  system_r
testuser_u      user       SystemLow  SystemLow-SystemHigh  user_r
user_u          user       SystemLow  SystemLow             user_r
[root at rheal3c framework]# semanage login -l

Login Name      SELinux User    MLS/MCS Range

__default__     user_u          SystemLow
abat            abat_u          SystemLow-SystemHigh
ealuser         staff_u         SystemLow-SystemHigh
root            root            SystemLow-SystemHigh
system_u        system_u        SystemLow-SystemHigh
testuser        testuser_u      SystemLow-SystemHigh
[root at rheal3c framework]# ps -eZ | grep ssh
system_u:system_r:sshd_t:SystemLow-SystemHigh 1156 ? 00:00:00 sshd
system_u:system_r:sshd_t:SystemLow-SystemHigh 1240 ? 00:00:00 sshd
system_u:system_r:sshd_t:SystemLow-SystemHigh 1248 ? 00:00:01 sshd
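As an added illustration (not code from this thread, sshd or pam_selinux), here is a small Python checker that parses MLS levels written in the `user/role/level` ssh login syntax above and tests whether a requested level lies inside the range that `semanage login -l` grants a user; it assumes SystemLow = s0 and SystemHigh = s15:c0.c1023, values the thread does not state.

```python
import re

# Assumed translations (default MLS policy setrans.conf); the thread
# shows the names but not their raw values.
TRANSLATIONS = {"SystemLow": "s0", "SystemHigh": "s15:c0.c1023"}

def _cat(token: str) -> int:
    m = re.fullmatch(r"c(\d+)", token)
    if not m:
        raise ValueError(f"bad category: {token!r}")
    return int(m.group(1))

def parse_level(level: str):
    """Return (sensitivity, frozenset(categories)) for e.g. 's2:c0,c1' or
    's2:c0.c3' ('.' is an inclusive range, ',' a list; both may be mixed)."""
    level = TRANSLATIONS.get(level, level)
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    categories = set()
    for part in (cats.split(",") if cats else []):
        lo, _, hi = part.partition(".")
        a, b = _cat(lo), (_cat(hi) if hi else _cat(lo))
        if b < a:
            raise ValueError(f"bad category range: {part!r}")
        categories.update(range(a, b + 1))
    return int(m.group(1)), frozenset(categories)

def dominates(high, low) -> bool:
    """MLS dominance: sensitivity not lower and categories a superset."""
    return high[0] >= low[0] and high[1] >= low[1]

def level_in_range(level: str, mls_range: str) -> bool:
    """True when low <= level <= high for a 'low-high' range as printed by
    'semanage login -l' (a bare 'low' means low == high)."""
    low_s, _, high_s = mls_range.partition("-")
    low = parse_level(low_s)
    high = parse_level(high_s) if high_s else low
    lvl = parse_level(level)
    return dominates(lvl, low) and dominates(high, lvl)

if __name__ == "__main__":
    # Levels from the thread against testuser's and __default__'s ranges.
    for lvl in ("s2", "s2:c0", "s2:c0,c1", "s2:c0.c1", "s2:c2,c3"):
        print(lvl, level_in_range(lvl, "SystemLow-SystemHigh"),
              level_in_range(lvl, "SystemLow"))
```

Under these assumptions every level in the thread, including the failing s2:c0,c1, is inside testuser's SystemLow-SystemHigh range, so a plain range check does not account for the failure Kylene reports.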