ssh root login -> root:system_r:system_chkpwd_t !?
Hi,

    make.profile -> ../usr/portage/profiles/selinux/2007.0/amd64

Running 2.6.23.13 in non-enforcing mode, targeted policy.

    system_u:system_r:sshd_t root sshd: root@pts/0
    root:system_r:system_chkpwd_t root pts/0 00:00:00 -bash

The first denials:

    [ 140.780441] inode_doinit_with_dentry: context_to_sid(root:object_r:staff_tmpfs_t) returned 22 for dev=md2 ino=961000
    [ 265.282465] audit(1200225126.688:46): avc: denied { entrypoint } for pid=6208 comm="sshd" path="/bin/bash" dev=md0 ino=49189 scontext=root:system_r:system_chkpwd_t tcontext=system_u:object_r:shell_exec_t tclass=file
    [ 265.282727] audit(1200225126.688:47): avc: denied { read write } for pid=6208 comm="bash" name="0" dev=devpts ino=2 scontext=root:system_r:system_chkpwd_t tcontext=root:object_r:sshd_devpts_t tclass=chr_file

Any ideas?

Also, was getting some denials because /lib was not labeled:

    lrwxrwxrwx root root system_u:object_r:default_t /lib -> lib64

I had to add this to file_contexts:

    /lib -l system_u:object_r:lib_t

How come?

Cheers
Antoine
--
gentoo-hardened@lists.gentoo.org mailing list