SELinux Mailing List

Re: ssh policy hassles

From: Dale Amon <amon_at_vnl.com>
Date: Sat, 27 Sep 2003 11:47:35 +0100


I'm still at work on the sshd problem. Just as a summary:

	kernel: 2.6.0-test5
	using devpts
	Russell Coker policy
	Colin's selinux experimental branch debian packages

Via the artifice of 
	/root/newrules.pl > /etc/selinux/domain/tmp.te
	make load

I've been able to get a copy of Colin's ssh source running with my own added debugging printout. I've (thus far) not been able to get sshd running under gdb with enforcing on so I can't get much of a look at the ephemeral /dev/pts.

I've captured the point of failure though, and am not sure why it should be so since it happens only with enforcing turned on:

# TEST 1 ENFORCE=1
#
# ssh refuses rhost authentication

Sep 27 11:10:30 cvs ssh(pam_unix)[515]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=scout.islandone.org user=root

# ssh accepts password as valid

Sep 27 11:10:37 cvs sshd[515]: Accepted password for root from 10.0.0.25 port 2968 ssh2

# ssh sets security context

Sep 27 11:10:37 cvs sshd[515]: default security context is root:staff_r:staff_t

# ssh has a pty now

Sep 27 11:10:37 cvs sshd[515]: setting tty /dev/pts/0 context to root:object_r:staff_devpts_t

# But it fails a test in sshpty.c where it does a stat on the file and compares the
# results of the stat. The failure is caused by st.gid = 0 instead of the expected 5.
# (DMA is a token on my debug statements)
Sep 27 11:10:37 cvs sshd[515]: fatal: DMA pty=/dev/pts/0 pwuid=0 stuid=0 gid=5 stgid=0

# We see further failures as it tries to release the pty
Sep 27 11:10:37 cvs sshd[515]: error: chown /dev/pts/0 0 0 failed: Permission denied
Sep 27 11:10:37 cvs sshd[515]: error: chmod /dev/pts/0 0666 failed: Permission denied

# TEST 1 ENFORCE=0
#
# First part is the same

Sep 27 11:32:45 cvs ssh(pam_unix)[559]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=scout.islandone.org user=root

Sep 27 11:32:50 cvs sshd[559]: Accepted password for root from 10.0.0.25 port 2982 ssh2
Sep 27 11:32:50 cvs sshd[559]: default security context is root:staff_r:staff_t
Sep 27 11:32:50 cvs sshd[559]: setting tty /dev/pts/0 context to root:object_r:staff_devpts_t

# But it succeeds and the session is good and the connection works.
Sep 27 11:32:50 cvs ssh(pam_unix)[559]: session opened for user root by (uid=0)
Sep 27 11:32:50 cvs sshd[561]: setting security context to root:staff_r:staff_t

Has anyone a suggestion as to what is happening? There are no avc's at this point so this looks like something deeper.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Sat 27 Sep 2003 - 06:47:48 EDT
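The failing step in the post is a plain stat() comparison: the slave pty is expected to be owned by the logging-in user and by the tty group (gid 5 on Debian), and when it is not, sshd falls back to chown/chmod, which is exactly what the enforcing-mode log shows being denied. The script below reproduces that check on a freshly allocated pty so the behaviour can be compared with enforcing on and off, and it also reads the devpts mount options, because on devpts a slave's initial group comes from the mount's gid= option (without it, the opener's primary gid is used) and the chown inside grantpt(3) is what normally moves it to the tty group. This is an added example, not part of the post and not OpenSSH's sshpty.c; it assumes a Linux host, a group named "tty", a devpts mount listed in /proc/mounts, and the 0620/0666 modes seen in the log. The sample /proc/mounts text is constructed.

```python
"""Reproduce the pty ownership check described in the post on a live pty.

Added example, not OpenSSH code. Assumptions: Linux, a group named "tty",
devpts listed in /proc/mounts, sshd's 0620 (in use) and 0666 (released) modes.
"""
import grp
import os
import pwd
import stat

TTY_GROUP = "tty"  # assumption: the group sshd wants on an allocated slave

# Constructed sample of /proc/mounts, not captured from the poster's host.
SAMPLE_MOUNTS = (
    "proc /proc proc rw,relatime 0 0\n"
    "devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0\n"
)


def check_pty_owner(st_uid, st_gid, want_uid, want_gid):
    """Return the mismatches sshd would see after stat()ing the slave.

    An empty list means the slave already has the expected uid and gid.
    With the values from the post (stuid=0 stgid=0, pwuid=0 gid=5) this
    returns ["gid 0 != 5"].
    """
    problems = []
    if st_uid != want_uid:
        problems.append("uid %d != %d" % (st_uid, want_uid))
    if st_gid != want_gid:
        problems.append("gid %d != %d" % (st_gid, want_gid))
    return problems


def parse_devpts_options(mounts_text):
    """Extract mountpoint, gid= and mode= of the devpts mount from /proc/mounts text.

    Returns None when no devpts mount is listed; gid/mode are None when the
    option is absent (new slaves then get the opener's gid and mode 0600).
    """
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "devpts":
            opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
            return {
                "mountpoint": fields[1],
                "gid": int(opts["gid"]) if "gid" in opts else None,
                "mode": int(opts["mode"], 8) if "mode" in opts else None,
            }
    return None


def expected_tty_gid(pw):
    """Group sshd wants on the slave: tty if it exists, else the user's own gid."""
    try:
        return grp.getgrnam(TTY_GROUP).gr_gid
    except KeyError:
        return pw.pw_gid


def _attempt(result, label, call, *args):
    """Run one chown/chmod as sshd would and record a denial instead of dying."""
    try:
        call(*args)
    except OSError as e:
        result["errors"].append("%s %s %s: %s" % (label, call.__name__, args, e.strerror))


def probe_live_pty():
    """Allocate a pty with openpty(3), stat the slave and run sshd's steps on it.

    Returns a dict with the observed owner, the wanted owner, the mismatches,
    and any chown/chmod errors from the set-owner and release paths.
    """
    master, slave = os.openpty()
    try:
        path = os.ttyname(slave)
        st = os.fstat(slave)
        pw = pwd.getpwuid(os.getuid())
        want_gid = expected_tty_gid(pw)
        result = {
            "pty": path,
            "observed": (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)),
            "wanted": (pw.pw_uid, want_gid, 0o620),
            "mismatch": check_pty_owner(st.st_uid, st.st_gid, pw.pw_uid, want_gid),
            "errors": [],
        }
        if result["mismatch"]:  # set-owner path: what sshd does when stat() disagrees
            _attempt(result, "setowner", os.chown, path, pw.pw_uid, want_gid)
            _attempt(result, "setowner", os.chmod, path, 0o620)
        # release path, as in the post's log: hand the slave back as root:root 0666
        _attempt(result, "release", os.chown, path, 0, 0)
        _attempt(result, "release", os.chmod, path, 0o666)
        return result
    finally:
        os.close(slave)
        os.close(master)


if __name__ == "__main__":
    try:
        with open("/proc/mounts") as f:
            mounts = f.read()
    except OSError:
        mounts = SAMPLE_MOUNTS
    print("devpts:", parse_devpts_options(mounts))
    for key, value in probe_live_pty().items():
        print("%-9s %s" % (key, value))
```

Run it as root once in enforcing and once in permissive mode and compare the "mismatch" and "errors" lines: a gid that is already wrong before any chown, together with a denied setowner chown, points at the slave's initial ownership (the devpts gid= option and grantpt's chown) rather than at sshd's own check.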
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009
National Security Agency / Central Security Service