Research
Skip Research Menus
Research MenuSecurity Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links |
SELinux Mailing ListRe: ssh policy hassles
From: Dale Amon <amon_at_vnl.com>
Date: Sat, 27 Sep 2003 11:47:35 +0100
kernel: 2.6.0-test5 using devpts Russell Coker policy Colin's selinux experimental branch debian packages Via the artifice of /root/newrules.pl > /etc/selinux/domain/tmp.te make load I've been able to get a copy of Colin's ssh source running with my own added debugging printout. I've (thus far) not been able to get sshd running under gdb with enforcing on so I can't get much of a look at the ephemeral /dev/pts. I've captured the point of failure though, and am not sure why it should be so since it happens only with enforcing turned on:
# TEST 1 ENFORCE=1
# ssh accepts password as valid
# ssh sets security context
# ssh has a pty now
# But it fails a test in sshpty.c where it does a stat on the file and compares the
# We see further failures as it tries to release the pty
# TEST 1 ENFORCE=0 Sep 27 11:32:50 cvs sshd[559]: Accepted password for root from 10.0.0.25 port 2982 ssh2 Sep 27 11:32:50 cvs sshd[559]: default security context is root:staff_r:staff_t Sep 27 11:32:50 cvs sshd[559]: setting tty /dev/pts/0 context to root:object_r:staff_devpts_t
# But it succeeds and the session is good and the connection works. Has anyone a suggestion as to what is happening? There are no avc's at this point so this looks like something deeper. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Sat 27 Sep 2003 - 06:47:48 EDT |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |