Thread: OpenSSH update goes wrong (SELinux)

Subject: OpenSSH update goes wrong (SELinux)
Date: 2006-09-22 12:00:47
On Thu, Sep 21, 2006 at 07:56:36PM +0200, Jan V wrote:
> Hi there,
>
> Kernel: 2.6.16-hardened-r10
> Policy version: 20
>
> After upgrading net-misc/openssh-4.3_p2-1 to net-misc/openssh-4.3_p2-r3
> and restarting the sshd daemon the login won't work anymore. It seems
> that ssh doesn't switch the incoming user into staff_r anymore and SE
> throws audits.
>
> Anybody experienced that too?

True. Both the selinux patch and the ebuild need to be fixed.
Please open a bug report.

cheers,
peter
--
petre rodan
<kaiowas gentoo.org>
Developer,
Hardened Gentoo Linux
Subject: newrole -r selinux problem
Date: 2006-09-22 14:10:47
Hello all,

I want to ask you for help.

I have a problem with my selinux gentoo. The cron isn't functioning.

18:20:36 gentoo64 syslog-ng[14808]: STATS: dropped 0

I googled it and I found that it's a problem with permissions. When I tried
to log in to my system and then su - to root, there was no problem and I'm in
these groups:

uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),16(cron),20(dialout),26(tape),27(video)
context=user_u:user_r:user_t

but if I try newrole -r sysadm_r it's not working:

newrole -r sysadm_r
Authenticating root.
Password:
user_u:sysadm_r:sysadm_t is not a valid context

But if I log on to my system with the keyboard console and directly as root,
the system asks me if I want to choose a different selinux profile and I'm
able to switch to the sysadm_r role.

So please, can someone help me with cron and with the selinux roles?

Thank you
Stanke stankox.eu
--
gentoo-hardened gentoo.org mailing list
Subject: newrole -r selinux problem
Date: 2006-09-22 14:38:07
On Fri, Sep 22, 2006 at 04:10:47PM +0200, stanke wrote:
> Hello all
>
> I want to ask you for help.
>
> I have a problem with my selinux gentoo. The cron isn't functioning.
> 18:20:36 gentoo64 syslog-ng[14808]: STATS: dropped 0
>
> I googled it and I found that it's a problem with permissions. When I
> tried to log in to my system and then su - to root, there was no problem
> and I'm in these groups
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),16(cron),20(dialout),26(tape),27(video)
> context=user_u:user_r:user_t
> but if I try newrole -r sysadm_r it's not working
> newrole -r sysadm_r
> Authenticating root.
> Password:
> user_u:sysadm_r:sysadm_t is not a valid context

The policy does not allow a role transition from user_r to sysadm_r.
So that's why su can't work.

> But if I log on to my system with the keyboard console and directly as
> root, the system asks me if I want to choose a different selinux profile
> and I'm able to switch to the sysadm_r role.

Here the source role for the transition is different: login can
transition to user_r, as well as sysadm_r.

> So please can someone help me with cron and with the selinux roles.

Sorry, don't know how to fix the cron thing...

> Thank you
Subject: newrole -r selinux problem
Date: 2006-09-22 15:06:02
>> Authenticating root.
>> Password:
>> user_u:sysadm_r:sysadm_t is not a valid context
>
> The policy does not allow a role transition from user_r to sysadm_r.
> So that's why su can't work.

The solution in this case is to make sure that when you login as root
you get into sysadm_u:sysadm_r:sysadm_t or another context which does
allow the transition to sysadm. Setting the default for ssh is fairly
well documented.

> Sorry, don't know how to fix the cron thing...

Clarify the problem and we may be able to help.

Antoine
Subject: newrole -r selinux problem
Date: 2006-09-22 14:49:38
Antoine Martin wrote:
>>> Authenticating root.
>>> Password:
>>> user_u:sysadm_r:sysadm_t is not a valid context
>>>
>> The policy does not allow a role transition from user_r to sysadm_r.
>> So that's why su can't work.
>>
> The solution in this case is to make sure that when you login as root
> you get into sysadm_u:sysadm_r:sysadm_t or another context which does
> allow the transition to sysadm. Setting the default for ssh is fairly
> well documented.
>
>> Sorry, don't know how to fix the cron thing...
>>
> Clarify the problem and we may be able to help.
>
> Antoine

Thanks for the help. Could you please send me some links to manuals? I
googled it (probably wrong) but I didn't find anything useful.

Thanks a lot
Subject: newrole -r selinux problem
Date: 2006-09-22 16:30:19
>>> The policy does not allow a role transition from user_r to sysadm_r.
>>> So that's why su can't work.
>>>
>> The solution in this case is to make sure that when you login as root
>> you get into sysadm_u:sysadm_r:sysadm_t or another context which does
>> allow the transition to sysadm. Setting the default for ssh is fairly
>> well documented.
>
> Thanks for the help. Could you please send me some links to manuals? I
> googled it (probably wrong) but I didn't find anything useful.

/etc/security/default_contexts
is what you're looking for.

Antoine
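The mechanism Antoine points at, as an added example that is not part of this thread and is not libselinux code: a small Python model of how a login program (local login on the console, sshd over the network) picks a user's initial context from /etc/security/default_contexts. The file contents and the identity-to-roles table are constructed for the example; the rule modelled is the documented one, where the login process's role:type selects a line and the first candidate role:type on that line whose role the SELinux identity is authorised for wins. In the model a context is valid only when the identity is authorised for its role, which is one way to end up with exactly "user_u:sysadm_r:sysadm_t is not a valid context": an identity that only holds user_r cannot reach sysadm_r no matter how the file is ordered, while an identity that holds sysadm_r gets it as soon as it is listed first for the login process in use. Real libselinux additionally validates every candidate against the loaded policy, which the model skips.

```python
"""Model of /etc/security/default_contexts selection.

Added example, not libselinux. The file contents and the identity -> roles
table are constructed for the demonstration.
"""

# Constructed default_contexts in the non-MLS "role:type" form: the login
# process's role:type on the left, then candidate role:type pairs in order
# of preference.
DEFAULT_CONTEXTS = """\
# login process          candidates, most preferred first
system_r:local_login_t   sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
system_r:sshd_t          user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:remote_login_t  user_r:user_t
"""

# Constructed identity -> authorised roles table. In a monolithic strict
# policy this information comes from `user <name> roles { ... };`.
IDENTITY_ROLES = {
    "user_u": {"user_r"},
    "root": {"staff_r", "sysadm_r"},
}


def parse_default_contexts(text):
    """Return {login_process_role_type: [candidate role:type, ...]}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        source, *candidates = line.split()
        table[source] = candidates
    return table


def split_context(ctx):
    """'user:role:type' -> (user, role, type); rejects malformed input."""
    parts = ctx.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected user:role:type, got {ctx!r}")
    return tuple(parts)


def is_valid_context(ctx, identity_roles=IDENTITY_ROLES):
    """The check behind 'X is not a valid context' in this model: the
    identity must be authorised for the role named in the context."""
    user, role, _ = split_context(ctx)
    return role in identity_roles.get(user, set())


def choose_login_context(identity, login_process, table,
                         identity_roles=IDENTITY_ROLES):
    """First candidate on the login process's line that is valid for the
    identity, or None when no candidate is usable."""
    key = ":".join(split_context(login_process)[1:])   # role:type only
    for cand in table.get(key, []):
        role, type_ = cand.split(":", 1)
        ctx = f"{identity}:{role}:{type_}"
        if is_valid_context(ctx, identity_roles):
            return ctx
    return None


def demo():
    """Reproduce the thread's observations against the constructed data."""
    table = parse_default_contexts(DEFAULT_CONTEXTS)
    sshd = "system_u:system_r:sshd_t"
    console = "system_u:system_r:local_login_t"
    # The ssh fix: put sysadm_r:sysadm_t first on the sshd line.
    reordered = dict(table)
    reordered["system_r:sshd_t"] = ["sysadm_r:sysadm_t"] + [
        c for c in table["system_r:sshd_t"] if c != "sysadm_r:sysadm_t"]
    return {
        # root mapped to user_u over ssh: the poster's situation
        "user_u via ssh": choose_login_context("user_u", sshd, table),
        # the same identity on the console still cannot reach sysadm_r
        "user_u via console": choose_login_context("user_u", console, table),
        # an identity that holds sysadm_r gets whatever the line prefers
        "root via ssh": choose_login_context("root", sshd, table),
        "root via ssh, sysadm_r first": choose_login_context("root", sshd, reordered),
        "root via console": choose_login_context("root", console, table),
        # what `newrole -r sysadm_r` asked for, checked against the identity
        "user_u:sysadm_r:sysadm_t valid": is_valid_context("user_u:sysadm_r:sysadm_t"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Running the block prints the five selections and the validity check; the two things to take away are that the order of candidates on the sshd line only matters for an identity that is authorised for the preferred role, and that a root shell whose context shows `user_u` needs its identity mapping fixed before any edit to default_contexts can help.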
Subject: newrole -r selinux problem
Date: 2006-09-25 03:34:06
Hello

Thanks for the help, I solved my problem with user_r and sysadm_r, it's
working ok now, but I still have a problem with my cron.
Everything (probably) useful I can find in the logs is below.

Could someone please help me or show me the right way I should go?

Thank you

Sep 25 05:23:01 gentoo64 cron[24435]: (root) ENTRYPOINT FAILED (crontabs/root)

Sep 25 05:21:53 gentoo64 audit(1159154513.832:8048): avc: denied { search } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8049): avc: denied { write } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8050): avc: denied { add_name } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8051): avc: denied { create } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=tester:object_r:unlabeled_t tclass=file
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8052): avc: denied { associate } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:object_r:unlabeled_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8053): avc: denied { setattr } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8054): avc: denied { getattr } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:21:53 gentoo64 audit(1159154513.844:8055): avc: denied { write } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:22:02 gentoo64 audit(1159154522.949:8056): avc: denied { read } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:22:02 gentoo64 audit(1159154522.949:8057): avc: denied { remove_name } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:22:02 gentoo64 audit(1159154522.949:8058): avc: denied { unlink } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Antoine Martin wrote:
>>>> The policy does not allow a role transition from user_r to sysadm_r.
>>>> So that's why su can't work.
>>>>
>>> The solution in this case is to make sure that when you login as root
>>> you get into sysadm_u:sysadm_r:sysadm_t or another context which does
>>> allow the transition to sysadm. Setting the default for ssh is fairly
>>> well documented.
>>>
>> Thanks for the help. Could you please send me some links to manuals? I
>> googled it (probably wrong) but I didn't find anything useful.
>>
> /etc/security/default_contexts
> is what you're looking for.
>
> Antoine
Subject: newrole -r selinux problem
Date: 2006-09-25 08:39:59
It appears that several of your cron-related files are not labeled.
Furthermore, the temp files cron is creating are not being labeled when
they are generated. Check to see that you have
sec-policy/selinux-vixie-cron installed and try doing 'make relabel'.
stanke wrote:
> Hello
>
> Thanks for the help, I solved my problem with user_r and sysadm_r, it's
> working ok now, but I still have a problem with my cron.
> Everything (probably) useful I can find in the logs is below.
>
> Could someone please help me or show me the right way I should go?
>
> Thank you
>
> Sep 25 05:23:01 gentoo64 cron[24435]: (root) ENTRYPOINT FAILED (crontabs/root)
>
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8048): avc: denied { search } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8049): avc: denied { write } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8050): avc: denied { add_name } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8051): avc: denied { create } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=tester:object_r:unlabeled_t tclass=file
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8052): avc: denied { associate } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:object_r:unlabeled_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8053): avc: denied { setattr } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8054): avc: denied { getattr } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
> Sep 25 05:21:53 gentoo64 audit(1159154513.844:8055): avc: denied { write } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
> Sep 25 05:22:02 gentoo64 audit(1159154522.949:8056): avc: denied { read } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
> Sep 25 05:22:02 gentoo64 audit(1159154522.949:8057): avc: denied { remove_name } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
> Sep 25 05:22:02 gentoo64 audit(1159154522.949:8058): avc: denied { unlink } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
>
> Antoine Martin wrote:
>>>>> The policy does not allow a role transition from user_r to sysadm_r.
>>>>> So that's why su can't work.
>>>>>
>>>> The solution in this case is to make sure that when you login as root
>>>> you get into sysadm_u:sysadm_r:sysadm_t or another context which does
>>>> allow the transition to sysadm. Setting the default for ssh is fairly
>>>> well documented.
>>>>
>>> Thanks for the help. Could you please send me some links to manuals? I
>>> googled it (probably wrong) but I didn't find anything useful.
>>>
>> /etc/security/default_contexts
>> is what you're looking for.
>>
>> Antoine
--
lunaslide * GPG key->lunapark.org/~luna/key.asc

...you shall now pay me in full for the grief you have caused me
on account of my comrades whom you have killed in battle.
- Achilles, The Iliad
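The check that lunaslide's diagnosis implies, as an added example that is not part of this thread and not a Gentoo or SELinux tool: a Python parser for the `audit(...): avc: denied` lines stanke posted. It groups the denials by source context, target context and object class, and then separates objects that already carry unlabeled_t (a label problem on existing files, which relabelling fixes) from objects that were created with unlabeled_t (a new file gets its parent directory's type unless a type_transition rule for the source domain applies, so the parent's label and the policy's transition rule are what to check). It also flags the `associate` denial, where the target is the filesystem object itself: if the filesystem on dm-3 is unlabeled_t, a per-file relabel cannot change that, and how dm-3 is mounted and whether the policy knows its filesystem type need looking at. The sample lines are constructed to match the shape of the posted log; `parse_avc` tolerates fields that vary between lines (dev/ino absent on the create and add_name lines, quoted and unquoted values, the non-AVC cron line).

```python
"""Group and classify SELinux AVC denials (added example, not an SELinux tool).

The sample log below is constructed to match the denials posted in this
thread: 2.6.16-era kernel audit format, non-MLS contexts.
"""
import re
from collections import defaultdict

SAMPLE_AVC = """\
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8048): avc: denied { search } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8049): avc: denied { write } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8051): avc: denied { create } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=tester:object_r:unlabeled_t tclass=file
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8052): avc: denied { associate } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:object_r:unlabeled_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
Sep 25 05:22:02 gentoo64 audit(1159154522.949:8058): avc: denied { unlink } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:23:01 gentoo64 cron[24435]: (root) ENTRYPOINT FAILED (crontabs/root)
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one `avc: denied` line into a dict; None for any other line.
    Quoted values lose their quotes; the type of each context is split out."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")          # user:role:type (no MLS field)
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def group_denials(log_text):
    """(scontext, tcontext, tclass) -> sorted list of denied permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["scontext"], rec["tcontext"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def diagnose(log_text):
    """Classify the unlabeled_t denials into the three things to check:
    existing objects that need a relabel, objects created as unlabeled_t
    (parent label / type_transition), and an unlabeled filesystem object."""
    existing, created, fs_unlabeled = set(), set(), False
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        name, tclass = rec.get("name", "?"), rec.get("tclass")
        if tclass == "filesystem":
            # associate: scontext is the new file's own label, tcontext the
            # filesystem's label
            if rec.get("scontext_type") == "unlabeled_t":
                created.add(name)
            if rec.get("tcontext_type") == "unlabeled_t":
                fs_unlabeled = True
        elif rec.get("tcontext_type") == "unlabeled_t":
            if "create" in rec["perms"]:
                created.add(name)     # tcontext is the label the new file would get
            else:
                existing.add((tclass, name))
    return {
        "unlabeled_existing": sorted(existing),
        "created_unlabeled": sorted(created),
        "filesystem_unlabeled": fs_unlabeled,
        "needs_relabel": bool(existing),
    }


if __name__ == "__main__":
    for key, perms in group_denials(SAMPLE_AVC).items():
        print(f"{key[0]} -> {key[1]} ({key[2]}): {' '.join(perms)}")
    print(diagnose(SAMPLE_AVC))
```

On the constructed sample the summary shows every denial sharing one target type, the root directory of dm-3 already unlabeled_t, the new crontab temp file computed as unlabeled_t, and the filesystem object itself unlabeled_t; the first two are what `make relabel` addresses, the last is worth confirming separately before relabelling.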