Access to /root/.[rs]hosts

Göran Uddeborg goeran at uddeborg.se
Sun May 2 18:13:22 UTC 2010


I tried to set up root ssh access between a couple of (carefully
selected) hosts.  For root the standard /etc/hosts.equiv and
/etc/ssh/shosts.equiv aren't recognized, so I created a /root/.shosts.

But it turns out that sshd isn't allowed to read this file.  The
complete AVCs are below.  Is this an intentional restriction, that
host-based root access via ssh is not allowed in the standard policy?
Or is it a bug I could report in bugzilla?

time->Sun May  2 19:57:09 2010
type=SYSCALL msg=audit(1272823029.521:20484): arch=c000003e syscall=4 success=no exit=-13 a0=7fff2fb22cb0 a1=7fff2fb22c20 a2=7fff2fb22c20 a3=fffffff9 items=0 ppid=2920 pid=2922 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1272823029.521:20484): avc:  denied  { getattr } for  pid=2922 comm="sshd" path="/root/.shosts" dev=sda2 ino=7031802 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
----
time->Sun May  2 19:57:09 2010
type=SYSCALL msg=audit(1272823029.533:20485): arch=c000003e syscall=4 success=no exit=-13 a0=7fff2fb22cb0 a1=7fff2fb22c20 a2=7fff2fb22c20 a3=fffffff9 items=0 ppid=2920 pid=2922 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1272823029.533:20485): avc:  denied  { getattr } for  pid=2922 comm="sshd" path="/root/.shosts" dev=sda2 ino=7031802 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
----
time->Sun May  2 19:57:09 2010
type=SYSCALL msg=audit(1272823029.536:20487): arch=c000003e syscall=4 success=no exit=-13 a0=7fff2fb22cb0 a1=7fff2fb22c20 a2=7fff2fb22c20 a3=fffffff9 items=0 ppid=2920 pid=2922 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1272823029.536:20487): avc:  denied  { getattr } for  pid=2922 comm="sshd" path="/root/.shosts" dev=sda2 ino=7031802 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
----
time->Sun May  2 19:57:09 2010
type=SYSCALL msg=audit(1272823029.539:20488): arch=c000003e syscall=4 success=no exit=-13 a0=7fff2fb22cb0 a1=7fff2fb22c20 a2=7fff2fb22c20 a3=fffffff9 items=0 ppid=2920 pid=2922 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1272823029.539:20488): avc:  denied  { getattr } for  pid=2922 comm="sshd" path="/root/.shosts" dev=sda2 ino=7031802 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file

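The following is an added example and is not part of the original post or of the SELinux policy: a small POSIX shell script that parses AVC denial lines like the ones quoted above into (source type, target type, class, permission) tuples and renders the Type Enforcement module body that a local policy module for them would contain, in the same shape `audit2allow -M` emits. The sample input is constructed from two of the quoted denials; the module name `local_sshd_shosts` is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not code from the original post: parse AVC denial lines such
# as the ones quoted above and render the equivalent Type Enforcement module
# body (the same shape "audit2allow -M" produces), so the exact rule a local
# policy module would add can be reviewed before anything is installed.

# Constructed sample: two of the denials quoted above. Duplicate denials
# collapse to a single tuple.
SAMPLE_AVC='type=AVC msg=audit(1272823029.521:20484): avc:  denied  { getattr } for  pid=2922 comm="sshd" path="/root/.shosts" dev=sda2 ino=7031802 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1272823029.533:20485): avc:  denied  { getattr } for  pid=2922 comm="sshd" path="/root/.shosts" dev=sda2 ino=7031802 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file'

# avc_tuples: read AVC lines on stdin, print one "source_type target_type
# class permission" line per denied permission, deduplicated.
avc_tuples() {
    awk '/type=AVC/ && / denied / {
        perms = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                 # permission set: { getattr read ... }
                for (j = i + 1; j <= NF && $j != "}"; j++) perms = perms " " $j
            }
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }  # user:role:TYPE:...
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (k = 1; k <= n; k++) print src, tgt, cls, p[k]
    }' | sort -u
}

# avc_to_te MODULE_NAME: read AVC lines on stdin and print a .te module body,
# merging the permissions of each (source, target, class) triple into one
# allow rule and listing every type and class in the require block.
avc_to_te() {
    avc_tuples | awk -v module="$1" '
    {
        key = $1 " " $2 " " $3
        if (!(key in perms_of)) rules[++nr] = key
        perms_of[key] = perms_of[key] " " $4
        if (!($1 in seen_t)) { seen_t[$1] = 1; types[++nt] = $1 }
        if (!($2 in seen_t)) { seen_t[$2] = 1; types[++nt] = $2 }
        if (!($3 in seen_c)) { seen_c[$3] = 1; classes[++nc] = $3 }
        if (!(($3, $4) in seen_cp)) { seen_cp[$3, $4] = 1; cperms[$3] = cperms[$3] " " $4 }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", module
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", classes[i], cperms[classes[i]]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) {
            split(rules[i], f, " ")
            printf "allow %s %s:%s {%s };\n", f[1], f[2], f[3], perms_of[rules[i]]
        }
    }'
}

# Render the module for the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te local_sshd_shosts
```

On a live system the same result comes from `ausearch -m avc -c sshd | audit2allow -M local_sshd_shosts` followed by `semodule -i local_sshd_shosts.pp`. Before installing anything, check whether an existing rule or boolean already covers the access, e.g. `sesearch -A -s sshd_t -t admin_home_t -c file -p getattr`; a local allow rule is only the right fix if the denial is a policy bug, which is exactly the question the post asks, and if the restriction is deliberate the module silently weakens it. Expect follow-up denials as well: `getattr` is only the stat() before sshd opens the file, so `read` and `open` on the same type will be denied next and must be reviewed the same way.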
